Credential Lifecycle Guide
Introduction
- Lifecycle management for authenticators: issuance, redundancy, loss, reissuance, expiration, and revocation.
- FIDO-specific considerations are called out where they apply.
Issuance
Covers initial issuance of the credential and binding of the authenticator to the subscriber's account.
Enrollment
- Credential issuance is the final step of the identity proofing process; no credential is issued until proofing completes.
- The authenticator is bound to the subscriber's account at this time.
Redundancy
- The CSP should issue multiple authenticators, at least one of which serves as a backup, so that loss of a single authenticator does not lock the subscriber out.
Add-on
- Allow the user to add new authenticators of equal or lesser strength than the authenticator used to establish the current session; a session at a given assurance level must never be used to bind a stronger authenticator. This is the normal way for users to generate their own backup credentials.
Use Cases
Lost Authenticator
- Reporting loss: the CSP must have clear and readily available instructions for users who lose their authenticators.
- The CSP may revoke the reported authenticator; this should happen promptly, since the lost authenticator remains usable by whoever holds it until it is revoked.
- Reissuance is initiated via a backup authenticator, if the subscriber still holds one.
Reissuance
- Replace the credential.
- May be done in person.
- Does reissuance require a new enrollment? If the subscriber holds no other usable authenticator, identity proofing has to be repeated; otherwise the remaining authenticator is sufficient.
- Reissuance is viable without new enrollment when redundant credentials were issued, because the backup authenticates the subscriber for the add-on step.
Expiration
- Trigger reissuance before expiration, so the subscriber is never left without a valid authenticator.
- Once expired, the credential is no longer valid and must not be accepted by the verifier.
Revocation
- Mark the credential as no longer valid so that the verifier rejects any subsequent authentication attempt with it.
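The rules in the Issuance section (binding at enrollment, issuing a backup, the add-on strength rule) and in the Use Cases section (revocation on loss, reissuance via a backup, expiration) as one worked example. This is illustration code added to this guide, not code from the guide itself or from any CSP implementation; the integer AAL scale, the in-memory registry, the injectable clock and the subscriber and authenticator names are assumptions made for the example.

```python
"""Toy CSP-side credential registry walking through the lifecycle states.
Assumed design: an in-memory registry with an injectable clock; AAL is an
integer scale (higher is stronger). Not a real CSP implementation."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class State(Enum):
    ACTIVE = "active"
    REVOKED = "revoked"
    EXPIRED = "expired"


class LifecycleError(Exception):
    pass


@dataclass
class Authenticator:
    auth_id: str
    aal: int                       # assumed assurance level scale, 1..3
    expires_at: datetime
    state: State = State.ACTIVE


@dataclass
class Subscriber:
    name: str
    identity_proofed: bool = False
    authenticators: dict = field(default_factory=dict)   # auth_id -> Authenticator


class CredentialRegistry:
    def __init__(self, now: datetime):
        self.now = now             # injected clock so the walkthrough is deterministic

    def enroll(self, sub, auth_id, aal, lifetime_days):
        """Issuance is the last step of identity proofing; binding happens here."""
        if not sub.identity_proofed:
            raise LifecycleError("identity proofing must complete before issuance")
        self._bind(sub, auth_id, aal, lifetime_days)

    def add_authenticator(self, sub, session_auth_id, auth_id, aal, lifetime_days):
        """Add-on rule: a session at AAL n may bind authenticators of AAL <= n only."""
        session = self.active(sub, session_auth_id)
        if aal > session.aal:
            raise LifecycleError(f"AAL{aal} cannot be bound from an AAL{session.aal} session")
        self._bind(sub, auth_id, aal, lifetime_days)

    def _bind(self, sub, auth_id, aal, lifetime_days):
        if auth_id in sub.authenticators:
            raise LifecycleError("authenticator already bound")
        expires = self.now + timedelta(days=lifetime_days)
        sub.authenticators[auth_id] = Authenticator(auth_id, aal, expires)

    def state_of(self, a):
        """Revocation is sticky; expiration is evaluated against the clock."""
        if a.state is State.REVOKED:
            return State.REVOKED
        return State.EXPIRED if a.expires_at <= self.now else State.ACTIVE

    def active(self, sub, auth_id):
        a = sub.authenticators.get(auth_id)
        if a is None or self.state_of(a) is not State.ACTIVE:
            raise LifecycleError(f"{auth_id} is not an active authenticator")
        return a

    def active_ids(self, sub):
        return [a.auth_id for a in sub.authenticators.values()
                if self.state_of(a) is State.ACTIVE]

    def report_lost(self, sub, auth_id):
        """Revoke promptly: the lost device stays usable by its finder until then."""
        sub.authenticators[auth_id].state = State.REVOKED
        return self.active_ids(sub)    # what the subscriber can still use for reissuance

    def reissue(self, sub, backup_auth_id, new_auth_id, aal, lifetime_days):
        """Reissue via a remaining backup; with none left, enrollment must be repeated."""
        if not self.active_ids(sub):
            raise LifecycleError("no active backup: new enrollment (identity proofing) required")
        self.add_authenticator(sub, backup_auth_id, new_auth_id, aal, lifetime_days)

    def due_for_reissuance(self, sub, lead_time_days):
        """Authenticators that will expire within the lead time and should be replaced now."""
        deadline = self.now + timedelta(days=lead_time_days)
        return [i for i in self.active_ids(sub) if sub.authenticators[i].expires_at <= deadline]


def demo():
    """Walk one subscriber through the lifecycle; returns observations for checking."""
    reg = CredentialRegistry(datetime(2024, 1, 1, tzinfo=timezone.utc))
    alice = Subscriber("alice", identity_proofed=True)          # constructed sample subscriber
    out = {}
    reg.enroll(alice, "key-primary", 3, 365)                     # binding at enrollment
    reg.add_authenticator(alice, "key-primary", "key-backup", 3, 365)   # redundancy
    reg.add_authenticator(alice, "key-primary", "phone-otp", 2, 30)     # add-on, lesser strength
    try:                                                         # AAL2 session may not bind AAL3
        reg.add_authenticator(alice, "phone-otp", "key-third", 3, 365)
        out["escalation_blocked"] = False
    except LifecycleError:
        out["escalation_blocked"] = True
    out["after_loss"] = reg.report_lost(alice, "key-primary")   # lost authenticator revoked
    reg.reissue(alice, "key-backup", "key-replacement", 3, 365)  # reissuance via backup
    out["states"] = {i: reg.state_of(a).value for i, a in alice.authenticators.items()}
    out["due"] = reg.due_for_reissuance(alice, lead_time_days=60)   # phone-otp expires in 30 days
    reg.now += timedelta(days=31)                                # advance the clock past expiry
    out["otp_state_later"] = reg.state_of(alice.authenticators["phone-otp"]).value
    return out


if __name__ == "__main__":
    print(demo())
```

The add-on check compares the new authenticator against the authenticator that established the session, not against the strongest one the subscriber owns; that is what prevents a weaker backup (here the OTP) from being used to bind a stronger replacement. The reissuance path reuses the same add-on check, so a backup of equal strength is needed to replace a lost top-level authenticator without repeating enrollment.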