Credential Lifecycle Guide

From NIEF Wiki
Revision as of 20:29, 10 April 2019 by Jeff.Krug (talk | contribs) (→‎Revocation)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Introduction

  • Lifecycle management for authenticators.
  • FIDO specifics as appropriate.

Issuance

Address initial issuance.

Enrollment

  • Credential issuance happens as final part of identity proofing process.
  • Authenticator is bound at this time.

Redundancy

  • Should issue multiple and back-up credentials.

Add-on

  • Allow user to add new authenticators of equal or lesser strength than the authenticator used for current session; useful for generating back-up credentials.

Use Cases

Lost Authenticator

  • Reporting loss.
    • CSP must have clear and readily available instructions for users that lose their authenticators.
    • CSP may revoke existing authenticator
    • Initiate reissuance via backup authenticator (if possible).

Reissuance

  • Replace credential
    • Near expiration time, may reissue (for example password changes).
    • For FIDO reissuing is likely not an issue, credentials would not have expiration times and backup authenticators likely not strong enough to allow direct enrollment.
  • In-person
    • Depending on availability of multiple authenticators, reissuance may require in-person processes.
  • Necessitate new enrollment?
    • Without multiple authenticators, may necessitate a new enrollment (new online identity / account).
  • Viable via redundant credentials.
    • In some cases (and particularly for lower strength authenticators), you can reissue an authenticator via a channel established with another authenticator.

Expiration

  • Trigger reissuance before expiration
  • Credential no longer valid
  • FIDO likely not configured to have expiration.
    • The underlying account (online identity) may have expiration rules independent of the authenticator's expiration rules though.
    • Does DI3 have expiration rules? Inactivity leading to automatically disabled accounts?

Revocation

  • Mark credential as no longer valid.
  • For FIDO/ThumbSignIn this is done within the ThumbSignIn control panel.