FIDO Credential Lifecycle Guide: Difference between revisions

From NIEF Wiki
==Introduction==
All authenticators (the mechanisms by which a user is authenticated) require some degree of lifecycle management. The technical details of an authenticator affect the lifecycle in many ways. For example, passwords tend to expire, have to adhere to complexity requirements, and typically have automated recovery processes for when they are forgotten. Physical authenticators may have longer expiration times but more complex requirements for replacement (i.e. show up at the badge office, fill out some paperwork, verify your identity, have a new credential issued, etc.). The lifecycle also necessarily includes the very initial provisioning of the credential. For low assurance level services, this is often a simple online sign-up process with an email address verification and nothing more. For more secure credentialing it is often an in-person process with biometric capture and verification, like the fingerprint scan and photo taken for a driver's license.
 
FIDO UAF authenticators can be used for both high assurance and low assurance, depending on the process used to issue the credential. (This guide is not intended to address FIDO U2F devices, which are hard physical tokens used for second-factor authentication.)


Revision as of 14:55, 22 April 2019


==Issuance==

Address initial issuance.

===Enrollment===

  • Credential issuance happens as final part of identity proofing process.
  • Authenticator is bound at this time.

===Redundancy===

  • Should issue multiple credentials, including back-up credentials.

===Add-on===

  • Allow user to add new authenticators of equal or lesser strength than the authenticator used for current session; useful for generating back-up credentials.

==Use Cases==

===Lost Authenticator===

  • Reporting loss.
    • CSP must have clear and readily available instructions for users that lose their authenticators.
    • CSP may revoke the existing authenticator.
    • Initiate reissuance via backup authenticator (if possible).

===Reissuance===

  • Replace credential
    • Near expiration time, may reissue (for example password changes).
    • For FIDO, reissuance driven by expiration is likely not an issue: credentials would not have expiration times, and backup authenticators are likely not strong enough to allow direct enrollment.
  • In-person
    • Depending on availability of multiple authenticators, reissuance may require in-person processes.
  • Necessitate new enrollment?
    • Without multiple authenticators, may necessitate a new enrollment (new online identity / account).
  • Viable via redundant credentials.
    • In some cases (and particularly for lower strength authenticators), you can reissue an authenticator via a channel established with another authenticator.

===Expiration===

  • Trigger reissuance before expiration.
  • Credential no longer valid after expiration.
  • FIDO likely not configured to have expiration.
    • The underlying account (online identity) may have expiration rules independent of the authenticator's expiration rules though.
    • Does DI3 have expiration rules? Inactivity leading to automatically disabled accounts?

===Revocation===

  • Mark credential as no longer valid.
  • For FIDO/ThumbSignIn this is done within the ThumbSignIn control panel.
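One way to encode the rules from the Add-on, Lost Authenticator, Reissuance and Revocation sections above as a single policy object, written here as an added example (not NIEF's or ThumbSignIn's code); the two-level Strength scale, the class names and the reissuance path labels are assumptions:

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Strength(IntEnum):
    # Assumed scale: LOW = email-verified sign-up, HIGH = in-person proofed.
    LOW = 1
    HIGH = 2

@dataclass
class Authenticator:
    auth_id: str
    strength: Strength
    revoked: bool = False

@dataclass
class Account:
    authenticators: dict = field(default_factory=dict)

    def enroll(self, auth):
        # Initial issuance: the authenticator is bound as the final step of proofing.
        self.authenticators[auth.auth_id] = auth

    def active(self):
        return [a for a in self.authenticators.values() if not a.revoked]

    def add_on(self, session_auth_id, new_auth):
        # Add-on rule: the new authenticator may be of equal or lesser strength
        # than the one used for the current session, never stronger.
        session_auth = self.authenticators[session_auth_id]
        if session_auth.revoked:
            raise PermissionError("session authenticator has been revoked")
        if new_auth.strength > session_auth.strength:
            raise PermissionError("new authenticator stronger than session authenticator")
        self.authenticators[new_auth.auth_id] = new_auth

    def revoke(self, auth_id):
        # Revocation: mark the credential as no longer valid; keep the record.
        self.authenticators[auth_id].revoked = True

    def report_lost(self, auth_id):
        # Lost authenticator: revoke, then pick the reissuance path: a backup at least
        # as strong reissues over its channel; weaker forces in-person; none means re-enroll.
        lost = self.authenticators[auth_id]
        self.revoke(auth_id)
        backups = self.active()
        if not backups:
            return "new-enrollment"
        if max(b.strength for b in backups) >= lost.strength:
            return "reissue-via-backup"
        return "in-person"
```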