FIDO Credential Lifecycle Guide

From NIEF Wiki
Revision as of 19:03, 22 April 2019

Introduction

All authenticators (the mechanisms by which a user is authenticated) require some degree of lifecycle management, and the technical details of an authenticator affect that lifecycle in many ways. Passwords, for example, tend to expire, have to meet complexity requirements, and typically come with an automated recovery process for when they are forgotten. Physical authenticators may have longer expiration periods but more involved replacement requirements (i.e. show up at the badge office, fill out paperwork, verify your identity, have a new credential issued, etc.). The lifecycle also necessarily includes the initial provisioning of the credential. For low assurance services this is often a simple online sign-up with an email address verification and nothing more. For higher assurance credentialing it is often an in-person process with biometric capture and verification, such as the fingerprint scan and photograph taken for a driver's license.

Issuance

FIDO UAF authenticators (this guide is not intended to address FIDO U2F devices, which are physical hardware tokens used as a second authentication factor) can be used for either high or low assurance, depending on the process used to issue the credential. For a FIDO UAF mobile credential to be treated as an AAL2 or AAL3 credential, it must be bound to the user's identity as part of a corresponding high assurance identity proofing process, IAL2 or IAL3 respectively.

Enrollment

The most direct method for establishing a higher assurance FIDO credential on a user's mobile device is for the user to have the device with them when they complete the identity proofing process, so that the authenticator is bound during that process. The user generates a FIDO credential on the phone that is bound to the online identity created during enrollment. While this process is effective at establishing a strong credential, it may lack resiliency due to the potential loss or replacement of the mobile device.

Redundancy

Redundant authenticators can be issued during enrollment, such as a username and password for low assurance operations, or physical tokens for higher assurance interactions. Redundancy can be costly to implement and can yield even more potential failure points if there are insufficient self-service capabilities to remedy issues. For larger systems with significant self-service capabilities, redundancy can become critically important for using those self-service capabilities.

Add-on

  • Allow user to add new authenticators of equal or lesser strength than the authenticator used for current session; useful for generating back-up credentials.

Use Cases

Lost Authenticator

  • Reporting loss.
    • The CSP must have clear and readily available instructions for users who lose their authenticators.
    • The CSP may revoke the reported authenticator.
    • Initiate reissuance via a backup authenticator, if one exists.

Reissuance

  • Replace credential
    • Near the expiration time, the credential may be reissued (for example, a password change).
    • For FIDO, reissuance at expiration is unlikely to arise: FIDO credentials would not normally carry an expiration time, and backup authenticators are likely not strong enough to permit direct re-enrollment of an equally strong credential.
  • In-person
    • Depending on the availability of multiple authenticators, reissuance may require an in-person process.
  • Necessitate new enrollment?
    • Without multiple authenticators, replacement may necessitate a new enrollment (a new online identity / account).
  • Viable via redundant credentials.
    • In some cases (and particularly for lower strength authenticators), an authenticator can be reissued via a channel established with another authenticator.

Expiration

  • Trigger reissuance before expiration
  • Credential no longer valid
  • FIDO likely not configured to have expiration.
    • The underlying account (online identity) may have expiration rules independent of the authenticator's expiration rules though.
    • Does DI3 have expiration rules? Inactivity leading to automatically disabled accounts?

Revocation

  • Mark credential as no longer valid.
  • For FIDO/ThumbSignIn this is done within the ThumbSignIn control panel.
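The following is an added example (not NIEF or ThumbSignIn code) that encodes the lifecycle rules from the Add-on, Lost Authenticator, Reissuance and Revocation sections above in a small credential registry: an add-on may never exceed the strength of the authenticator used for the current session, a lost authenticator is revoked before anything else, and reissuance through a backup channel only succeeds when the backup is strong enough. The class and method names, the numeric strength scale, and the sample account are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Strength(IntEnum):
    """Authenticator strength; the scale mirrors the AAL levels (assumed mapping)."""
    AAL1 = 1  # e.g. username/password
    AAL2 = 2  # e.g. FIDO UAF credential bound during IAL2 proofing
    AAL3 = 3  # e.g. hardware token bound during IAL3 proofing


class LifecycleError(Exception):
    """Raised when an operation violates a lifecycle rule."""


@dataclass
class Authenticator:
    id: str
    kind: str
    strength: Strength
    revoked: bool = False


@dataclass
class Account:
    """One online identity and the authenticators bound to it (hypothetical model)."""
    identity: str
    authenticators: dict = field(default_factory=dict)

    def _issue(self, kind: str, strength: Strength) -> Authenticator:
        auth = Authenticator(f"{kind}-{len(self.authenticators) + 1}", kind, strength)
        self.authenticators[auth.id] = auth
        return auth

    def enroll(self, kind: str, strength: Strength) -> Authenticator:
        """Initial issuance during identity proofing. This is the only path that needs
        no authenticated session, so it is the only way the strongest authenticator
        can appear on an account that has none yet."""
        return self._issue(kind, strength)

    def authenticate(self, auth_id: str) -> dict:
        """Return a session record carrying the strength of the authenticator used."""
        auth = self.authenticators.get(auth_id)
        if auth is None or auth.revoked:
            raise LifecycleError(f"{auth_id}: unknown or revoked")
        return {"identity": self.identity, "strength": auth.strength}

    @staticmethod
    def add_on_allowed(session: dict, strength: Strength) -> bool:
        """Add-on rule: the new authenticator may be of equal or lesser strength
        than the one used for the current session, never greater."""
        return strength <= session["strength"]

    def add_on(self, session: dict, kind: str, strength: Strength) -> Authenticator:
        if not self.add_on_allowed(session, strength):
            raise LifecycleError(
                f"cannot add {strength.name} authenticator from a "
                f"{session['strength'].name} session")
        return self._issue(kind, strength)

    def revoke(self, auth_id: str) -> None:
        """Mark a credential as no longer valid."""
        self.authenticators[auth_id].revoked = True

    def report_lost(self, auth_id: str,
                    backup_id: Optional[str] = None) -> Optional[Authenticator]:
        """Lost-authenticator flow: revoke first, then try to reissue through a
        session established with a backup authenticator. Returns the replacement,
        or None when there is no backup or it is too weak, in which case the user
        must fall back to an in-person process or a new enrollment."""
        lost = self.authenticators[auth_id]
        self.revoke(auth_id)
        if backup_id is None:
            return None
        session = self.authenticate(backup_id)  # raises if the backup is itself revoked
        if not self.add_on_allowed(session, lost.strength):
            return None
        return self.add_on(session, lost.kind, lost.strength)

    def active(self) -> list:
        return [a for a in self.authenticators.values() if not a.revoked]


if __name__ == "__main__":
    # Constructed sample account: password plus a FIDO UAF credential bound at enrollment.
    acct = Account("alice")
    pw = acct.enroll("password", Strength.AAL1)
    fido = acct.enroll("fido-uaf", Strength.AAL2)
    session = acct.authenticate(fido.id)
    backup = acct.add_on(session, "fido-uaf", Strength.AAL2)   # allowed: equal strength
    print("reissued via FIDO backup:", acct.report_lost(fido.id, backup.id))
    print("reissued via password only:", acct.report_lost(backup.id, pw.id))
    print("still active:", [a.id for a in acct.active()])
```

Running the module shows the two outcomes the page describes: losing the FIDO credential while a second FIDO credential exists yields a replacement of the same strength, while losing it with only a password as backup yields nothing, so the user is routed to in-person reissuance or a new enrollment.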