Credential Lifecycle Guide

Introduction

• Lifecycle management for authenticators.
• FIDO specifics as appropriate.

Issuance

Address initial issuance.

Enrollment

• Credential issuance happens as final part of identity proofing process.
• Authenticator is bound at this time.

Redundancy

• Should issue multiple and back-up credentials.

Add-on

• Allow user to add new authenticators of equal or lesser strength than the authenticator used for current session; useful for generating back-up credentials.

Use Cases

Lost Authenticator

• Reporting loss.
  • CSP must have clear and readily available instructions for users that lose their authenticators.
  • CSP may revoke existing authenticator
  • Initiate reissuance via backup authenticator (if possible).

Reissuance

• Replace credential
  • Near expiration time, may reissue (for example password changes).
  • For FIDO reissuing is likely not an issue, credentials would not have expiration times and backup authenticators likely not strong enough to allow direct enrollment.
• In-person
  • Depending on availability of multiple authenticators, reissuance may require in-person processes.
• Necessitate new enrollment?
  • Without multiple authenticators, may necessitate a new enrollment (new online identity / account).
• Viable via redundant credentials.
  • In some cases (and particularly for lower strength authenticators), you can reissue an authenticator via a channel established with another authenticator.

Expiration

• Trigger reissuance before expiration
• Credential no longer valid
• FIDO likely not configured to have expiration.
  • The underlying account (online identity) may have expiration rules independent of the authenticator's expiration rules though.
  • Does DI3 have expiration rules? Inactivity leading to automatically disabled accounts?

Revocation

• Mark credential as no longer valid.
• For FIDO/ThumbSignIn this is done within the ThumbSignIn control panel.