FIDO Credential Lifecycle Guide
All authenticators (i.e., mechanisms by which a user is authenticated) require some degree of lifecycle management. The technical details of an authenticator impact its lifecycle in many ways. For example, passwords tend to expire, must satisfy minimum complexity requirements, and typically have automated recovery processes for when they are forgotten. Physical authenticators may have longer expiration times, but they also have more complex requirements for replacement (i.e., appear in person before the issuing official, fill out some paperwork, verify your identity, have a new credential issued, etc.). The credential lifecycle also necessarily includes the initial provisioning of the credential. For lower-assurance credentials, this is often a simple online sign-up process with an email address verification and nothing more. But for higher-assurance credentials, it is often an in-person process with biometric capture and verification, such as a fingerprint scan and/or photograph of the user.
The Fast Identity Online (FIDO) 1.0 specification has two primary standards: Universal 2nd Factor (U2F) and Universal Authentication Framework (UAF). While some of the topics contained here apply to both U2F and UAF, this document's focus is UAF. Note also that a "FIDO2" standard has been developed through the W3C and is named WebAuthn. This standard is still very new as of Spring 2019, but rapid adoption by browsers up to this point hints at its long-term viability. The FIDO2 standard consolidates UAF and U2F functionality and supports both use cases.
FIDO UAF authenticators can be used for both high assurance and low assurance, depending on the process used to issue the credential. For a FIDO UAF mobile credential to be considered an AAL2 or AAL3 credential in accordance with NIST SP 800-63B, it must be issued through a high-assurance identity proofing process, e.g., in accordance with NIST SP 800-63A IAL2 or IAL3, respectively.
The most direct method for establishing a high-assurance FIDO credential on a user's mobile device is for the user to have the device present at the time when the user finishes going through the identity proofing process, so that the authenticator can be issued and bound to the device during this in-person event. This requires the user to use their phone during this process and generate a FIDO credential that is bound to the online identity created during the enrollment. While this process is effective at establishing a strong credential, it is somewhat costly, inconvenient, and unscalable. It also lacks resiliency due to the potential loss or replacement of the mobile device.
Redundant authenticators can be issued during enrollment, such as a username and password for low assurance operations, or physical tokens for higher assurance interactions. Redundancy can be costly to implement and can yield even more potential failure points if there are insufficient self-service capabilities to remedy subsequent credential management issues that may arise. For larger systems with significant self-service capabilities, redundancy can become critically important for using those self-service capabilities. Supporting multiple authentication methods and multiple authenticators can be costly, but it can be beneficial for large-scale providers and moderate-scale providers hoping to reduce their scaling costs.
It can be useful to have processes where a user can add an additional authenticator to their user account. An add-on authenticator is constrained by the assurance level of the authenticator that was used to add it. When a FIDO UAF credential is added to an existing account via an existing username/password, it would be considered AAL1. This may still be a useful use case if the FIDO UAF credential can still be used to access resources despite having a lower assurance level. An authenticator added via a low-assurance authenticator can be elevated through external processes. For example, a FIDO UAF authenticator could be added to a username/password account, and then that authenticator could be further bound at a higher AAL via an out-of-band verification and approval process.
A common occurrence for any authenticator is the possibility of loss, so it is critical for a provider to have clear and readily available instructions for their users on what to do in the case of their authenticator being lost. This may typically include a phone number or email address for the user to contact and notify an administrator. Users may also report a high assurance level credential as being lost over a lower assurance level channel. In the case of a FIDO UAF credential on a mobile device, loss would include any situation where the user no longer possesses the device (e.g., due to theft, loss, or device replacement/upgrade). In such a case, the provider can revoke the credential on the FIDO server, thereby assuring that the credential can never be used to authenticate. But this may not be necessary; it depends on various factors, such as whether the device was stolen and what mechanism was used to protect the key material on the device (if a sufficiently strong biometric was used, the key may not be recoverable). The provider must make a risk-based decision as to whether to revoke a credential on a lost, stolen, or replaced device.
For FIDO UAF to be used at higher assurance levels, reissuance may be handled by having the user go through the initial issuance process again. If a provider issues multiple strong credentials to users, this may enable a user to use a strong backup credential to self-enroll a new FIDO device. Note that this is not a typical use case for small providers, as supporting many different authenticators can be cost-prohibitive.
There are two aspects to expiration. One is authenticator expiration (such as a password expiring or a certificate expiring) and the other is online account expiration, which is a common occurrence due to lack of use. FIDO UAF credentials generally have no expiration issues, as FIDO uses strong public key cryptography, and the expected lifetime of the device is shorter than the expected lifetime of the key material. In the case of an expired account rendering a FIDO UAF credential inoperative, the user would need to go through the issuance process again to enable a new account or to re-enable their existing account. As with reissuance, this reactivation would need to happen through a process at an appropriate assurance level to ensure the FIDO UAF credential maintains AAL2.
Revocation is a mechanism whereby the credential possessed (or lost) by a user is disallowed for future use by the authentication server. For FIDO UAF, revocation is handled within the FIDO UAF Server simply by deleting the credential for the user, thus forcing them to go through the registration process again and generating a new credential at that time.
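The add-on constraint (a new authenticator is bound at no more than the AAL of the authenticator used to add it, with later out-of-band elevation) and the revoke-by-deletion rule above can be captured in a small relying-party credential registry. This is an added illustration, not code from the FIDO specifications or any product; the class and method names, the numeric AAL/IAL fields, and the rule that a bound AAL never exceeds the account's proofing IAL are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class Credential:
    cred_id: str
    kind: str   # e.g. "password" or "fido_uaf" (constructed labels)
    aal: int    # AAL (NIST SP 800-63B) the relying party has bound to it

@dataclass
class Account:
    ial: int    # identity proofing level (NIST SP 800-63A) from enrollment
    creds: Dict[str, Credential] = field(default_factory=dict)

class CredentialRegistry:
    """Hypothetical registry; deleting here stands in for deleting in the UAF server."""
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
    def enroll(self, user: str, ial: int, cred: Credential) -> int:
        # Initial issuance: the bound AAL cannot exceed the proofing IAL
        # (an AAL2 UAF credential needs at least IAL2 proofing).
        if cred.aal > ial:
            raise ValueError("requested AAL exceeds the identity proofing level")
        self.accounts[user] = Account(ial=ial, creds={cred.cred_id: cred})
        return cred.aal
    def add_authenticator(self, user: str, via_cred_id: str, new: Credential) -> int:
        # Add-on rule: the new authenticator is bound at no more than the AAL
        # of the authenticator used to add it (UAF added via password => AAL1).
        acct = self.accounts[user]
        new.aal = min(new.aal, acct.creds[via_cred_id].aal)
        acct.creds[new.cred_id] = new
        return new.aal
    def elevate(self, user: str, cred_id: str, target_aal: int, oob_approved: bool) -> int:
        # Out-of-band verification and approval may raise the bound AAL, but
        # never above what the account's identity proofing supports.
        if not oob_approved:
            raise PermissionError("elevation requires out-of-band approval")
        acct = self.accounts[user]
        acct.creds[cred_id].aal = min(target_aal, acct.ial)
        return acct.creds[cred_id].aal
    def revoke(self, user: str, cred_id: str) -> None:
        # Revocation is deletion; the user must re-register to obtain a new key.
        self.accounts[user].creds.pop(cred_id, None)
    def authenticate(self, user: str, cred_id: str) -> Optional[int]:
        # AAL achieved by presenting this credential, or None if unknown/revoked.
        # Signature verification of the UAF assertion is out of scope here.
        acct = self.accounts.get(user)
        cred = acct.creds.get(cred_id) if acct else None
        return None if cred is None else cred.aal
```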