| Activity | Subactivity | Subsubactivity | Mapping I (Identity/Identification) T (Token) | mandatory/optional? | Input | Output | (Security) risks if omitted | Dependencies | Increases/Decreases LoA |
|---|---|---|---|---|---|---|---|---|---|
| 1) 2FA token request | 1.0) Should we have a first factor authentication subactivity here as a gatekeeper for "User provides user info" 1.1) User provides user info | T_request | mandatory | user information (e.g. name, email, organization, e.g. via SAML assertion) | token request |
| Eligibility either needs to be checked in 1.1 or 3.1 | N/A | |
| 2) 2FA (pre-)registration | 2.1) User selects 2FA token | N/A, see T_select | optional | ||||||
2.2) User performs authentication with that token for binding and to prove possession | N/A, see T_authenticate | optional | |||||||
| 3) Identification (eligibility check;identity vetting using ID doc or alternative identity assertion method;unsure match of the person and her digital identity) | 3.0) Identification session arrangement and scheduling (!optional) | I_schedule | |||||||
| 3.1) Check eligiblity of user & possession of first factor | I_ I_ | optional if already performed in 1.1 | |||||||
3.3) Vet identity of user | |||||||||
| 3.3.1) Compare claimed/transmitted/spoken information with user's identity proof (e.g. ID doc, activation code) | I_vet_ | mandatory | |||||||
3.3.2) Perform Liveness Check (e.g. ID doc photo vs. real life face/ selfie) | I_vet_liveness | ||||||||
| 3.3.3) Check user's identity proof with its original source for validity | I_vet_originalSource | optional | ↓ | ||||||
| 3.3.4) Record identity proof | I_record | ||||||||
| 4) Token binding | 4.1) User chooses own token or handover of token to user | T_select | optional when activity 2 took place | ||||||
4.2) Bind token to digital ID | T_bind | mandatory, may already be performed in step 2 precondition: successful 3.2.1) | |||||||
| 4.3) Token-proof of-possession (e.g. test authentication) | T_authenticate | optional | |||||||
| 4.4) Token activation & record | T_activate T_record | mandatory precondition: successful 3.2.1 | |||||||
| 4.5) Inform user about token activation | T_confirmActivation |
| 2FA token request | 2FA token (pre-)registration | Identification | Token binding | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1.1) User provides user info | 2.1) User selects 2FA token | 2.2) User performs authentication with that token to prove possession | 3.1) Eligibility check of user | 3.2) Vet identity of user | 4.1) User chooses own token or handover of token to user | 4.2) Bind token to digital ID | 4.3) Token-proof-of-possession | 4.4) Token activation & record | 4.5)Inform user | |||
| 3.2.1) Compare claimed/transmitted/spoken information with user's identity proof | 3.2.2) Check user's identity proof with its original source for validity | 3.2.3) Record identity proof | ||||||||||
| Method | ||||||||||||
| Live video |
federated login |  |  |
(checked in 1.1 via login) | ||||||||
| ... | ||||||||||||
...