Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.





ActivitySubactivitySubsubactivity

Mapping

I (Identity/Identification)

T (Token) or more generic F (Factor)??? might fit better in case biometry is used as second factor (biometry is not an "token" itself)

mandatory/optional?InputOutput(Security) risks if omittedDependenciesIncreases/Decreases LoA
1) 2FA token request

1.0) Should we have a first factor authentication subactivity here as a gatekeeper for "User provides user info"

1.1) User provides user info


T_requestmandatoryuser information (e.g. name, email, organization, e.g. via SAML assertion)token request
  • First check to be entitled to register 2FA token (e.g. federated login, email address is present which is associated with user/org. LDAP)
Eligibility either needs to be checked in 1.1 or 3.1N/A
2) 2FA (pre-)registration2.1) User selects 2FA token
N/A, see T_selectoptional





2.2) User performs authentication with that token for binding and to prove possession


N/A, see T_authenticate
optional




3) Identification
(eligibility check;identity vetting using ID doc or alternative identity assertion method;unsure match of the person and her digital identity)

3.0) Identification session arrangement and scheduling (!optional)



I_schedule








3.1) Check eligiblity of user & possession of first factor

I_checkEligibility

I_authenticateFirstFactor (where does it belong to "I" or "T" or new class???)

optional if already performed in 1.1





3.3) Vet identity of user











3.3.1) Compare claimed/transmitted/spoken information with user's identity proof (e.g. ID doc, activation code)I_vet_????mandatory






3.3.2) Perform Liveness Check

(e.g. ID doc photo vs. real life face/ selfie)

I_vet_liveness







3.3.3) Check user's identity proof with its original source for validityI_vet_originalSourceoptional





3.3.4) Record identity proofI_record





4) Token binding4.1) User chooses own token or handover of token to user
T_selectoptional when activity 2 took place





4.2) Bind token to digital ID


T_bind

mandatory,

may already be performed in step 2

precondition: successful 3.2.1)







4.3) Token-proof of-possession (e.g. test authentication)
T_authenticateoptional





4.4) Token activation & record

T_activate

T_record

mandatory

precondition: successful 3.2.1







4.5) Inform user about token activation
T_confirmActivation








2FA token request2FA token (pre-)registration
IdentificationToken binding

1.1) User provides user info2.1) User selects 2FA token2.2) User performs authentication with that token to prove possession3.1) Eligibility check of user3.2) Vet identity of user4.1) User chooses own token or handover of token to user4.2) Bind token to digital ID4.3) Token-proof-of-possession4.4) Token activation & record4.5)Inform user





3.2.1) Compare claimed/transmitted/spoken information with user's identity proof3.2.2) Check user's identity proof with its original source for validity3.2.3) Record identity proof




Method
Live video

(tick)

federated login

(tick)(error)

(error)

(checked in 1.1 via login)









...