DV-MFA table

Activity	Subactivity	Subsubactivity	mandatory/optional?	Input	Output	(Security) risks if omitted	Dependencies	Increases/Decreases LoA
1) 2FA token request	1.1) User provides user info		mandatory	user information (e.g. name, email, organization, e.g. via SAML assertion)	token request	First check to be entitled to register 2FA token (e.g. federated login, email address is present which is associated with user/org. LDAP	Eligibility either needs to be checked in 1.1 or 3.1	N/A
2) 2FA (pre-)registration	2.1) User selects 2FA token		optional
	2.2) User performs authentication with that token to prove possession		optional
3) Identification	3.1) Eligibility check of user		optional
	3.2) Vet identity of user
		3.2.1) Compare claimed/transmitted/spoken information with user's identity proof (e.g. ID doc, activation code)	mandatory
		3.2.2) Check user's identity proof with its original source for validity	optional					↓
		3.2.3) Record identity proof
4) Token binding	4.1) User chooses own token or handover of token to user		optional when activity 2 took place
	4.2) Bind token to digital ID		mandatory, may already be performed in step 2 precondition: successful 3.2.1)
	4.3) Token-proof of-possession (e.g. test authentication)		optional
	4.4) Token activation & record
	4.5) Inform user

	2FA token request	2FA token (pre-)registration		Identification				Token binding
	1.1) User provides user info	2.1) User selects 2FA token	2.2) User performs authentication with that token to prove possession	3.1) Eligibility check of user	3.2) Vet identity of user			4.1) User chooses own token or handover of token to user	4.2) Bind token to digital ID	4.3) Token-proof-of-possession	4.4) Token activation & record	4.5)Inform user
					3.2.1) Compare claimed/transmitted/spoken information with user's identity proof	3.2.2) Check user's identity proof with its original source for validity	3.2.3) Record identity proof

Page tree