federated login
(checked in 1.1 via login)
The following generalised functional units (actions) serve to design and implement the vetting scenarios for second factor and multifactor authentication that fulfil some of ITU-T X.1254 entity authentication assurance framework processes. The following processes from its "8.1 Enrollment phase" are to be covered:
"8.1.4 Registration" is omitted as it is related with (later) use of services or resources.
Of all processes described in "8.2 Credential management phase" - only these are addressed here, as they are related with initialisation and issuance of the authentication factors, which, in our scenarios, are closely tied to identity proofing and verification:
The names and descriptions used in these elaborations aim to be mappable to those processes and be terminologically compatible with ITU-T X.1254 and its definitions of terms. An additional specifics in relation the above-listed processes is that they focus on the credentials (sets of data supporting identity or entitlement claims), while our scenarios are focused on authentication factors (something specific that is possessed, known or inherent). The subject entities are referred to as applicants, who are the physical persons whose identity is to be authenticated.
The actions listed here are common actions which may be used at multiple times at different stages and for various purposes. These actions are:
C_USE_EXISTING_FACTOR Authenticate Existing Factor
The applicant authenticates with his/her existing factor(s). Username/password login is typically the first existing factor that is readily available.
This action may be used for multiple purposes:
Perform authentication with the existing factor(s) to prove knowledge/possession of the respective factor(s).
This action may also be used for checking the applicants eligibility (see C_CHECK_ELIGIBILITY) based on the credentials used (e.g. by searching for a name or e-mail address in a LDAP directory) or the attributes (e.g. affiliation) which are send in the authentication response.
Input: Credentials (e.g. username/password combination, certificate)
Output: Authentication successful (yes/no), attributes is needed (e.g. affiliation)
C_SELECT_NEW_FACTOR
The applicant selects the type of the new factor to be introduced if there are several options. The offered options may depend on the place of the use, for example, a wider set of options may be available during initiation than with a particular vetting the user was directed to at the initiation phase.
There may be different factor types, e.g. something you know/have/are, the applicant can choose from as well as multiple realization options/products per factor (e.g. Yubikey, Google Authenticator).
Input: List of possible factors
Output: factor selected/assigned and known (or) in possession/... by the applicant
C_USE_NEW_FACTOR Use Introduced Factor
Usage of the introduced factor may serve multiple purposes at different stages.
E.g. Use introduced factor to test functioning, to prove knowledge/possession/inheritance/... or to make sure factors match.
Input: new factor
Output: usage of factor took place (for various purposes)
C_CHECK_ELIGIBILITY Check Eligibility of Applicant
Check if the applicant is eligible to request an additional factor. For example, if there are some policy or contractual restrictions. Is the applicant associated with participating organisation and eligible for the offered delivery of the additional physical factor such as token?
Done by manual or automated check a directory, federated identity, or examination of a written institutional certificate.
Input: applicant's identifying information
Output: decision: eligible (yes/no)
Initial request for an additional authentication factor during which vetting arrangements are made. Optional actions in case face-to-face vetting will take place. If needed:
C_USE_EXISTING_FACTOR (optional) DEFINED IN C
Optional. Used to provide both information about user identity and initial proof (with presumably weaker assurance) that the applicant is who (s)he claims to be.
C_CHECK_ELIGIBILITY (optional, requiring C_USE_EXISTING_FACTOR) DEFINED IN C
Optional. Used to check whether the applicant is entitled to request the additional factor at the moment of application, as this may incur some costs or use of resources.
C_SELECT_NEW_FACTOR (optional) DEFINED IN C
Optional, if there are several options for factors that may be offered at the start. May affect the options to be used during the vetting phase.
I_REQUEST_FACTOR
Optional. The applicant may also provide a delivery address and perhaps even pay for the factor, handling and delivery service. This may be even as simple as redirection to the external factor provider.
I_FACTOR_DELIVERY
Optional sending or handing over of the physical factor (typically a token), if such is used, and if this is a part of the provided service.
C_USE_NEW_FACTOR (optional) DEFINED IN C
Optional factor (token) preregistration and binding with the request. If the applicant is expected to possess a token at the time of registration; alternatively, this can be done during the vetting phase.
I_ARRANGE_VETTING (optional)
Optional detailing of vetting. E-mail, initiation application or other channel is used to communicate a code, appointment details or other relevant information. May include several steps:
Do the actual vetting by proofing the applicant's identity and verifying identity information.
V_COMMENCE Begin vetting, possibly by accessing and validating the prior request
Set up the context for identity proofing and information verification by linking prior initiation or performing it if has not been done. Verify, resume, and potentially update the context established during the initiation, or do the key work that that is in it. For example, if the applicant is allowed to come to a service desk without prior registration, the key elements of the initiation still must be performed, such as C_CHECK_ELIGIBILITY and C_SELECT_NEW_FACTOR; other initiation elements related to scheduling of the appointment or linking of initiation and vetting, such as (secret) code creation are pointless, as the applicant is already present and available for vetting.
V_CREATE_DIGITAL_IDENTITY (optional)
Only if the applicant does not already possess the IdP identity (weak or 1st factor identity). This is optional and often prohibited or discouraged and avoided except for those in need of assistance or VIP individuals. Usually done before V_VERIFY_IDENTITY in order to allow parallelism at the service desk; should be undo-able if V_VERIFY_IDENTITY fails. This includes the check of the alignment with the enforced policies, informing of the applicant about the rules associated with this factor, creation of the username and the password, and providing the applicant with them.
This action should be invalidated if any of the following enrollment actions fails during both vetting and binding phases.
V_PRESENT_PROOF → include in V_VET_PROOF?
The applicant presents proof of identity, typically a sanctioned type of picture ID doc with demographic and biometric data.
C_SELECT_NEW_FACTOR (optional) DEFINED IN C
Optional - change of the factor the applicant has already applied for is quite unlikely but this may offer some flexibility by modifying the original choice made during the initiation.
V_HAND_OVER_FACTOR → refer to I_FACTOR_DELIVERY?
Optional, if the factor such as token is provided by the service desk. Recording of handover is probably unnecessary, as the service/operator is in the possession a proof (it was obtained with V_PRESENT_PROOF), so there is no risk of an irremediable situation or that the applicant would flee with the factor before C_USE_NEW_FACTOR.
V_VERIFY_IDENTITY →do we need subactions here?
Detailed check of ID validity and match with the person of the applicant. Compare the claimed identity (information) which is transmitted by the applicant or system with the applicant's identity proof and the actual person.
V_SOURCE (optional)
Check user's identity proof (e.g. national ID document, employee ID card) against its original source for validity.
Make sure the identity proof is not expired/revoked/invalid/...
Input: user's identity proof
Output: verified identity proof
Effect on LoA: typically higher LoA require this action
In case online identity vetting mechanisms are used (such as video identification, online document upload) a liveness check may be performed to prevent fraud. Otherwise implied by V_VET_ PROOF conducted with the user.
Example1: Show ID document besides the head to prove ID document and holder match.
Example2: Upload ID document and real-time recorded selfie.
Input: any means that show liveness
Output: liveness verified
Optional, typically by recording the last digits of ID doc number (avoid recording excess personal data, photos of the person or ID doc)
For accountability purposes (parts of) the identity proof (e.g. last 6 digits of national ID document) is recorded.
Input: identity proof
Output: record
Effect on LoA: not applicable
C_USE_NEW_FACTOR (optional) DEFINED IN C
Making sure that the applicant knows/possesses/inherits the new factor and is able to use it. Or in case of preregistration make sure that the factors match. This could be done by the user in parallel with V_VERIFY_IDENTITY. It may be preceded with C_USE_EXISTING_FACTOR it if has not been already performed. This may be avoided if C_USE_NEW_FACTOR was done during initiation or implied by a record on V_HAND_OVER_FACTOR. The record about C_USE_NEW_FACTOR could be a standalone event of the vetting phase or even required if there was no V_HAND_OVER_TOKEN, but it may be unnecessary with the presence C_PREREGISTER_TOKEN and V_USE_VETTING_CODE; the used token will be later bound to digital identity.
V_PREREGISTER_FACTOR (optional) → this is no preregistration, rather POSTregistration
This factor will be later bound and activated, so the record about it and its association with the applicant's digital identity is saved. For this to happen, all prior steps of vetting should be completed with success.
Establishment of an operational link between the identity of the user and factor.
B_FACTOR_AND_ID Bind factor to ID
Create a long term binding between the introduced factor and the digital ID of the user based on verified user identity.
Input: verified user identity, digital ID of user, factor
Output: binding between digital ID and factor
B_ACTIVATE Activate Binding of Digital ID and New Factor
Activate the binding of the digital ID of the user and the new factor. Explain why activation is needed after binding...
Input: binding between digital ID and factor
Output: decision: activation successful/unsuccessful
B_CONFIRMATION Inform User about Factor Activation
Inform the user about the correct/incorrect activation of the factor.
In case the factor activation was successful, the applicant can now authenticate using more than one factor.
Input: result of factor activation (positive/negative)
Output: message to the applicant
------------------------------------------------------ Template for providing example realization options ---------------------------------------------------------------------
Example realization options
| Federated Login |
Short description | Federated login is used to provide user information |
Input | User information (e.g. name, email, organization) typically via a SAML assertion |
Output | Factor request |
Advantages | |
Drawbacks/Risks |
| Activity | Subactivity | Subsubactivity | Mapping I (Identity/Identification) F (Factor) → 1F if first factor, 2F if second factor | Mandatory/optional? (typically) | Input (typically) | Output (typically) | (Security) risks if omitted (general) | Dependencies (could be quite specific) | Increases/Decreases LoA (general) |
|---|---|---|---|---|---|---|---|---|---|
| FRq 1) 2FA token request | 1.0) Should we have a first factor authentication subactivity here as a gatekeeper for "User provides user info" FRq.UI 1.1) User provides user info | F_request (e.g. 2F_request if second factor is requested) | mandatory | user information (e.g. name, email, organization, e.g. via SAML assertion) | token request |
| Eligibility either needs to be checked in 1.1 or 3.1 | N/A | |
| FReg 2) 2FA (pre-)registration | FReg.Sel 2.1) User selects factor | N/A, see F_select | optional | ||||||
FReg.Authc 2.2) User performs authentication with that factor for binding and to prove possession/knowledge/... | N/A, see F_authenticate | optional | |||||||
| Ident 3) Identification (eligibility check;identity vetting using ID doc or alternative identity assertion method;unsure match of the person and her digital identity) | Ident.Sched 3.0) Identification session arrangement and scheduling (!optional) | I_schedule | |||||||
| Ident.ElegC 3.1) Check eligiblity of user & possession of first factor | I_checkEligibility 1F_authenticate | optional if already performed in 1.1 | |||||||
Ident.UVet 3.3) Vet identity of user | |||||||||
| Ident.UVet.CkClm 3.3.1) Compare claimed/transmitted/spoken information with user's identity proof (e.g. ID doc, activation code) | I_vet_???? | mandatory | |||||||
Ident.UVet.ULive 3.3.2) Perform Liveness Check (e.g. ID doc photo vs. real life face/ selfie) | I_vet_liveness | ||||||||
| Ident.UVet.IDVal 3.3.3) Check user's identity proof with its original source for validity | I_vet_originalSource | optional | ↓ | ||||||
| Ident.UVet.Rec 3.3.4) Record identity proof (par of ID doc, or just note success???) | I_record | ||||||||
| FBind 4) Token binding | FBind.Poss 4.1) User chooses own token or handover of token to user (possession) | F_select | optional when activity 2 took place | ||||||
FBind.DigID 4.2) Bind factor to digital ID | F_bind | mandatory, may already be performed in step 2 precondition: successful 3.2.1) | |||||||
| FBind.FPoss 4.3) Token-proof of-possession (e.g. test authentication) | 2F_authenticate | optional | |||||||
| FBind.FAct4.4) Factor activation & record | F_activate F_record | mandatory precondition: successful 3.2.1 | |||||||
| FBind.FAck 4.5) Inform user about factor activation | F_confirmActivation |
| 2FA token request | 2FA token (pre-)registration | Identification | Token binding | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1.1) User provides user info | 2.1) User selects 2FA token | 2.2) User performs authentication with that token to prove possession | 3.1) Eligibility check of user | 3.2) Vet identity of user | 4.1) User chooses own token or handover of token to user | 4.2) Bind token to digital ID | 4.3) Token-proof-of-possession | 4.4) Token activation & record | 4.5)Inform user | |||
| 3.2.1) Compare claimed/transmitted/spoken information with user's identity proof | 3.2.2) Check user's identity proof with its original source for validity | 3.2.3) Record identity proof | ||||||||||
| Method | ||||||||||||
| Live video |
federated login | | |
(checked in 1.1 via login) | ||||||||
| ... | ||||||||||||