You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 7 Next »



ActivitySubactivitySubsubactivitymandatory/optional?InputOutput(Security) risks if omittedDependenciesIncreases/Decreases LoA
1) 2FA token request1.1) User provides user info
mandatoryuser information (e.g. name, email, organization, e.g. via SAML assertion)token request
  • First check to be entitled to register 2FA token (e.g. federated login, email address is present which is associated with user/org. LDAP
Eligibility either needs to be checked in 1.1 or 3.1N/A
2) 2FA (pre-)registration2.1) User selects 2FA token
optional





2.2) User performs authentication with that token to prove possession
optional




3) Identification3.1) Eligibility check of user
optional





3.2) Vet identity of user








3.2.1) Compare claimed/transmitted/spoken information with user's identity proof (e.g. ID doc, activation code)mandatory






3.2.2) Check user's identity proof with it's original source for validityoptional





3.2.3) Record identity proof





4) Token binding4.1) User chooses own token or handover of token to user
optional when activity 2 took place





4.2) Bind token to digital ID


mandatory,

may already be performed in step 2

precondition: successful 3.2.1)







4.3) Token-proof of-possession (e.g. test authentication)
optional





4.4) Token activation & record







4.5) Inform user








  • No labels