Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

ActivitySubactivitySubsubactivitymandatory/optional?InputOutput(Security) risks if omittedDependenciesIncreases/Decreases LoA
1) 2FA token request

1.0) Should we have a first factor auth authentication subactivity here as a gatekeeper for "User provides user info"

1.1) User provides user info


mandatoryuser information (e.g. name, email, organization, e.g. via SAML assertion)token request
  • First check to be entitled to register 2FA token (e.g. federated login, email address is present which is associated with user/org. LDAP)
Eligibility either needs to be checked in 1.1 or 3.1N/A
2) 2FA (pre-)registration2.1) User selects 2FA token
optional





2.2) User performs authentication with that token for binding and to prove possession


optional




3) Identification
(eligibility check;identity vetting , a using ID doc or alternative meetingidentity assertion method;unsure match of the person and her digital identity)

3.0) Identification session arrangement and scheduling (!optional)

3.1) Eligibility check of user


optional if already performed in 1.1







3.2) Vet identity of user








3.2.1) Compare claimed/transmitted/spoken information with user's identity proof (e.g. ID doc, activation code)mandatory






3.2.2) Check user's identity proof with its original source for validityoptional





3.2.3) Record identity proof





4) Token binding4.1) User chooses own token or handover of token to user
optional when activity 2 took place





4.2) Bind token to digital ID


mandatory,

may already be performed in step 2

precondition: successful 3.2.1)







4.3) Token-proof of-possession (e.g. test authentication)
optional





4.4) Token activation & record

mandatory

precondition: successful 3.2.1







4.5) Inform user about token activation






...