Trustmark Definition: Authentication - Acceptable Management of Authenticator Revocation and Termination
Version: 1.0
Identifier: https://artifacts.trustmarkinitiative.org/lib/tds/authentication---acceptable-management-of-authenticator-revocation-and-termination/1.0/

Description
Credential Service Providers must revoke authenticators in cases where the identity ceases to exist, on request, and when the subscriber is no longer eligible. This may require destroying or reclaiming a physical authenticator if it contained certified data.

Publication date: 2019-04-05T00:00:00.000Z
Publisher: Trustmark Initiative (https://trustmarkinitiative.org/)
Primary contact: Trustmark Support, help@trustmarkinitiative.org, 555-555-5555, https://trustmarkinitiative.org/

Legal notice
This artifact is published by the Georgia Tech Research Institute (GTRI) as part of the Trustmark Initiative. This artifact and the information contained herein is provided on an "AS IS" basis, and GTRI disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties or merchantability or fitness for a particular purpose. In addition, GTRI disclaims legal liability for any loss incurred as a result of the use or reliance on the document or the information contained herein.

Terms
The following terms are used by this trustmark definition. For some terms only the tail of the definition survives in the source; those partial definitions are shown after "[...]".

Access
Active Attack
Address of Record
Applicant
Approved Cryptography
Assertion
Assertion Reference
Asymmetric Keys
Attack
Attacker
Attribute
Attribute Bundle
Attribute Reference
Attribute Value
Authenticate: [...] authentication.
Authenticated Protected Channel
Authentication
Authentication Factor: [...] something you know, something you have, and something you are. Every authenticator has one or more authentication factors.
Authentication Intent
Authentication Protocol
Authentication Protocol Run
Authentication Secret: [...] short-term authentication secrets, which are only useful to an attacker for a limited period of time, and long-term authentication secrets, which allow an attacker to impersonate the subscriber until they are manually reset. The authenticator secret is the canonical example of a long-term authentication secret, while the authenticator output, if it is different from the authenticator secret, is usually a short-term authentication secret.
Authenticator: [...] token.
Authenticator Assurance Level (AAL)
Authenticator Output
Authenticator Secret
Authenticator Type
Authenticity
Authoritative Source
Authorize
Back-Channel Communication
Bearer Assertion
Binding
Biometrics
Challenge-Response Protocol
Claimant
Claimed Address
Claimed Identity
Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA)
Credential
Credential Service Provider (CSP)
Cross-site Request Forgery (CSRF)
Cross-site Scripting (XSS)
Cryptographic Authenticator
Cryptographic Key: [...] asymmetric keys, symmetric key.
Cryptographic Module
Data Integrity
Derived Credential
Digital Authentication: [...] Electronic Authentication.
Digital Signature
Diversionary
Eavesdropping Attack
Electronic Authentication (E-Authentication): [...] digital authentication.
Enrollment
Entropy: [...] n bits of entropy has the same degree of uncertainty as a uniformly distributed n-bit random value.
Federal Information Processing Standard (FIPS)
Federation
Federation Assurance Level (FAL)
Federation Proxy
Front-Channel Communication
Hash Function
Identity
Identity Assurance Level (IAL)
Identity Evidence
Identity Proofing
Identity Provider (IdP)
Issuing Source
Kerberos
Knowledge-Based Verification (KBV)
Man-in-the-Middle Attack (MitM, MitMA)
Memorized Secret: [...] something they know as part of an authentication process.
Message Authentication Code (MAC)
Mobile Code
Multi-Factor: [...] authentication factor for successful authentication. MFA can be performed using a single authenticator that provides more than one factor or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are.
Multi-Factor Authentication (MFA): [...] authentication factor for successful authentication. Multi-factor authentication can be performed using a multi-factor authenticator or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are.
Multi-Factor Authenticator
Network
Nonce
Offline Attack
Online Attack
Online Guessing Attack
Pairwise Pseudonymous Identifier
Passive Attack
Passphrase
Password: [...] memorized secret.
Personal Data: [...] personally identifiable information.
Personal Identification Number (PIN)
Personal Information: [...] personally identifiable information.
Personally Identifiable Information (PII)
Pharming
Phishing
Possession and Control of an Authenticator
Practice Statement
Presentation Attack
Presentation Attack Detection (PAD): [...] liveness detection, involve measurement and analysis of anatomical characteristics or involuntary or voluntary reactions, in order to determine if a biometric sample is being captured from a living subject present at the point of capture.
Private Credentials
Private Key
Protected Session: [...] authenticated if, during the session, they prove possession of one or more authenticators in addition to the session keys, and if the other party can verify the identity associated with the authenticator(s). If both participants are authenticated, the protected session is said to be mutually authenticated.
Pseudonym
Pseudonymity
Pseudonymous Identifier
Public Credentials
Public Key
Public Key Certificate
Public Key Infrastructure (PKI)
Reauthentication
Registration: [...] enrollment.
Relying Party (RP)
Remote: (In the context of remote authentication or remote transaction) An information exchange between network-connected devices where the information cannot be reliably protected end-to-end by a single organization's security controls.
Replay Attack
Replay Resistance
Restricted
Risk Assessment
Risk Management
Salt
Secure Sockets Layer (SSL): [...] Transport Layer Security (TLS).
Session
Session Hijack Attack
Shared Secret
Side-Channel Attack
Single-Factor
Social Engineering
Special Publication (SP)
Subject
Subscriber
Symmetric Key
Token: [...] authenticator.
Token Authenticator: [...] authenticator output.
Token Secret: [...] authenticator secret.
Transaction
Transport Layer Security (TLS)
Trust Anchor
Usability
Verifier
Verifier Impersonation
Virtual In-Person Proofing
Weakly Bound Credentials
Zero-Knowledge Password Protocol
Zeroize

Source
NIST SP 800-63B: NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management. June 2017. https://doi.org/10.6028/NIST.SP.800-63b

Conformance criteria
1. (C1) CSPs SHALL revoke the binding of authenticators promptly when an online identity ceases to exist (e.g., subscriber's death, discovery of a fraudulent subscriber), when requested by the subscriber, or when the CSP determines that the subscriber no longer meets its eligibility requirements.
2. (C2) The CSP SHALL require subscribers to surrender or certify destruction of any physical authenticator containing certified attributes signed by the CSP as soon as practical after revocation or termination takes place. This is necessary to block the use of the authenticator's certified attributes in offline situations between revocation/termination and expiration of the certification.

Assessment steps
1. Revoke Authenticator: Does the CSP revoke the authenticator binding promptly when the online identity ceases to exist, when requested, or when the CSP determines the subscriber is no longer eligible? [A1]
2. Reclaim or Destroy Authenticator: Does the CSP require subscribers to surrender or destroy any physical authenticator containing certified attributes? [A1]