Authentication - Acceptable Management of Reauthentication, v1.0

Sessions will require reauthentication of subscribers in varying circumstances and with varying levels of assurance.

Assessment Steps (3)

1
Triggering Reauthentication (TriggeringReauthentication)
Does the service's session management force reauthentication as appropriate, e.g. due to inactivity, session expiration, non-persistence of session secrets, etc.?
Artifact
A1
Provide evidence (e.g. operational details, software data) that indicates reauthentication is requested appropriately.
2
Reauthn Assurance Level (ReauthnAssuranceLevel)
Does the service engage reauthentication appropriately for the configured AAL: any factor at AAL1, a factor the subscriber possesses at AAL2, and all factors at AAL3?
Artifact
A1
Provide evidence (e.g. operational details, software data) that indicates reauthentication is performed at the appropriate AAL.
3
Federation Reauthn (FederationReauthn)
Does the federation protocol in use support reauthentication as needed? This means the CSP should reauthenticate on request, and the CSP should send sufficient authentication information in assertions for RPs to verify that an authentication took place.
Artifact
A1
Provide evidence (e.g. operational details, software data) that indicates reauthentication is handled for federated use cases.

Conformance Criteria (3)

C1
Sessions will be maintained in a way such as to force reauthentication when appropriate:
  • Continuity of authenticated sessions SHALL be based upon the possession of a session secret issued by the verifier at the time of authentication and optionally refreshed during the session.
  • Session secrets SHALL be non-persistent. That is, they SHALL NOT be retained across a restart of the associated application or a reboot of the host device.
  • Periodic reauthentication of sessions SHALL be performed to confirm the continued presence of the subscriber at an authenticated session (i.e., that the subscriber has not walked away without logging out).
  • A session SHALL NOT be extended past the maximum session length as determined by AAL.
  • When a session has been terminated, due to a time-out or other action, the user SHALL be required to establish a new session by authenticating again.
Citation
NIST SP 800-63B
Section 7.2
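The following session store is an added illustration of criteria C1 and C2 together; it is not code from this assessment profile or from NIST. The per-AAL time limits are taken from SP 800-63B Table 7-1, which the page cites but does not reproduce, and the class and function names (SessionStore, check, refresh, FakeClock) are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass

# Per-AAL limits in seconds, taken from NIST SP 800-63B Table 7-1 (cited by this
# page but not reproduced on it): treat them as an assumption and adjust to your
# AAL profile. inactivity=None means the AAL defines no inactivity timeout.
AAL_LIMITS = {
    1: {"max_length": 30 * 24 * 3600, "inactivity": None},
    2: {"max_length": 12 * 3600, "inactivity": 30 * 60},
    3: {"max_length": 12 * 3600, "inactivity": 15 * 60},
}

# What a subscriber must present to authenticate again once a session ends (C2).
REAUTH_FACTORS = {
    1: "any single factor",
    2: "a factor the subscriber possesses (memorized secret or biometric)",
    3: "all factors",
}


@dataclass
class Session:
    secret: str               # session secret issued by the verifier (C1, bullet 1)
    aal: int
    authenticated_at: float   # never moved by refresh, so max length cannot be extended
    last_activity: float


class FakeClock:
    """Controllable clock for demonstration only; production code uses time.time."""
    def __init__(self, start=1_000_000.0):
        self.t = start

    def __call__(self):
        return self.t


class SessionStore:
    """Sessions live only in process memory: nothing survives a restart (C1, bullet 2)."""
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}

    def create(self, aal):
        """Issue a fresh session secret at the moment of authentication."""
        now = self._clock()
        secret = secrets.token_urlsafe(32)
        self._sessions[secret] = Session(secret, aal, now, now)
        return secret

    def check(self, secret):
        """Return ("ok", None) if the session may continue, else ("reauth_required", reason).
        A session that has hit a limit is deleted, so the subscriber must authenticate
        again to obtain a new one (C1, bullet 5)."""
        s = self._sessions.get(secret)
        if s is None:
            return ("reauth_required", "no such session: authenticate again")
        now = self._clock()
        limits = AAL_LIMITS[s.aal]
        if now - s.authenticated_at > limits["max_length"]:
            del self._sessions[secret]
            return ("reauth_required",
                    f"AAL{s.aal} maximum session length reached; present {REAUTH_FACTORS[s.aal]}")
        inactivity = limits["inactivity"]
        if inactivity is not None and now - s.last_activity > inactivity:
            del self._sessions[secret]
            return ("reauth_required",
                    f"AAL{s.aal} inactivity timeout; present {REAUTH_FACTORS[s.aal]}")
        s.last_activity = now
        return ("ok", None)

    def refresh(self, secret):
        """Rotate the session secret (C1, bullet 1: "optionally refreshed") without
        touching authenticated_at, so rotation can never extend the session past
        its AAL maximum (C1, bullet 4)."""
        if self.check(secret)[0] != "ok":
            return None
        s = self._sessions.pop(secret)
        s.secret = secrets.token_urlsafe(32)
        self._sessions[s.secret] = s
        return s.secret


if __name__ == "__main__":
    clock = FakeClock()
    store = SessionStore(clock=clock)
    sid = store.create(aal=2)
    print(store.check(sid))      # ('ok', None)
    clock.t += 31 * 60           # 31 minutes idle: past the AAL2 inactivity limit
    print(store.check(sid))      # ('reauth_required', 'AAL2 inactivity timeout; ...')
```

The evidence an assessor asks for under A1 of steps 1 and 2 maps directly onto this structure: the inactivity and maximum-length branches of check() are the triggering logic, the REAUTH_FACTORS table is the AAL-dependent factor requirement, and the in-memory store is the non-persistence property.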
C2
Acceptable reauthentication depends on the AAL. At AAL1 one factor SHALL suffice; at AAL2 the subscriber MUST present a factor that they, and not a device, possess, such as a memorized secret or biometric; and at AAL3 all factors MUST be performed.
Citation
NIST SP 800-63B
Section 7.2
C3
Federation protocols SHALL, if possible, allow RPs to require reauthentication at the CSP, and the CSP SHALL communicate the authentication event time to the RP so that the RP can decide whether to accept this assertion for reauthentication.
Citation
NIST SP 800-63B
Section 7.2.1
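As an added example of the exchange C3 and assessment step 3 describe (not code from this profile or from any CSP product), the block below shows both sides: the RP asking the CSP for a sufficiently recent authentication, the CSP deciding whether it must reauthenticate before issuing an assertion, and the RP checking the authentication event time in that assertion. The parameter and claim names (max_age, prompt=login, auth_time, iat) follow OpenID Connect Core 1.0; the page names no protocol, so that choice, the function names and the sample timestamps are assumptions.

```python
import time

# Parameter and claim names (max_age, prompt=login, auth_time, iat) follow OpenID
# Connect Core 1.0; the page itself names no protocol, so OIDC is an assumption here.


def build_reauth_request(client_id, redirect_uri, max_age_seconds, force=False):
    """RP side: build an authentication request that asks the CSP for a fresh
    enough authentication. max_age bounds the age the RP will accept;
    prompt=login demands reauthentication regardless of age."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "max_age": str(max_age_seconds),
    }
    if force:
        params["prompt"] = "login"
    return params


def csp_handle_request(params, subject, last_auth_time, now):
    """CSP side: decide whether to reauthenticate the subscriber before issuing
    an assertion, and always stamp the assertion with auth_time so the RP can
    judge it (C3). Returns (reauthenticated, assertion). Running the actual
    authenticators and signing the token are out of scope for this example."""
    must_reauth = params.get("prompt") == "login"
    max_age = params.get("max_age")
    if max_age is not None and now - last_auth_time > int(max_age):
        must_reauth = True
    # A real CSP would perform the reauthentication here before setting auth_time.
    auth_time = now if must_reauth else last_auth_time
    assertion = {"sub": subject, "iat": now, "auth_time": auth_time}
    return must_reauth, assertion


def accept_for_reauth(assertion, max_age_seconds, now=None, skew=60):
    """RP side: accept the assertion as proof of reauthentication only if it
    carries an auth_time within max_age. Signature and audience checks are
    assumed to have passed already. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    auth_time = assertion.get("auth_time")
    if not isinstance(auth_time, (int, float)):
        return (False, "assertion lacks a numeric auth_time, so reauthentication cannot be verified")
    if auth_time > now + skew:
        return (False, "auth_time lies in the future beyond the allowed clock skew")
    age = now - auth_time
    if age > max_age_seconds:
        return (False, f"authentication is {int(age)}s old, older than max_age={max_age_seconds}s")
    return (True, None)


if __name__ == "__main__":
    now = 1_700_000_000    # constructed timestamp for the demonstration
    request = build_reauth_request("rp-client", "https://rp.example/cb", max_age_seconds=300)
    # The subscriber's CSP session was authenticated an hour ago: CSP must reauthenticate.
    reauthed, assertion = csp_handle_request(request, "sub-1", last_auth_time=now - 3600, now=now)
    print(reauthed, accept_for_reauth(assertion, 300, now=now))   # True (True, None)
    # A stale assertion that the CSP did not refresh is rejected by the RP.
    stale = {"sub": "sub-1", "iat": now, "auth_time": now - 3600}
    print(accept_for_reauth(stale, 300, now=now))
```

The two halves of C3 correspond to the two decisions above: the CSP honours the RP's request (prompt=login or an expired max_age) by reauthenticating, and the RP never trusts an assertion as a reauthentication unless it can read the authentication event time from it. Rejecting an assertion without auth_time, rather than assuming it is fresh, is the check an assessor would look for under A1 of step 3.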