https://artifacts.trustmarkinitiative.org/lib/tds/authentication---acceptable-management-of-reauthentication/1.0/

Authentication - Acceptable Management of Reauthentication, version 1.0

Sessions will require reauthentication of subscribers in varying circumstances and with varying levels of assurance.

Published: 2019-04-05
Publisher: Trustmark Initiative, https://trustmarkinitiative.org/
Primary contact: Trustmark Support, help@trustmarkinitiative.org, 555-555-5555, https://trustmarkinitiative.org/

Legal notice: This artifact is published by the Georgia Tech Research Institute (GTRI) as part of the Trustmark Initiative. This artifact and the information contained herein is provided on an "AS IS" basis, and GTRI disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties or merchantability or fitness for a particular purpose. In addition, GTRI disclaims legal liability for any loss incurred as a result of the use or reliance on the document or the information contained herein.

Terms

Access
Active Attack
Address of Record
Applicant
Approved Cryptography
Assertion
Assertion Reference
Asymmetric Keys
Attack
Attacker
Attribute
Attribute Bundle
Attribute Reference
Attribute Value
Authenticate: ... authentication.
Authenticated Protected Channel
Authentication
Authentication Factor: ... something you know, something you have, and something you are. Every authenticator has one or more authentication factors.
Authentication Intent
Authentication Protocol
Authentication Protocol Run
Authentication Secret: ... short-term authentication secrets, which are only useful to an attacker for a limited period of time, and long-term authentication secrets, which allow an attacker to impersonate the subscriber until they are manually reset. The authenticator secret is the canonical example of a long-term authentication secret, while the authenticator output, if it is different from the authenticator secret, is usually a short-term authentication secret.
Authenticator: ... token.
Authenticator Assurance Level (AAL)
Authenticator Output
Authenticator Secret
Authenticator Type
Authenticity
Authoritative Source
Authorize
Back-Channel Communication
Bearer Assertion
Binding
Biometrics
Challenge-Response Protocol
Claimant
Claimed Address
Claimed Identity
Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA)
Credential
Credential Service Provider (CSP)
Cross-site Request Forgery (CSRF)
Cross-site Scripting (XSS)
Cryptographic Authenticator
Cryptographic Key: ... asymmetric keys, symmetric key.
Cryptographic Module
Data Integrity
Derived Credential
Digital Authentication: ... Electronic Authentication.
Digital Signature
Diversionary
Eavesdropping Attack
Electronic Authentication (E-Authentication): ... digital authentication.
Enrollment
Entropy: ... n bits of entropy has the same degree of uncertainty as a uniformly distributed n-bit random value.
Federal Information Processing Standard (FIPS)
Federation
Federation Assurance Level (FAL)
Federation Proxy
Front-Channel Communication
Hash Function
Identity
Identity Assurance Level (IAL)
Identity Evidence
Identity Proofing
Identity Provider (IdP)
Issuing Source
Kerberos
Knowledge-Based Verification (KBV)
Man-in-the-Middle Attack (MitM, MitMA)
Memorized Secret: ... something they know as part of an authentication process.
Message Authentication Code (MAC)
Mobile Code
Multi-Factor: ... authentication factor for successful authentication. MFA can be performed using a single authenticator that provides more than one factor or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are.
Multi-Factor Authentication (MFA): ... authentication factor for successful authentication. Multi-factor authentication can be performed using a multi-factor authenticator or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are.
Multi-Factor Authenticator
Network
Nonce
Offline Attack
Online Attack
Online Guessing Attack
Pairwise Pseudonymous Identifier
Passive Attack
Passphrase
Password: ... memorized secret.
Personal Data: ... personally identifiable information.
Personal Identification Number (PIN)
Personal Information: ... personally identifiable information.
Personally Identifiable Information (PII)
Pharming
Phishing
Possession and Control of an Authenticator
Practice Statement
Presentation Attack
Presentation Attack Detection (PAD): ... liveness detection, involve measurement and analysis of anatomical characteristics or involuntary or voluntary reactions, in order to determine if a biometric sample is being captured from a living subject present at the point of capture.
Private Credentials
Private Key
Protected Session: ... authenticated if, during the session, they prove possession of one or more authenticators in addition to the session keys, and if the other party can verify the identity associated with the authenticator(s). If both participants are authenticated, the protected session is said to be mutually authenticated.
Pseudonym
Pseudonymity
Pseudonymous Identifier
Public Credentials
Public Key
Public Key Certificate
Public Key Infrastructure (PKI)
Reauthentication
Registration: ... enrollment.
Relying Party (RP)
Remote: (In the context of remote authentication or remote transaction) An information exchange between network-connected devices where the information cannot be reliably protected end-to-end by a single organization's security controls.
Replay Attack
Replay Resistance
Restricted
Risk Assessment
Risk Management
Salt
Secure Sockets Layer (SSL): ... Transport Layer Security (TLS).
Session
Session Hijack Attack
Shared Secret
Side-Channel Attack
Single-Factor
Social Engineering
Special Publication (SP)
Subject
Subscriber
Symmetric Key
Token: ... authenticator.
Token Authenticator: ... authenticator output.
Token Secret: ... authenticator secret.
Transaction
Transport Layer Security (TLS)
Trust Anchor
Usability
Verifier
Verifier Impersonation
Virtual In-Person Proofing
Weakly Bound Credentials
Zero-Knowledge Password Protocol
Zeroize

Sources

NIST SP 800-63B: NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management. June 2017. https://doi.org/10.6028/NIST.SP.800-63b

Conformance Criteria

Criterion 1 (C1): Sessions will be maintained in a way such as to force reauthentication when appropriate:
<ul>
<li>Continuity of authenticated sessions SHALL be based upon the possession of a session secret issued by the verifier at the time of authentication and optionally refreshed during the session.</li>
<li>Session secrets SHALL be non-persistent. That is, they SHALL NOT be retained across a restart of the associated application or a reboot of the host device.</li>
<li>Periodic reauthentication of sessions SHALL be performed to confirm the continued presence of the subscriber at an authenticated session (i.e., that the subscriber has not walked away without logging out).</li>
<li>A session SHALL NOT be extended past the maximum session length as determined by AAL.</li>
<li>When a session has been terminated, due to a time-out or other action, the user SHALL be required to establish a new session by authenticating again.</li>
</ul>

Criterion 2 (C2): Acceptable reauthentication depends on the AAL. At AAL1 one factor SHALL suffice; at AAL2 the subscriber MUST present something they have (that a device does not), such as a memorized secret or biometric; and at AAL3 all factors MUST be performed.

Criterion 3 (C3): Federation protocols SHALL, if possible, allow RPs to require reauthentication at the CSP, and the CSP SHALL communicate the authentication event time to the RP so that the RP can decide whether to accept this assertion for reauthentication.

Assessment Steps

Step 1, Triggering Reauthentication: Does the service's session management force reauthentication as appropriate? Due to inactivity, expiration of session, non-persistence, etc. (A1)

Step 2, Reauthn Assurance Level: Does the service engage reauthentication appropriately for the configured AAL? Any factor for AAL1, requiring a user-possessed factor for AAL2, and requiring all factors for AAL3. (A1)

Step 3, Federation Reauthn: Does the federation protocol in use support reauthentication as well as needed? This means the CSP should reauthenticate on request and the CSP should send sufficient authentication information in assertions for RPs to verify an authentication took place. (A1)
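As an added example (not part of the Trustmark TD or of NIST SP 800-63B), the following Python sketches a verifier-side session store that applies C1 to C3: a session secret issued at authentication and held only in process memory, inactivity and maximum-length limits per AAL, the factor kinds accepted at reauthentication, and an RP-side freshness check on the authentication event time carried in a CSP assertion. The per-AAL limits are taken from NIST SP 800-63B section 7.2; the factor kind names ("know", "have", "are") and the assertion's auth_time field are assumptions.

```python
import secrets
# Per-AAL limits from NIST SP 800-63B section 7.2 (assumed here; the TD only
# says the limit is "determined by AAL"): (max session length, max idle), in s.
AAL_LIMITS = {1: (30 * 86400, None), 2: (12 * 3600, 1800), 3: (12 * 3600, 900)}
# Process memory only: a verifier restart drops every secret (C1 non-persistence).
SESSIONS = {}

def open_session(aal, factors, now, started=None):
    """Issue a fresh session secret; factors are the kinds used at login
    ("know", "have", "are"); started is kept across a secret refresh."""
    secret = secrets.token_urlsafe(32)
    SESSIONS[secret] = {"aal": aal, "factors": frozenset(factors),
                        "started": now if started is None else started, "last_seen": now}
    return secret

def check_session(secret, now):
    """'ok', or why the subscriber must reauthenticate or log in again (C1)."""
    s = SESSIONS.get(secret)
    if s is None:
        return "no session"
    max_len, max_idle = AAL_LIMITS[s["aal"]]
    if now - s["started"] > max_len:
        del SESSIONS[secret]          # terminated: a new session is required
        return "max session length exceeded"
    if max_idle is not None and now - s["last_seen"] > max_idle:
        return "inactive: periodic reauthentication required"
    s["last_seen"] = now
    return "ok"

def reauth_acceptable(s, presented):
    """C2: do the presented factor kinds satisfy reauthentication at this AAL?"""
    presented = set(presented)
    if s["aal"] == 1:
        return len(presented) >= 1
    if s["aal"] == 2:                 # TD names a memorized secret or biometric
        return bool(presented & {"know", "are"})
    return presented >= s["factors"] and len(presented) >= 2   # AAL3: all factors

def reauthenticate(secret, presented, now):
    """On success, rotate the secret (C1 allows a refresh) keeping the start time."""
    s = SESSIONS.get(secret)
    if s is None or not reauth_acceptable(s, presented):
        return None
    del SESSIONS[secret]
    return open_session(s["aal"], s["factors"], now, started=s["started"])

def rp_accepts_for_reauth(assertion, now, max_age):
    """C3: accept only if the assertion carries a fresh enough authentication event time."""
    auth_time = assertion.get("auth_time")
    return auth_time is not None and 0 <= now - auth_time <= max_age
```

A successful reauthentication returns a new secret and the old one stops working, while the original start time still bounds the session's total length.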