Trustmark Definitions (226-250 of 3247)

Trustmark Definition Name Version
Addresses the requirement for the Auditor Trusted Role to be excluded from multiparty access control.
1.0
Addresses the requirement for authentication of communications between PKI trusted roles and their PKI certificate authority.
1.0
Credential Service Providers may issue authenticators that expire, and if they do, they must handle expiration appropriately by not accepting expired authenticators and by notifying the user of the expiration. If a physical device has expired, it should be destroyed and reclaimed.
1.0
Compromised authenticators (due to loss, damage, or unauthorized duplication/disclosure) must be suspended, revoked, or destroyed as appropriate.
1.0
Credential Service Providers must revoke authenticators in cases where the identity ceases to exist, on request, and when the subscriber is no longer eligible. This may require destroying or reclaiming a physical authenticator if it contained certified data.
1.0
Sessions will require reauthentication of subscribers in varying circumstances and with varying levels of assurance.
1.0
Sessions must be generated, managed, and terminated properly to ensure safe interactions between subscriber and service.
1.0
Authenticator verifiers may rely on attestation data conveyed to the verifier from a directly connected authenticator or endpoint. That attestation data must be digitally signed appropriately.
1.0
Biometrics used as a factor in multi-factor authentication must adhere to numerous requirements to be effective and safe.
1.0
Authenticator Verifiers must protect against online guessing attacks by locking or suspending an account after too many consecutive failed attempts, and typically by using other measures to rate-limit guesses prior to suspension.
1.0
If restricted authenticators are used by a CSP, the CSP must address the risks inherent in using them and must provide some alternative authentication methods to their subscribers.
1.0
Verifiers are compromise resistant when they do not store anything that, when stolen, nullifies the value of the authenticator.
1.0
Credential Service Providers must function as the authenticator verifier or must have a mutually authenticated secure channel with the authenticator verifier over which all communications occur.
1.0
Credential Service Providers must bind authenticators to online identities during enrollment as well as after enrollment over appropriately protected channels. Additionally, records should be kept of all authenticators bound to the online identity.
1.0
Software authenticators that operate within an operating system should attempt to detect compromise and when detected terminate transactions.
1.0
Credential Service Providers must provide instructions to subscribers on how to protect their authenticators.
1.0
Credential Service Providers must be able to revoke or suspend authenticators in cases where the authenticator may have been stolen or lost.
1.0
All sessions must have a maximum acceptable duration that must be enforced to qualify for AAL1, AAL2, or AAL3.
1.0
Subscribers must reauthenticate after periods of inactivity according to the AAL being operated at.
1.0
Authentication intent is an important property of an authentication system as it is a method to avoid malware automatically authenticating. To demonstrate authentication intent, the authentication process must include at least one step that requires the person to express intent to authenticate.
1.0
Unlocking a smartphone device must not be considered an authentication factor, as a verifier cannot verify that this was done.
1.0
Credential Service Providers must undergo a thorough privacy analysis and impact assessment and publish the results.
1.0
Multi-factor authentication should include some factor that is replay resistant.
1.0
Credential Service Providers using hardware-based authenticators should document their resistance to side-channel attacks within their risk assessment.
1.0
Approved cryptography must be used by cryptographic authenticators used at AAL1 and AAL2.
1.0