| Trustmark Definition Name | Version |
|---|---|
| Credential Service Providers must bind authenticators to online identities during enrollment as well as after enrollment over appropriately protected channels. Additionally, records should be kept of all authenticators bound to the online identity. | 1.0 |
| Software authenticators that operate within an operating system should attempt to detect compromise and, when compromise is detected, terminate transactions. | 1.0 |
| Credential Service Providers must provide instructions to subscribers on how to protect their authenticators. | 1.0 |
| Credential Service Providers must be able to revoke or suspend authenticators in cases where the authenticator may have been stolen or lost. | 1.0 |
| All sessions must have a maximum acceptable duration that must be enforced to qualify for AAL1, AAL2, or AAL3. | 1.0 |
| Subscribers must reauthenticate after periods of inactivity according to the AAL being operated at. | 1.0 |
| Authentication intent is an important property of an authentication system, as it is a method to prevent malware from authenticating automatically. To demonstrate authentication intent, the authentication process must include at least one step that requires the person to express intent to authenticate. | 1.0 |
| Unlocking a smartphone device must not be considered an authentication factor, as a verifier cannot verify this was done. | 1.0 |
| Credential Service Providers must undergo a thorough privacy analysis and impact assessment and publish the results. | 1.0 |
| Multi-factor authentication should include some factor that is replay resistant. | 1.0 |
| Credential Service Providers using hardware-based authenticators should document their resistance to side-channel attacks within their risk assessment. | 1.0 |
| Approved cryptography must be used by cryptographic authenticators used at AAL1 and AAL2. | 1.0 |
| All communications during authentication between the claimant and verifier must use authenticated and protected channels. | 1.0 |
| Authentication with authenticators that do not use attestation. | 1.0 |
| Authentication with authenticators that do not use biometrics. | 1.0 |
| Some authenticator types are not susceptible to online guessing attacks and thus may not require mitigation against these attacks. | 1.0 |
| Verifiers may have no compromise resistance requirements for some authenticator types. | 1.0 |
| Authentication schemes may include the use of no restricted authenticators. | 1.0 |
| Lookup Secrets are shared secrets between the claimant and CSP that the claimant provides to the CSP as an authentication factor. The claimant is either prompted for a specific secret or provides one from the set they hold; once used, that secret is no longer valid. Use of lookup secrets must adhere to the rules found within NIST 800-63-3B: 5.1.2. | 1.0 |
| Memorized Secrets (passwords and PINs) must be sufficiently hard to guess and adhere to the rules found within NIST 800-63-3B: 5.1.1. | 1.0 |
| Multi-factor cryptographic devices may be used for authentication and must adhere to the rules found within NIST 800-63-3B: 5.1.9. | 1.0 |
| Multi-factor cryptographic software may be used for authentication and must adhere to the rules found within NIST 800-63-3B: 5.1.8. | 1.0 |
| A multi-factor one-time password device may be used for authentication and must adhere to the rules found within NIST 800-63-3B: 5.1.5. | 1.0 |
| An out-of-band authenticator is a physical device that is uniquely addressable and can communicate securely with the verifier over a distinct communications channel. There are many ways to use such a device in authentication, and doing so must adhere to the rules found within NIST 800-63-3B: 5.1.3. | 1.0 |
| Single-factor cryptographic devices may be used for authentication and must adhere to the rules found within NIST 800-63-3B: 5.1.7. | 1.0 |