Trustmark Definitions (226-250 of 3247)

Trustmark Definition Name	Version
Auditor Role Excluded From Multiparty Access XML \| JSON \| Addresses the requirement for the Auditor Trusted Role to be excluded from multiparty access control.	1.0
Authenticated Communications Between Trusted Roles and PKI Certificate Authority XML \| JSON \| Addresses the requirement for authentication of communications between PKI trusted roles and their PKI certificate authority.	1.0
Authentication - Acceptable Management of Authenticator Expiration XML \| JSON \| Credential Service Providers may issue authenticators that expire, and if it does it must handle expiration appropriately by not accepting expired authenticators and by notifying a user o the expiration. If a physical device has expired it should be destroyed and reclaimed.	1.0
Authentication - Acceptable Management of Authenticator Loss, Theft, Damage, and Unauthorized Duplication Requirements XML \| JSON \| Compromised authenticators (do to loss, damage, or unauthorized duplication/disclosure) must be suspended, revoked, or destroyed as appropriate.	1.0
Authentication - Acceptable Management of Authenticator Revocation and Termination XML \| JSON \| Credential Service Providers must revoke authenticators in cases where the identity ceases to exist, on request, and when the subscriber is no longer eligible. This may require destroying or reclaiming a physical authenticator if it contained certified data.	1.0
Authentication - Acceptable Management of Reauthentication XML \| JSON \| Sessions will require reauthentication of subscribers in varying circumstances and with varying levels of assurance.	1.0
Authentication - Acceptable Management of Session Bindings XML \| JSON \| Sessions must be generated, managed, and terminated properly to ensure safe interactions between subscriber and service.	1.0
Authentication - Acceptable Use of Attestation XML \| JSON \| Authenticator verifiers may rely on attestation data conveyed to the verifier from a directly connected authenticator or endpoint. That attestation data must be digitally signed appropriately.	1.0
Authentication - Acceptable Use of Biometrics XML \| JSON \| Biometrics used as a factor in multi-factor authentication must adhere to numerous requirements to be effective and safe.	1.0
Authentication - Acceptable Use of Rate Limiting XML \| JSON \| Authenticator Verifiers must protect against online guessing attacks, locking or suspending an account after too many consecutive failed attempts, and typically using other measures to rate limit guesses prior to suspension.	1.0
Authentication - Acceptable Use of Restricted Authenticators XML \| JSON \| If restricted authenticators are used by a CSP, the CSP must address the risks inherent in using them and must provide some alternative authentication methods to their subscribers.	1.0
Authentication - Acceptable Verifier-Compromise Resistance XML \| JSON \| Verifiers are compromise resistant when they do not store anything that when stolen nullifies the value of the authenticator.	1.0
Authentication - Acceptable Verifier-CSP Communications XML \| JSON \| Credential Service Providers must function as the authenticator verifier or must have a mutually authenticated secure channel with the authenticator verifier over which all communications occur.	1.0
Authentication - Authenticator Binding XML \| JSON \| Credential Service Providers must bind authenticators to online identities during enrollment as well as after enrollment over appropriately protected channels. Additionally, records should be kept of all authenticators bound to the online identity.	1.0
Authentication - Authenticator Compromise Detection and Transaction Termination XML \| JSON \| Software authenticators that operate within an operating system should attempt to detect compromise and when detected terminate transactions.	1.0
Authentication - CSP Instructions to Subscribers on Protecting Authenticators Against Theft or Loss XML \| JSON \| Credential Service Providers must provide instructions to subscribers on how to protect their authenticators.	1.0
Authentication - CSP Mechanism for Authenticator Revocation or Suspension Upon Theft or Loss XML \| JSON \| Credential Service Providers must be able to revoke or suspend authenticators in cases where the authenticator may have been stolen or lost.	1.0
Authentication - Enforcement of an Acceptable Maximum Session Duration XML \| JSON \| All sessions must have a maximum acceptable duration that must be enforced to qualify for AAL1, AAL2, or AAL3.	1.0
Authentication - Enforcement of Periodic Subscriber Reauthentication XML \| JSON \| Subscribers must reauthenticate after periods of inactivity according to the AAL being operated at.	1.0
Authentication - Intent XML \| JSON \| Authentication intent is an important property of an authentication system as it is a method to avoid malware automatically authenticating. To demonstrate authentication intent, the authentication process must include at least one step that requires the person to express intent to authenticate.	1.0
Authentication - No Allowance of Unlocking a Mobile Device as a Valid Authentication Factor XML \| JSON \| Unlocking a smart phone device must not be considered an authentication factor, as a verifier cannot verify this was done.	1.0
Authentication - Privacy Analysis and Privacy Impact Assessment XML \| JSON \| Credential Service Providers must undergo a thorough privacy analysis and impact assessment publishing the results.	1.0
Authentication - Replay Resistance XML \| JSON \| Multi-factor authentication should include some factor that is replay resistant.	1.0
Authentication - Risk Assessment for Side Channel Attacks Against Hardware-Based Authenticators and Verifiers XML \| JSON \| Credential Service Providers using hardware based authenticators should document their resistance to side channel attacks within their risk assessment.	1.0
Authentication - Use of Approved Cryptography for Cryptographic Authenticators XML \| JSON \| Approved cryptography must be used by cryptographic authenticators used at AAL1 and AAL2.	1.0

This page is also available as JSON and XML.