Secure Req 12: Difference between revisions
m (9 revisions imported: Initial Upload of old pages from IDESG Wiki) |
(No difference)
|
Latest revision as of 04:03, 28 June 2018
<< Back to Baseline Functional Requirements Index
SECURE-12. RECOVERY AND REISSUANCE
Entities that issue credentials and tokens MUST implement methods for reissuance, updating, and recovery of credentials and tokens that preserve the security and assurance of the original registration and credentialing operations.
SUPPLEMENTAL GUIDANCE
Procedures must be in place to reasonably prevent hijacking of an account through recovery and reset options: a common vector for identity thieves and other attackers. At a minimum, service providers must provide reset, recovery, and reissuance procedures that afford a commensurate level of security to the processes used during the initial registration and credentialing operations. These procedures may include out-of-band verification, device identification, or any combination of similar techniques used to increase the security of reset, reissuance, and recovery options while also meeting IDESG Usability Requirements (USABLE-1 through USABLE-7).
REFERENCES
FICAM TFPAP Trust Criteria “Token & Credential Management”), LOA 2-3, #1, #2, #4, TFPAP Trust Criteria, Management and Trust Criteria, LOA 2-3, #3,#4, #6 (p.35); PCI-DSS v 2.0- 8.5.2 (p. 48) (corresponds to 8.2.2 in PCI-DSS v3. – p.67); NIST SP 800-63-2, Token and Credential Management Activities 7.1.2 (p. 58)
APPLIES TO ACTIVITIES
KEYWORDS
ACCOUNT, CREDENTIAL, EXPIRY, LOSS, PROCESS, PROVISIONING, RECOVERY, SECURITY, TOKEN
Quick Links: SALS | Baseline Functional Requirements v1.0 | Glossary |