Secure Req 12

From IDESG Wiki
Jump to: navigation, search

<< Back to Baseline Functional Requirements Index

SECURE-12. RECOVERY AND REISSUANCE

Entities that issue credentials and tokens MUST implement methods for reissuance, updating, and recovery of credentials and tokens that preserve the security and assurance of the original registration and credentialing operations.

SUPPLEMENTAL GUIDANCE

Procedures must be in place to reasonably prevent hijacking of an account through recovery and reset options: a common vector for identity thieves and other attackers. At a minimum, service providers must provide reset, recovery, and reissuance procedures that afford a commensurate level of security to the processes used during the initial registration and credentialing operations. These procedures may include out-of-band verification, device identification, or any combination of similar techniques used to increase the security of reset, reissuance, and recovery options while also meeting IDESG Usability Requirements (USABLE-1 through USABLE-7).

REFERENCES

FICAM TFPAP Trust Criteria “Token & Credential Management”), LOA 2-3, #1, #2, #4, TFPAP Trust Criteria, Management and Trust Criteria, LOA 2-3, #3,#4, #6 (p.35); PCI-DSS v 2.0- 8.5.2 (p. 48) (corresponds to 8.2.2 in PCI-DSS v3. – p.67); NIST SP 800-63-2, Token and Credential Management Activities 7.1.2 (p. 58)

APPLIES TO ACTIVITIES

REGISTRATION, CREDENTIALING

KEYWORDS

ACCOUNT, CREDENTIAL, EXPIRY, LOSS, PROCESS, PROVISIONING, RECOVERY, SECURITY, TOKEN



Quick Links: SALS | Baseline Functional Requirements v1.0 | Glossary |