Closed CDR-API-Stream closed 1 year ago
Significant planning on this item has been conducted, but it has been shifted to Q1 2022 for ongoing work.
A plan for engagement has been developed and has been internally circulated and reviewed. We are currently working through the budgetary process to determine an appropriate timetable for scheduling the actual engagements.
Problem Statement
In Decision 182, the Data Standards Chair approved four recommendations. This Future Plan item covers Recommendation 3 and the targeted consultation to determine appropriate risk-based security controls and supported authentication methods.
Feedback strongly supported the development of an attacker model to identify the risks the Information Security model seeks to address and the controls required to manage those risks. This attacker model can use the FAPI 2 attacker model developed by the OIDF as a baseline.
The Data Standards Chair notes that the Future Directions report includes several key recommendations to enhance security, flexibility, and choice for consumers. These recommendations seek to adopt a risk-based approach to assessing which authentication methods should be supported and when they are appropriate. In considering which authentication methods are suitable, the convenience and consumer experience of different authentication mechanisms should be weighed against the actions being instructed and the risks, both within a given sector and across the CDR. This recommendation supports and complements the Future Directions report's recommendations.
A risk-based authentication framework should look at when and how second factors of authentication are required, and at opportunities to support app2app (redirecting between native apps on the same device) and decoupled authentication flows.
In conjunction with broadening the authentication standards, the risk framework should consider the identity proofing requirements for initiating different actions.
Key Future Directions Recommendations