ambiguous 2FA requirement

[bluesteens]

Steering summary: Proposal to review the wording and intent regarding the provision of 2FA, as it is unclear whether it is an obligation or optional.

---

observation:

• 4.3.1 Wallet User Management states, "A solution SHALL support user on-boarding, off-boarding and user Credential management features and workflows. [...] On-boarding includes a secure process to assign a role to a verified user of the trading partner. This process includes secure provisioning of 2FA or MFA access credentials to a given user.
• NFR001 states that, "Two-Factor Authentication (2FA) SHOULD be implemented."

language definition:

• SHALL and SHALL NOT indicate strict requirements from which no deviation is permitted.
• SHOULD and SHOULD NOT indicate preferred approaches

Issue: It is unclear whether SHALL or SHOULD applies to the 2FA/MFA requirement.

Suggestion: If SHOULD is the intention, rephrase 4.3.1 Wallet User Management as follows: "This process SHOULD include secure provisioning of 2FA or MFA access credentials to a given user."

[bluesteens]

suggested rewording of NFR001 Conformance Criteria by C Stöcker:

Authentication

• Information Systems and devices SHALL have appropriate authentication mechanisms to authenticate human and system users.
• Human user authentication SHALL have 2FA.
• Systems user authentication SHALL have ... [tbc]
• Authentication credentials transmitted during login are encrypted or hashed.
• Authentication credentials are not hard-coded and allow rotation

Authorization

• Access authorization SHALL follow an authorization role model where:
• Access permissions or entitlements are assigned to system roles and system roles to user accounts.
• System roles are designed to enable a human or system user to perform only tasks or functions on a system in line with the user’s job role (or system function, e.g. VRS system authorisation) in the business process.
• The provisioning of system roles to human or system user accounts and permissions or entitlements to system roles is not hardcoded, and so is dynamic (changeable) over time.
• Administrator roles are set up considering segregation of duties, and responsibilities are clearly identified.

[bluesteens]

Triage:

• [x] Is Issue appropriate for OCI Architecture
• [x] Create Steering-level Summary of request
• [x] Assign Size
• [x] Assign Priority
• [x] Assign Label (if needed)
• [x] OCI affected Artifacts Identified
• [ ] Assign Triage - Artifact Version Target (v x.x.x Milestone)
• [ ] Assign Triage - Interop Profile Version Target (v x.x.x Milestone)
• [ ] Create sub-project (if needed)

Affected Parties (help determine Sunrise/Sunset):

• [x] Trading Partners
• [ ] Issuers
• [x] Wallet Solutions
• [ ] PI Verification Solutions

Affected OCI Artifact

• [ ] Schema Document
• [ ] Identity Schema
• [ ] ATP Schema
• [ ] Issuer Conformance Criteria
• [x] Wallet Conformance Criteria
• [ ] VRS Solution Conformance Criteria
• [ ] Wallet API Specification
• [ ] Governance Document
• [ ] Conformance Program
• [ ] OCI Website
• [ ] Internal Process
• [ ] Getting Started

Change Category (Guides Steering Review)

- Steering/Industry Review

• [x] Business-Level (May affect business operations)
• [ ] OCI Governance, Policy or website feature

- Steering/Industry Notification

• [ ] Technical-Level (Do not affect business operations)
• [ ] OCI Internal Process or Infrastructure

[bluesteens]

July, 27: to be released in Digital Wallet Criteria v3.3.0, interop profile v3.2.0