CMFA points

[woodbe]

This is just a place to collect interesting points that come up so they are in one place. The thinking I have is that this would be used to generate issues once we are to the point of creating the PP-Module.

(things that have been determined to not be useful are in italics)

• detection of attacker being present at enrolment may be possible if the enrolment process already has some initial CMFA enforcement (i.e. until say biometric enrolment, enrolment is blocked unless in some specific location)
• may want to have an SFR that defines whether CMFA is part of the initial authentication process or only becomes active after the user has authenticated.
  • for example, the user logs in normally and then the CMFA gets the authorization and maintains is vs CMFA is actually providing information during the initial authentication (or the initial authentication is actually the CMFA authentication)

[woodbe]

Example of SFR for input change

CMFA shall continuously determine the current level of confidence in the authentication of a user based on inputs from sensors and configuration data.

PP-module defines SFRs that correspond to this requirement (see below) and SD describes evaluation activities to test those SFR (e.g. take the device out of the office and check the device is locked immediately after evaluator move the device far away enough from registered (trusted) place)

TOE shall determine the confidence rating with following rule and update the rating at [Assignment: min or max time interval of update]

BEW: This should probably have a selection for time (maybe with some set of expected values, though I don't know what those would be) and then an event trigger (i.e. if Wi-Fi is turned on/off could automatically trigger a refresh).

Increase the rating when [Assignment: some conditions (e.g. recognize a user’s voice] are met

Decrease the rating when [Assignment: some conditions (e.g. located in untrusted location)] are met

Keep the rating when [Assignment: some conditions (e.g. signing into the company wifi)] are met

Reset the rating when [Assignment: some conditions (e.g. detect sensor failure)]

[woodbe]

Removed since "accuracy" is not completely clear, and if the other determination of confidence don't already point to this, I think there is a problem (comparing to the BIO ESR, there is not an explicit accuracy requirement, and I'm not clear how this requirement could be repeatable off hand).

NOTE: I'm actually combining this into the "continuously" ESR.

CMFA shall accurately determine the current confidence rating of a user based on inputs from sensors and configuration data.

PP-module defines SFRs that correspond to this requirement (see below) and SD describes evaluation activities to test those SFR (e.g. method to evaluate the performance report provided by the vendor).

TOE shall provide a CMFA that meets [Assignment: method of measurement of performance and minimum performance requiremet]

There is no standard to measure CMFA performance because there are many combination of sensors that can be used by CMFA. However, vendor can set own performance matrix to objectively measure the accuracy of CMFA authentication. For example, vendor can create the test scenario and measure mean time to detect (time CMFA need to detect another user is start using a device (and decrease the confidence rating low enough so that the computer can transit to the locked state immidiately)).

[woodbe]

Trust Score and unlocking

A key point raised was what should happen when a trust score falls below the threshold set for remaining unlocked. The question was whether it should be possible for a trust score to be raised again without a direct user action (i.e. entering a biometric or password) to maintain the device to be unlocked, or whether, once the score was below the threshold, the score cannot be raised to unlock the device again.

There were several points made:

• It may be acceptable to re-unlock the device automatically in certain circumstances (as defined by the admin)
• It may be useful to have a timeout concept like when a screen goes off before the lock, where once the score has gone below that it can be raised back within a set period of time (say a few minutes), so the lock only happens after this period has passed
• The admin may need to be able to specify the types of actions that are required for the unlock (allowing for ones that are not obvious like the biometric or password entry)

This will likely need some sort of SFR to deal with the expectations and description of the solution