commoncriteria / authserver

Authentication Server
The Unlicense

Admin vs user re-authentication #10

Open jfisherbah opened 3 years ago

jfisherbah commented 3 years ago

The current Module defines FIA_UAU.6 as an optional requirement for re-authentication of administrative users. There is no corresponding requirement for re-authentication of non-admin users and it's unclear if there should be or not.

For example, do we want to have a case where an end user has been authenticated via the NAS to access enterprise resources where the TOE will force them to periodically re-authenticate to reduce the risk impact of unattended session hijacking? Or is it actually the case that we only care about administrator re-authentication conditions and not end users?

ajlaing commented 3 years ago

User re-authentication makes sense as an optional requirement. It would be invoked if the user requested additional services, or more generally if 'continuous authentication' is supported. Not looking to define any requirements for zero trust concepts like continuous authentication at this time, but if integrated in a zero-trust environment, and the authentication server detects a need for, or an external service requests, re-authentication, it's a nice feature to have.

jfisherbah commented 2 years ago

As of the latest draft this has not yet been added (the only re-auth requirement is still for admins) - should it be?