I think we the clarifying language to be something like 'bound to a IAL3 credential' but for transparency, here is DOE's suggestion:
Thank you Kaitlin for the explanation.
Maybe in a future revision, the sentence could be more clear on the intent by adding
Reestablishment of authentication factors for identities established at IAL3 SHALL be done in person, or through a supervised remote process as described in SP 800-63A Section 5.3.3.2, and SHALL verify the biometric collected during the original proofing process.
Rationale: Mainly because it is quite clear with the new direction of the SP that IAL and AAL are separate and mutually exclusive. Current text suggests (and could be confused with) authentication factors directly relate to an IAL. Adding “for identities” makes it clear that regardless of AAL, the identity proofing requirements of IAL3 must be performed for identities proofed/enrolled at IAL3.
I think we the clarifying language to be something like 'bound to a IAL3 credential' but for transparency, here is DOE's suggestion:
Thank you Kaitlin for the explanation.
Maybe in a future revision, the sentence could be more clear on the intent by adding Reestablishment of authentication factors for identities established at IAL3 SHALL be done in person, or through a supervised remote process as described in SP 800-63A Section 5.3.3.2, and SHALL verify the biometric collected during the original proofing process.
Rationale: Mainly because it is quite clear with the new direction of the SP that IAL and AAL are separate and mutually exclusive. Current text suggests (and could be confused with) authentication factors directly relate to an IAL. Adding “for identities” makes it clear that regardless of AAL, the identity proofing requirements of IAL3 must be performed for identities proofed/enrolled at IAL3.
If I’m off based, please ignore the suggestion.
Regards, Glen