usnistgov / NISTIR-8149

Home to public draft NISTIR-8149: Developing Trust Frameworks to Support Identity Federations
https://pages.nist.gov/NISTIR-8149

Authentication options of already proofed users to a CSP to obtain credentials again #13

Open lva opened 8 years ago

lva commented 8 years ago

Organization: VASCO Data Security

Type: 2 - Industry

Reference: Section "5. System Rules"

Comment: The text focuses on Identity Proofing and on the subsequent issuance of credentials. However, it does happen that users who have already performed the identity proofing need to obtain their credentials again from the CSP, without having to go through the identity proofing process again. In such a case the user needs to authenticate (log on) to the CSP. This is currently not addressed in the text.

Suggested Change: (The following could be added as a new subsection "User authentication, based on risk" under section 5.3. Credential Management) At a minimum, a trust framework’s system rules should define methods for authenticating already-proofed users to CSPs. The rules can contain which authentication methods or authentication factors can or cannot be accepted (e.g. Should the CSP accept password-only authentication? May one-time passwords be distributed via SMS?), with how many factors a user has to authenticate, and which combination of factors can or cannot be accepted (e.g. Is it allowed to use fingerprint authentication to a mobile app that provides a one-time password?) based on the level of risk.
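As an added illustration of the kind of rule the comment asks for (this is example code, not part of the NISTIR-8149 draft or of the commenter's submission), the block below encodes per-risk-level re-authentication rules and checks a proposed set of factors against them. The three risk levels, the method names (`password`, `sms_otp`, `app_otp`, `fingerprint_app`, `hw_token`), the "channel" attribute used to spot a fingerprint that merely unlocks the same phone that generates the OTP, and every rule value are constructed assumptions for the example, not requirements from the document.

```python
"""
Constructed example: evaluate which authentication factors a CSP may accept
from an already-proofed user, according to hypothetical risk-level rules of
the kind a trust framework's system rules might define.
"""
from dataclasses import dataclass
from enum import Enum


class FactorType(Enum):
    KNOWLEDGE = "knowledge"      # something you know
    POSSESSION = "possession"    # something you have
    INHERENCE = "inherence"      # something you are


@dataclass(frozen=True)
class Factor:
    name: str
    kind: FactorType
    channel: str  # device or path on which the factor is exercised (assumed attribute)


@dataclass(frozen=True)
class RiskRule:
    min_types: int                    # distinct factor types the user must present
    banned_methods: frozenset         # method names never accepted at this level
    banned_pairs: frozenset           # frozenset pairs of names that may not be combined
    distinct_channels: bool = False   # factors must also arrive on separate channels


# Hypothetical catalogue of methods; the names and channels are constructed.
PASSWORD = Factor("password", FactorType.KNOWLEDGE, "browser")
SMS_OTP = Factor("sms_otp", FactorType.POSSESSION, "phone")
APP_OTP = Factor("app_otp", FactorType.POSSESSION, "phone")
FINGERPRINT_APP = Factor("fingerprint_app", FactorType.INHERENCE, "phone")
HW_TOKEN = Factor("hw_token", FactorType.POSSESSION, "token")

# Hypothetical rules, one per risk level. "high" refuses SMS-delivered OTPs,
# refuses a fingerprint that only unlocks the OTP app, and insists that the
# two factor types travel over two separate channels.
RULES = {
    "low": RiskRule(min_types=1, banned_methods=frozenset(), banned_pairs=frozenset()),
    "moderate": RiskRule(min_types=2, banned_methods=frozenset(), banned_pairs=frozenset()),
    "high": RiskRule(
        min_types=2,
        banned_methods=frozenset({"sms_otp"}),
        banned_pairs=frozenset({frozenset({"fingerprint_app", "app_otp"})}),
        distinct_channels=True,
    ),
}


def evaluate(factors, risk_level):
    """Return (accepted, reasons) for a proposed factor set at a risk level.

    Every violated rule is reported, so the CSP can tell the user exactly
    which additional or alternative factor would satisfy the framework.
    """
    rule = RULES[risk_level]
    names = {f.name for f in factors}
    reasons = []

    for banned in sorted(names & rule.banned_methods):
        reasons.append(f"{banned} is not accepted at {risk_level} risk")

    for pair in rule.banned_pairs:
        if pair <= names:
            reasons.append("combination not accepted: " + " + ".join(sorted(pair)))

    types = {f.kind for f in factors}
    if len(types) < rule.min_types:
        reasons.append(f"need {rule.min_types} factor types, got {len(types)}")

    if rule.distinct_channels:
        channels = {f.channel for f in factors}
        if len(channels) < rule.min_types:
            reasons.append(
                f"factors must use {rule.min_types} separate channels, got {len(channels)}"
            )

    return (not reasons, reasons)


if __name__ == "__main__":
    for level in RULES:
        ok, why = evaluate([PASSWORD, SMS_OTP], level)
        print(level, "password + SMS OTP:", "accepted" if ok else why)
```

The point of reporting every failed rule rather than stopping at the first is that the rules answer the comment's three questions at once (which methods, how many factors, which combinations), and a re-authenticating user is best served by hearing all of them in one response.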