Assurance

[Benn Oshrin <>]

KBA seems a reasonable approach, but will it be considered acceptable 
for Bronze compliance? Perhaps this is a good candidate for the 
"alternative means" process.

-Benn-

On 2/11/13 7:36 PM, arlene Allen wrote:
> Ours is a fairly average approach. The LOA-2 is the one that requires
> considerably more structure.
>
> For LOA-1 we are comfortable with knowledge based auth (KBA). When the
> principal activated their identity we forced them to do the secret
> questions. The combination of knowing their employee id or student  id,
> etc. along with answering the secret questions gives them the reset
> ability. If they don't remember the secret questions anymore, then they
> must interact with our identity help function. This is all done on the
> web and we don't force the optional pathway of responding to an email
> sent to the address of record. For LOA-1 that seemed like a bit much,
> although one sees that a lot.
>
>
> On 2/11/2013 4:17 PM, Benn Oshrin wrote:
> > Since there weren't any replies, here's a hypothetical... Keeping in
> > mind we're talking LoA sufficient for retrieving your bookmarks,
> > perhaps we can say something like "the subject must re-establish her
> > or his identity in a manner consistent with the original credentialing".
> >
> > So, for example, consider that a student enrolls, provides sufficient
> > proof of identity to the Registrar, and that operation is leveraged to
> > establish the student's netid. The student subsequently forgets their
> > password, and cannot reset it via a single use token or reset
> > questions. The student could return to the Registrar's office and,
> > once the Registrar was satisfied with the identity of the student,
> > update their records with a new Address of Record. Once the address
> > migrated to the IdMS, a reset token could be issued.
> >
> > Similarly, an employee could go to their HR representative, or a guest
> > or affiliate could go to their sponsor. Where an institution allows
> > self-signup for NetIDs without a corresponding SOR role record, the
> > subject would presumably need to create a new NetID -- credentials
> > without associated registration/role records and no reset paths cannot
> > be recovered.
> >
> > Thoughts?
> >
> > -Benn-
> >
> > On 1/17/13 4:58 PM, Ann West wrote:
> > > Thanks Benn.
> > >
> > >
> > > Good question. How do folks re-credential for LoA1 now?
> > >
> > > Best,
> > > Ann
> > >
> > >
> > > On 1/11/13 6:37 PM, "Benn Oshrin" 
> > > <>
> > > wrote:
> > >
> > > > Sort of related to my last message...
> > > >
> > > > The proposed v1.2 FICAM draft makes §4.2.4.3 part of Bronze.
> > > >
> > > > "After expiration of the current Credential, if none of these methods
> > > > are successful then the Subject must re-establish her or his identity
> > > > with the IdPO per Section 4.2.2 before the Credential may be renewed or
> > > > re-issued."
> > > >
> > > > However, almost none of §4.2.2 applies to Bronze, which has no
> > > > registration record requirements. What does this imply for a Subject
> > > > with an expired credential, a no longer valid Address of Record, and no
> > > > (or forgotten) pre-registered questions?
> > > >
> > > > Thanks,
> > > >
> > > > -Benn-