...
Activity | Subactivity | Subsubactivity | mandatory/optional? | Input | Output | (Security) risks if omitted | Dependencies | Increases/Decreases LoA |
---|---|---|---|---|---|---|---|---|
1) 2FA token request | 1.0) Should we have a first factor auth subactivity here as a gatekeeper for "User provides user info" 1.1) User provides user info | mandatory | user information (e.g. name, email, organization, e.g. via SAML assertion) | token request |
| Eligibility either needs to be checked in 1.1 or 3.1 | N/A | |
2) 2FA (pre-)registration | 2.1) User selects 2FA token | optional | ||||||
2.2) User performs authentication with that token for binding and to prove possession | optional | |||||||
3) Identification (identity vetting, a using ID doc or alternative meeting) | 3.0) Identification session arrangement and scheduling (!optional) 3.1) Eligibility check of user | optional if already performed in 1.1 | ||||||
3.2) Vet identity of user | ||||||||
3.2.1) Compare claimed/transmitted/spoken information with user's identity proof (e.g. ID doc, activation code) | mandatory | |||||||
3.2.2) Check user's identity proof with its original source for validity | optional | ↓ | ||||||
3.2.3) Record identity proof | ||||||||
4) Token binding | 4.1) User chooses own token or handover of token to user | optional when activity 2 took place | ||||||
4.2) Bind token to digital ID | mandatory, may already be performed in step 2 precondition: successful 3.2.1) | |||||||
4.3) Token-proof of-possession (e.g. test authentication) | optional | |||||||
4.4) Token activation & record | mandatory precondition: successful 3.2.1 | |||||||
4.5) Inform user about token activation |
...