
5.    Credential provisioning

    a.       Password rules and policies

        i. Describe the password policies you support with regard to complexity, length, and any dictionary checks. Include the character classes supported in complexity checks. (Call nist

        ii. Does your product support a flexible password policy based on password length? For example, supporting passphrases while requiring additional character sets for shorter passwords.

        iii. Describe your support for passwords in multiple languages.

        iv. Describe your product's support for password expiration, including any support for flexible expiration based on grouping, assurance, or other factors such as password quality.

        v. Describe how your product conveys password quality to end users.

        vi. Describe how your product meets accessibility guidelines.

    b.       Initial password setting (credential activation?, initial login?)

        i. Describe how your product ensures that initial password setting is done by the appropriate authority, such as through invitations or one-time and/or short-lived tokens.

        ii. Describe your product's support for terms of use and informed consent when a user obtains a credential.

        iii. What platforms are supported for end-user devices setting initial and subsequent passwords, including any required technologies?

        iv. Describe any features your product has to deter attacks on unclaimed credentials.

        v. Describe how your product handles multiple credential stores.

    c.       Assignment of additional authentication factors

        i. Describe your support for certificate based authentication.

        ii. Describe your support for multi-factor enrollment, specifying supported technologies and products, and explicitly address U2F support.

        iii. Describe any support you have for challenge response questions.

        iv. Describe any unlisted additional authentication factors, and any features that help user recognition such as image validation.

        v. How do you handle loss of a (perhaps only) second-factor device, such as a one-time token generator?

    d.       Deprovisioning of credentials

        i. Describe the states supported by your product for credentials, such as open, expired, disabled, locked/unlocked, security deny, etc.

        ii. Describe any workflow available for deprovisioning, time based, approval based, and any attribute or membership checks that can be used for deprovisioning workflow.

        iii. Describe any controls for sanity checks in your product to prevent accidental mass deprovisioning.

        iv. Describe the administrative capabilities your product has for deprovisioning and deprovisioning intervention, include any delegation features.

        v. Describe how your product handles deprovisioning of credentials with respect to propagation to multiple credential stores.

In addition to the above, include documentation of your APIs related to all of the above functional areas.
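As an added illustration of what items a.i, a.ii, a.iii and a.v are asking a vendor to describe (this is example code written for this page, not any vendor's implementation), the following evaluator applies a length-tiered policy: a hard minimum, a character-class requirement that only applies below a passphrase length, a dictionary/breached-password check that normalises Unicode and undoes common substitutions before comparing, and a simple quality label for display to the end user. The thresholds, the block list and the leet-substitution table are hypothetical values chosen for the example.

```python
import re
import unicodedata
from dataclasses import dataclass, field

# Policy parameters: hypothetical values chosen for this example.
MIN_LEN = 8            # absolute floor, counted in Unicode code points
PASSPHRASE_LEN = 16    # at or above this length no character-class rule applies
CLASSES_REQUIRED = 3   # classes needed when shorter than PASSPHRASE_LEN
STRONG_LEN = 20        # label shown to the user flips to "strong" here

# Constructed block list standing in for a dictionary or breached-password corpus.
BLOCK_LIST = {"password", "letmein", "qwerty", "welcome", "iloveyou", "dragon"}

# Common substitutions reversed, so "P@ssw0rd" is compared as "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


@dataclass
class PolicyResult:
    accepted: bool
    classes: set = field(default_factory=set)
    reasons: list = field(default_factory=list)
    quality: str = "weak"   # text conveyed to the end user


def char_classes(pw: str) -> set:
    """Classify each code point by Unicode general category, so scripts
    without case (CJK, Arabic, ...) still earn credit as letters."""
    classes = set()
    for ch in pw:
        cat = unicodedata.category(ch)
        if cat == "Ll":
            classes.add("lower")
        elif cat in ("Lu", "Lt"):
            classes.add("upper")
        elif cat == "Nd":
            classes.add("digit")
        elif cat.startswith("L"):
            classes.add("letter")   # uncased letters
        elif cat[0] not in "ZC":
            classes.add("symbol")   # punctuation, symbols, marks; whitespace/controls excluded
    return classes


def dictionary_hit(pw: str) -> bool:
    """NFKC-normalise and casefold (so fullwidth 'ｐａｓｓｗｏｒｄ' becomes 'password'),
    strip trailing digits/symbols (so 'letmein2024!' is tested as 'letmein'),
    and reverse leet substitutions before comparing against the block list."""
    norm = unicodedata.normalize("NFKC", pw).casefold()
    stripped = re.sub(r"[\W\d_]+$", "", norm)
    candidates = {norm, norm.translate(LEET), stripped, stripped.translate(LEET)}
    return any(c in BLOCK_LIST for c in candidates)


def evaluate(pw: str) -> PolicyResult:
    res = PolicyResult(accepted=True, classes=char_classes(pw))
    length = len(pw)   # code points, not bytes, so multi-byte scripts are not penalised
    if length < MIN_LEN:
        res.reasons.append(f"shorter than {MIN_LEN} characters")
    elif length < PASSPHRASE_LEN and len(res.classes) < CLASSES_REQUIRED:
        res.reasons.append(
            f"passwords under {PASSPHRASE_LEN} characters need {CLASSES_REQUIRED} character classes")
    if dictionary_hit(pw):
        res.reasons.append("matches a common or breached password")
    res.accepted = not res.reasons
    if res.accepted:
        res.quality = "strong" if length >= STRONG_LEN else "fair"
    return res


if __name__ == "__main__":
    for sample in ("Tr0ub4dor&3", "correct horse battery staple",
                   "P@ssw0rd123!", "ｐａｓｓｗｏｒｄ", "天地玄黄宇宙洪荒日月盈昃辰宿列张"):
        r = evaluate(sample)
        print(f"{sample!r}: accepted={r.accepted} quality={r.quality} reasons={r.reasons}")
```

Note that the dictionary check is a whole-string comparison after normalisation; a long passphrase that merely contains a listed word is not rejected, which is the behaviour a length-tiered policy intends.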
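For items d.i and d.iii, the following is an added example (written for this page, not drawn from any product) of a credential state machine with an explicit transition table and a blast-radius check on batch deprovisioning. The state names follow d.i; the transition rules, the rule that only a security actor may lift a security deny, and the 5%/50-credential thresholds are hypothetical choices for the example.

```python
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    OPEN = "open"
    EXPIRED = "expired"
    LOCKED = "locked"
    DISABLED = "disabled"
    SECURITY_DENY = "security_deny"   # hold placed by security; only security may lift it
    DEPROVISIONED = "deprovisioned"   # terminal


# Allowed transitions: hypothetical policy for this example.
TRANSITIONS = {
    State.OPEN: {State.EXPIRED, State.LOCKED, State.DISABLED, State.SECURITY_DENY, State.DEPROVISIONED},
    State.EXPIRED: {State.OPEN, State.DISABLED, State.DEPROVISIONED},   # OPEN again after a reset
    State.LOCKED: {State.OPEN, State.SECURITY_DENY, State.DEPROVISIONED},
    State.DISABLED: {State.OPEN, State.DEPROVISIONED},
    State.SECURITY_DENY: {State.OPEN, State.DEPROVISIONED},
    State.DEPROVISIONED: set(),
}

# Mass-deprovisioning guard: refuse a batch that would touch more than this
# fraction of active credentials, or more than this count, unless approved.
MASS_DEPROVISION_FRACTION = 0.05
MASS_DEPROVISION_COUNT = 50


@dataclass
class Credential:
    user_id: str
    state: State = State.OPEN


class TransitionError(Exception):
    pass


class MassDeprovisionRefused(Exception):
    pass


def transition(cred: Credential, new_state: State, actor_is_security: bool = False) -> Credential:
    """Move a credential to new_state if the transition table allows it."""
    if new_state not in TRANSITIONS[cred.state]:
        raise TransitionError(f"{cred.user_id}: {cred.state.value} -> {new_state.value} not allowed")
    if cred.state is State.SECURITY_DENY and new_state is State.OPEN and not actor_is_security:
        raise TransitionError(f"{cred.user_id}: only a security actor may lift a security deny")
    cred.state = new_state
    return cred


def batch_deprovision(store: dict, user_ids: list, approved: bool = False) -> list:
    """Deprovision many credentials, refusing oversized batches without explicit approval.
    Returns the user ids that were deprovisioned."""
    active = [c for c in store.values() if c.state is not State.DEPROVISIONED]
    targets = [store[u] for u in user_ids
               if u in store and store[u].state is not State.DEPROVISIONED]
    limit = max(1, min(MASS_DEPROVISION_COUNT, int(len(active) * MASS_DEPROVISION_FRACTION)))
    if len(targets) > limit and not approved:
        raise MassDeprovisionRefused(
            f"{len(targets)} of {len(active)} active credentials exceeds limit {limit}; approval required")
    done = []
    for cred in targets:
        transition(cred, State.DEPROVISIONED)
        done.append(cred.user_id)
    return done


if __name__ == "__main__":
    # Constructed store of 100 open credentials.
    store = {f"u{i}": Credential(f"u{i}") for i in range(100)}
    print(batch_deprovision(store, ["u0", "u1", "u2"]))
    try:
        batch_deprovision(store, [f"u{i}" for i in range(3, 20)])
    except MassDeprovisionRefused as e:
        print("refused:", e)
    print(len(batch_deprovision(store, [f"u{i}" for i in range(3, 20)], approved=True)))
```

The guard computes its limit against the live count of active credentials at the time of the call, so a feed that has silently gone empty (a classic cause of accidental mass deprovisioning) trips the check on the first oversized batch rather than after the damage is done.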
