Under NIST sp800-63b, 4.3 you find the following paragraph:
"CSPs MAY support the temporary suspension of authenticators that are suspected of possible compromise. If suspension is supported, it SHOULD be reversed after the subscriber successfully authenticates to the CSP using a valid (i.e., not suspended) authenticator and requests reactivation of the suspended authenticator. The CSP MAY set a time limit after which a suspended authenticator can no longer be reactivated."
Currently we have:
| 6.4.4 | Verify that if a multi-factor authentication factor is lost, evidence of identity proofing is performed at the same level as during enrollment. | 2 |
|---|---|---|
What I believe is missing is the suspension and reversal of the suspension that currently isn't mentioned in ASVS.
Please also note the passage in 4.2.2.3: "If an account that can authenticate at AAL3 has been identity-proofed at IAL1 or IAL2, the requirements are the same as those for recovery at AAL2" and so on.