CLOSED, moved to https://docs.google.com/document/d/1k1RaRfxd78A-Rm4fgUP8YRLv7UU554ayV1igjKYYqA4/edit

Use of second, different, factor type immediately after applying the first one, or when needed.

Factors

1. Knowledge (password)
2. Possession (ID card, security token, smartphone or other device).
3. inherent (biometric, behavior)
4. Location
5. Time

Applications/scenarios

Option A

Use SFA mechanisms as the means to support, simplify and optimise vetting. However, it should be clarified which specific populations and settings are likely users. And which are not. e.g. why the use of organizational directories is not sufficient, adequate or applicable. Also, whether this potentially extends to permission escalation,

Option B

• More secure authentication
• Permission escalation
• Remote vetting

Elements

• Physical devices and tokens, other client devices (sensors or mere USB port)
• Infrastructure and software
  • Vetting, issuance, management, revocation
  • Actual authentication
• Applications, services, authorisation (sometimes also in infrastructure)

Our scope

1st -  Password

2nd - Possession or inherence (what about knowledge from device-based out-of-band communication, software tokens, etc?) -  probably primarily photo IDs, eMRTDs biometric passports (ISO/IEC 14443 application MRTDs profile. ICAO Doc 9303-9 and Doc 9303-10) + live video or presence, with a human or hw/sw agent.

scenario?

with whom?

Vetting for a NREN, or within a NREN? Local users (and existing iDs intended for local use) or international ones (passports, are there others?) what about NREN/group remotely vetting a foreigner - is this a marginal or key case?