Hi BoKkers: here's a first strawman attempt to start the taxonomy in the authentication section. Please start hacking at it! It is imperfect and needs your critique.

Based loosely on the Kantara ID Assurance Framework v5 and NIST SP 800-63 v3 drafts.

What are the practices of:

- Authentication (of credentials)
  - Authenticators
    - Categories and characteristics
    - Single- and multi-factor authenticators: objectives, threat mitigation
    - Verification mechanisms
    - Cryptographic mechanisms
    - Lifecycle management
    - Misuse and impersonation detection
    - Usability considerations
- Relationship to Identification
  - 'Binding' of authenticators to entity records
  - Uniqueness within a population scope or 'namespace'
- Privacy matters
  - Correlation across multiple transactions
  - Decoupling of personal information to authentication events
- Methods to choose appropriate authentication techniques
  - Risk evaluation considerations
  - Cost considerations
  - Usability
  - Manageability
  - Attack Resistance
- Models of Authentication 'levels'
- Authentication models, process and protocols
  - Authentication protocols (OpenID Connect, PKI-based)
  - Federated authentication models
  - Single-sign on models

Andrew Hughes CISM CISSP
Independent Consultant
In Turn Information Management Consulting
o +1 650.209.7542
m +1 250.888.9474
1249 Palmer Road, Victoria, BC V8P 2H8
AndrewHughes3000@gmail.com
ca.linkedin.com/pub/andrew-hughes/a/58/682/
Identity Management | IT Governance | Information Security