IDEF Knowledge Base

SECURE-12. RECOVERY AND REISSUANCE

REQUIREMENT

Entities that issue credentials and tokens MUST implement methods for reissuance, updating, and recovery of credentials and tokens that preserve the security and assurance of the original registration and credentialing operations.

SUPPLEMENTAL GUIDANCE

Procedures must be in place to reasonably prevent hijacking of an account through its recovery and reset options, which are a common vector for identity thieves and other attackers. At a minimum, service providers must provide reset, recovery, and reissuance procedures that afford a level of security commensurate with that of the initial registration and credentialing operations; a recovery path that accepts weaker proof than registration did becomes the weakest link for the account. These procedures may include out-of-band verification, device identification, or any combination of similar techniques used to increase the security of reset, reissuance, and recovery options while also meeting IDESG Usability Requirements (USABLE-1 through USABLE-7).
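The following is an added illustration of the guidance above and is not code from the IDEF Knowledge Base or any IDESG deliverable. It sketches a recovery flow that combines two of the techniques named in the guidance, device identification (only a device enrolled at registration may start recovery) and out-of-band verification (a one-time code delivered over the channel verified at registration), and then performs reissuance by minting a new credential and invalidating the old one. The `Account`, `RecoveryService`, `send_oob` hook, the 15-minute lifetime and the five-attempt limit are all assumptions chosen for the example; the one-time code is stored only as an HMAC, compared in constant time, bound to the initiating device, expired on a clock, single-use, and voided after too many guesses.

```python
"""Account recovery preserving registration-level assurance (added example, not IDEF code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

RECOVERY_TTL_SECONDS = 15 * 60   # constructed policy value: lifetime of the out-of-band code
MAX_CODE_ATTEMPTS = 5            # constructed policy value: guesses before the challenge is voided


@dataclass
class Account:
    username: str
    registered_device_ids: Set[str]   # device identifiers enrolled during initial registration
    oob_channel: str                  # out-of-band channel verified at registration (e.g. phone)


@dataclass
class RecoveryChallenge:
    username: str
    device_id: str      # device that initiated recovery; completion must come from the same one
    code_hash: bytes    # HMAC of the one-time code; the plaintext code is never stored
    expires_at: float
    attempts: int = 0
    used: bool = False


class RecoveryService:
    """Reset/recovery flow: enrolled device + out-of-band code, then credential reissuance."""

    def __init__(self, send_oob: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time):
        self._send_oob = send_oob                 # delivery hook for the out-of-band channel
        self._clock = clock
        self._key = secrets.token_bytes(32)       # per-service key for hashing secrets at rest
        self._challenges: Dict[str, RecoveryChallenge] = {}
        self.credentials: Dict[str, bytes] = {}   # username -> hash of the currently valid credential

    def _hash(self, value: str) -> bytes:
        return hmac.new(self._key, value.encode(), hashlib.sha256).digest()

    def start_recovery(self, account: Account, device_id: str) -> str:
        # Device identification: only a device enrolled at registration may begin recovery.
        if device_id not in account.registered_device_ids:
            raise PermissionError("recovery refused: device not enrolled for this account")
        code = f"{secrets.randbelow(10**8):08d}"  # 8-digit one-time code
        challenge_id = secrets.token_urlsafe(16)
        self._challenges[challenge_id] = RecoveryChallenge(
            username=account.username,
            device_id=device_id,
            code_hash=self._hash(code),
            expires_at=self._clock() + RECOVERY_TTL_SECONDS,
        )
        self._send_oob(account.oob_channel, code)  # the code leaves only via the verified channel
        return challenge_id

    def complete_recovery(self, challenge_id: str, device_id: str, code: str) -> Optional[str]:
        """Return a freshly issued credential on success, None on any failure."""
        ch = self._challenges.get(challenge_id)
        if ch is None or ch.used:
            return None
        if self._clock() > ch.expires_at or ch.device_id != device_id:
            del self._challenges[challenge_id]  # expired, or presented from a different device
            return None
        ch.attempts += 1
        if ch.attempts > MAX_CODE_ATTEMPTS:
            del self._challenges[challenge_id]  # stop online guessing of the code
            return None
        if not hmac.compare_digest(self._hash(code), ch.code_hash):
            return None
        ch.used = True  # single use: a captured code cannot be replayed
        # Reissuance: mint a new credential and invalidate the previous one for this account.
        new_credential = secrets.token_urlsafe(32)
        self.credentials[ch.username] = self._hash(new_credential)
        return new_credential

    def credential_is_valid(self, username: str, credential: str) -> bool:
        stored = self.credentials.get(username)
        return stored is not None and hmac.compare_digest(self._hash(credential), stored)


if __name__ == "__main__":
    delivered = []  # stands in for the out-of-band channel in this demo
    svc = RecoveryService(send_oob=lambda channel, code: delivered.append(code))
    alice = Account("alice", {"dev-A"}, "+1-555-0100")  # constructed sample account
    cid = svc.start_recovery(alice, "dev-A")
    print("replay from other device:", svc.complete_recovery(cid, "dev-B", delivered[0]))
    print("new credential issued:", svc.complete_recovery(cid, "dev-A", delivered[0]) is not None)
```

The point of the example is the shape of the checks rather than the specific values: every branch that fails returns the same result, the challenge is tied to the device that opened it, and success ends in reissuance so that whatever credential was lost or compromised stops working at the same moment the new one starts.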

REFERENCES

FICAM TFPAP Trust Criteria, "Token & Credential Management", LOA 2-3, #1, #2, #4; FICAM TFPAP Trust Criteria, Management and Trust Criteria, LOA 2-3, #3, #4, #6 (p. 35); PCI-DSS v2.0, 8.5.2 (p. 48) (corresponds to 8.2.2 in PCI-DSS v3, p. 67); NIST SP 800-63-2, Token and Credential Management Activities, 7.1.2 (p. 58)
