Revocation

Full Title or Meme

The problem of revoking a grant previously issued on behalf of a Subject.

The collection of User Private Information by a Data Controller now necessitates the ability Authenticate the User under a wide range of challenges, like:

Simplest of all the User needs to Authenticate from time to time and on a variety of devices under less than ideal conditions where passwords are mistyped and Alternate Authentication factors are lost or fail.
More severe Recovery problems occur when the User has lost control of their account and needs it to be reset. The level of Authentication for these situation can be severely taxing to a user desperate for access to their accounts.
When an Authentication factor like an alternate email or phone number is compromised, insecure Recovery methods themselves become a means of attack, especially since factors like phone number were never intended to be secure.^[1]

Once a Bearer Token has been issued to a Relying Party by a Identifier or Attribute Provider there is no practical way to issue a Revocation.

As a part of creating a User Object to hold User Information any Site needs to first of all assure that they can contact the user.
The two most common contact methods are email address and Smart Phone numbers. But such contact itself can become the vector for attack so any contact email must be recognizable and protected against spoofing by attackers.

↑ Lily Hay Newman, PHONE NUMBERS WERE NEVER MEANT AS ID. NOW WE’RE ALL AT RISK (2018-08-25) Wired Magazine https://www.wired.com/story/phone-numbers-indentification-authentication