Revocation

From MgmtWiki

Revision as of 10:03, 2 October 2018

Full Title or Meme

The problem of revoking a grant previously issued on behalf of a Subject, which is a requirement of several privacy regulations.

Context

The collection of User Private Information by a Data Controller now necessitates the ability to Authenticate the User under a wide range of challenges, like:

  1. Simplest of all, the User needs to Authenticate from time to time and on a variety of devices under less than ideal conditions, where passwords are mistyped and Alternate Authentication factors are lost or fail.
  2. More severe Recovery problems occur when the User has lost control of their account and needs it to be reset. The level of Authentication required in these situations can be severely taxing to a user desperate for access to their accounts.
  3. When an Authentication factor like an alternate email address or phone number is compromised, insecure Recovery methods themselves become a means of attack, especially since factors like phone numbers were never intended to be secure.[1]

Problems

Solutions

  • Issue a Refresh Token that the Relying Party uses to acquire an access token with a short life time. Revoking the grant invalidates the Refresh Token, so the Relying Party is cut off at its next refresh; but an access token that has already been issued keeps working until it expires, so revocation is not possible during that short life time. The window of exposure is bounded by the access-token lifetime, which is why it must be short.
  • Require the Resource Server to verify the liveness of the access token with the Authorization Server (for example by token introspection) before it authorizes actual access to the Resource. This makes revocation take effect immediately, at the cost of a round trip to the Authorization Server on each request and a dependency on its availability.
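The following is an added example, not code from the MgmtWiki page, that shows both solutions side by side. It models a hypothetical Authorization Server that issues refresh tokens and short-lived access tokens, and a hypothetical Resource Server that either validates tokens offline or also asks the Authorization Server whether the token is still live. The class and function names (AuthorizationServer, ResourceServer, scenario), the HMAC-signed token format used in place of a real JWT, the demo key, and the timeline are all assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key; a real deployment would use a managed secret (assumption).
KEY = b"constructed-demo-key-do-not-reuse"
ACCESS_TTL = 300  # access-token lifetime in seconds (the "short life time")


class AuthorizationServer:
    """Hypothetical AS: issues refresh tokens and short-lived HMAC-signed access tokens."""

    def __init__(self, key: bytes):
        self.key = key
        self.grants = {}          # refresh token -> {"sub", "client", "jtis"}
        self.active_access = {}   # access-token id (jti) -> expiry, consulted by introspection

    def _sign(self, payload: bytes) -> str:
        mac = hmac.new(self.key, payload, hashlib.sha256).digest()
        return (base64.urlsafe_b64encode(payload).decode()
                + "." + base64.urlsafe_b64encode(mac).decode())

    def grant(self, subject: str, client: str) -> str:
        """Record a grant from `subject` to `client` and return its refresh token."""
        rt = secrets.token_urlsafe(32)
        self.grants[rt] = {"sub": subject, "client": client, "jtis": set()}
        return rt

    def refresh(self, rt: str, now: int):
        """Exchange a refresh token for a new access token; None if the grant is gone."""
        g = self.grants.get(rt)
        if g is None:
            return None
        jti = secrets.token_urlsafe(16)
        exp = now + ACCESS_TTL
        g["jtis"].add(jti)
        self.active_access[jti] = exp
        claims = {"sub": g["sub"], "client": g["client"], "jti": jti, "exp": exp}
        return self._sign(json.dumps(claims, sort_keys=True).encode())

    def revoke(self, rt: str) -> None:
        """Revoke the grant: the refresh token dies now and every access token
        issued under it is withdrawn from the introspection table."""
        g = self.grants.pop(rt, None)
        if g is not None:
            for jti in g["jtis"]:
                self.active_access.pop(jti, None)

    def introspect(self, jti: str, now: int) -> bool:
        """Liveness check a Resource Server can call before granting access."""
        exp = self.active_access.get(jti)
        return exp is not None and exp > now


class ResourceServer:
    """Hypothetical RS: validates the token offline, optionally also online via introspection."""

    def __init__(self, key: bytes, introspect=None):
        self.key = key
        self.introspect = introspect

    def _verify(self, token: str):
        try:
            payload_b64, mac_b64 = token.split(".")
            payload = base64.urlsafe_b64decode(payload_b64)
            mac = base64.urlsafe_b64decode(mac_b64)
        except ValueError:
            return None
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None
        return json.loads(payload)

    def authorize(self, token: str, now: int) -> bool:
        claims = self._verify(token)
        if claims is None or claims["exp"] <= now:
            return False            # forged, tampered, or expired
        if self.introspect is not None and not self.introspect(claims["jti"], now):
            return False            # revoked before expiry: only detectable online
        return True


def scenario(introspection: bool) -> dict:
    """Grant, use, revoke, then observe what the Resource Server sees (constructed timeline)."""
    auth = AuthorizationServer(KEY)
    rs = ResourceServer(KEY, introspect=auth.introspect if introspection else None)
    rt = auth.grant("alice", "relying-party-1")
    t0 = 1_700_000_000
    at = auth.refresh(rt, t0)
    before = rs.authorize(at, t0 + 10)
    auth.revoke(rt)
    return {
        "before": before,
        "after_revoke": rs.authorize(at, t0 + 20),              # inside the short life time
        "after_expiry": rs.authorize(at, t0 + ACCESS_TTL + 1),  # lifetime elapsed
        "refresh_after_revoke": auth.refresh(rt, t0 + 20) is None,
    }
```

Running scenario(False) shows the first solution: after revocation the refresh token is dead, but the already-issued access token is still accepted until it expires. Running scenario(True) shows the second: the same revoked access token is rejected on the very next request, because the Resource Server consults the Authorization Server's liveness table before granting access.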

References

  1. Lily Hay Newman, "Phone Numbers Were Never Meant as ID. Now We're All at Risk" (2018-08-25) Wired Magazine https://www.wired.com/story/phone-numbers-indentification-authentication