
Re-authentication (Dictionary Entry)


Contexts

Cybersecurity, IAM

Term

Re-authentication

Alternative Forms

  • Session Re-authentication

  • Step-up Authentication NEAR SYNONYM

Definitions

A security control that consists of forcing a new authentication during an existing, still-valid session.

A re-authentication may reuse the original authentication factor or request a distinct factor.

The aim of re-authentication is to assure the identity of the entity after a certain amount of time, before a sensitive operation is executed or when intelligence has been collected that suggests the identity may have been compromised.

It comes with a cost for the end-user and should thus be proportionate to and adequate for the circumstances.

A complementary or alternative mechanism is continuous authentication.

Re-authentication may be applied at the device level (e.g. a device lock) or at the system or application level.

Re-authentication does not only apply to human agents. It may be applied to technical access as well, for example by giving machine credentials and bearer tokens a bounded lifetime so that a service must obtain a new one to continue.
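The following is an added illustration of the definition above, not code from this page or from any of the standards quoted below. It models one session and decides, per request, whether re-authentication is required and with which factor, covering the triggers named in the definition: elapsed time (an inactivity timeout and an absolute lifetime), a sensitive operation (with step-up to a second factor for the most sensitive ones), and a risk signal. On successful re-authentication it also rotates the session identifier. The thresholds, operation names, factor names and the in-memory credential store are assumptions chosen for the example.

```python
"""Re-authentication policy for a web session.

Added illustration, not code from the dictionary page or from NIST, the RFCs
or the other sources quoted on it.  Thresholds, operation and factor names and
the credential store are assumptions chosen for the example.
"""
from dataclasses import dataclass, field
import secrets

# Assumed policy parameters (illustrative values, not taken from any standard).
INACTIVITY_TIMEOUT = 15 * 60      # idle time after which the session must re-authenticate
ABSOLUTE_LIFETIME = 24 * 60 * 60  # max age of the initial login before a full new login
FRESHNESS_WINDOW = 5 * 60         # a sensitive action needs an authentication at most this old
SENSITIVE_OPS = {"transfer_funds", "change_password", "add_mfa_device"}
STEP_UP_OPS = {"transfer_funds"}  # sensitive actions that also require a second factor

# Constructed credential store for the example only; a real system checks hashed
# secrets and uses a proper TOTP/WebAuthn verifier.
CREDENTIALS = {"alice": {"password": "correct horse battery staple", "totp": "492817"}}


@dataclass
class Session:
    session_id: str
    user: str
    authenticated_at: float                    # time of the initial login
    last_auth_at: float                        # time of the most recent (re-)authentication
    last_seen: float                           # time of the last request on this session
    factors: set = field(default_factory=set)  # factors proven as of last_auth_at
    risk_flag: bool = False                    # set by detection, e.g. new country mid-session


def new_session(user, factors, now):
    """Create a session after a full login; authenticated_at is never extended later."""
    return Session(secrets.token_urlsafe(32), user, now, now, now, set(factors))


def reauth_requirement(session, operation, now):
    """Decide whether `operation` may proceed on `session` at time `now`.

    Returns None when no re-authentication is needed, otherwise a
    (reason, required_factor) pair.  Conditions are checked from the most to
    the least severe so the caller always receives the strongest requirement.
    """
    if now - session.authenticated_at > ABSOLUTE_LIFETIME:
        return ("absolute_lifetime", "login")      # re-auth cannot rescue this; start over
    if now - session.last_seen > INACTIVITY_TIMEOUT:
        return ("inactivity", "password")
    if session.risk_flag:
        return ("risk_signal", "totp")             # distinct factor, not the one possibly stolen
    if operation in SENSITIVE_OPS:
        stale = now - session.last_auth_at > FRESHNESS_WINDOW
        if operation in STEP_UP_OPS and (stale or "totp" not in session.factors):
            return ("step_up", "totp")
        if stale:
            return ("sensitive_operation", "password")
    return None


def reauthenticate(session, factor, proof, now):
    """Verify `proof` for `factor`; on success refresh the session and rotate its id.

    Rotating the id means a session token captured before the re-authentication
    no longer identifies the strengthened session.
    """
    expected = CREDENTIALS.get(session.user, {}).get(factor)
    if expected is None or not secrets.compare_digest(expected.encode(), proof.encode()):
        return False                               # failed attempt leaves the session untouched
    if factor == "password":
        session.factors = {"password"}             # a second factor must be proven again to count
    else:
        session.factors.add(factor)
        session.risk_flag = False                  # a fresh second factor answers the risk signal
    session.last_auth_at = now
    session.last_seen = now
    session.session_id = secrets.token_urlsafe(32)
    return True
```

Note that the absolute lifetime is measured from the initial login and is never refreshed by a re-authentication, whereas the freshness window and the inactivity timer are; this keeps "re-authenticate for a sensitive action" from silently turning into "never log in again".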

Related Terms

Quotes

Re-authentication

The process of confirming the subscriber's continued presence and intent to be authenticated during an extended usage session.

(NIST SP 800-63-3-R3, 2020, p. 53)

Bearer tokens MUST have a limited lifetime that can be determined directly or indirectly (e.g., by checking with a validation service) by the service provider. By expiring tokens, clients are forced to obtain a new token (which usually involves re-authentication) for continued authorized access. For example, in OAuth 2.0, a client MAY use OAuth token refresh to obtain a new bearer token after authenticating to an authorization server.

(RFC 7644, 2015, p. 79)

For instance, in the wake of the widely-reported theft of a laptop containing personal information on millions of US veterans, OMB directed all agencies to implement a set of security measures (or verify they had already been implemented) including (…) automated time-out for remote access to require re-authentication after periods of inactivity (…)

(Gantz and Philpott, 2013, p. 468)

7.3. Token and Credential Management Assurance Levels

7.3.1. Requirements per Assurance Level

The stipulations for management of tokens and credentials by the CSP and Verifier are described below for each assurance level. The stipulations described at each level in this section are incremental in nature; requirements stipulated at lower levels are implicitly included at higher levels.

(…)

7.3.1.4. Level 4

At Level 4, the following is required:

(…)

Token and credential renewal/re-issuance – Sensitive data transfers shall be cryptographically authenticated using keys bound to the authentication process. All temporary or short-term keys derived during the original authentication operation shall expire and re-authentication shall be required after not more than 24 hours from the initial authentication.

(NIST SP 800-63-2, 2013, p. 62-68)

Session Re-Authentication

Consider re-authenticating users for critical actions such as money transfers or purchases involving considerable sums of money. This would require the user to re-authenticate or be reissued another session token directly preceding taking a material action.

(Wright, 2008, p. 533)

5.2 Continuous Authentication Needs to Be Enforced

In physical cyber security convergence, a physical access control policy of a building could have many points of authentication where a user presents his access token. The repetitive re-authentication of a user should be avoided, but the user should rather be tracked using sensors from where authentication is done to where access control is enforced. Similarly, physical objects that are moved around need to be continuously tracked to ensure their integrity and safety.

(Greaves et al., 2018, p. 193)

IA-11 RE-AUTHENTICATION

Control: Require users to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication].

Supplemental Guidance: In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations including, for example, when authenticators or roles change; when security categories of systems change; when the execution of privileged functions occurs; after a fixed time-period; or periodically.

Related Controls: AC-3, AC-11, IA-2, IA-3, IA-8.

Control Enhancements: None.

References: None.

(NIST SP 800-53 R5 Draft, 2017, p. 119)

Bibliography

See Also
