usnistgov/800-63-3

Clarify reauthentication requirements at AAL2


@regenscheid points out:

There is an inconsistency in the reauthentication requirements for AAL2 in -63B Section 4.2.3. If a user is logged out at the end of a reauthentication period (either due to 30-minute inactivity or 12 hours having elapsed since authentication), it's not clear when the relaxed requirement of only one authentication factor comes into play.

Prior to an activity timeout, the user can be prompted to show some activity and do something in response, and no authentication factors are required. If that time is exceeded, then presumably the user is logged out and it's treated as an entirely new authentication, requiring 2 factors.

Approaching the 12-hour overall timeout, the user could be prompted for a single factor in order to extend the session beyond 12 hours. But since that time is relatively long, requiring only a single factor at this point doesn't save much user effort.

One possibility is to define a grace period following when reauthentication is required during which only a single factor needs to be used.
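To make the three regimes discussed above concrete, here is an added example (not from the issue or from SP 800-63B itself) that models an AAL2 session with the 30-minute inactivity limit, the 12-hour absolute limit, and the proposed post-expiry grace period in which one factor suffices. The grace length (5 minutes) and the choice that a successful single-factor reauthentication restarts both clocks are assumptions, not requirements stated on the page.

```python
from dataclasses import dataclass
from enum import Enum

INACTIVITY_LIMIT = 30 * 60      # seconds; AAL2 inactivity timeout from the issue
ABSOLUTE_LIMIT = 12 * 3600      # seconds; AAL2 maximum session length from the issue
GRACE_PERIOD = 5 * 60           # assumed value; the page proposes a grace period but fixes no length


class Required(Enum):
    NONE = "activity prompt only, no authenticator"
    ONE_FACTOR = "single-factor reauthentication"
    TWO_FACTORS = "fresh AAL2 authentication (two factors)"


@dataclass
class Session:
    authenticated_at: float   # time of the authentication that established/renewed the session
    last_activity: float      # time of the subscriber's most recent activity


def reauth_requirement(s: Session, now: float, grace: float = GRACE_PERIOD) -> Required:
    """What the subscriber must present at time `now` to keep this session."""
    idle = now - s.last_activity
    age = now - s.authenticated_at
    # Past a limit plus the grace period: the session is gone, start over with two factors.
    if idle > INACTIVITY_LIMIT + grace or age > ABSOLUTE_LIMIT + grace:
        return Required.TWO_FACTORS
    # Past a limit but still inside the grace period: one factor extends the session.
    if idle > INACTIVITY_LIMIT or age > ABSOLUTE_LIMIT:
        return Required.ONE_FACTOR
    return Required.NONE


def handle(s: Session, now: float, factors_presented: int, grace: float = GRACE_PERIOD):
    """Apply a subscriber action (0 = plain activity, 1 or 2 = factors shown).

    Returns the renewed Session, or None when the action is insufficient and the
    session must be terminated and re-established with a full authentication.
    """
    need = reauth_requirement(s, now, grace)
    if need is Required.NONE:
        return Session(s.authenticated_at, now)   # activity alone keeps it alive
    if need is Required.ONE_FACTOR and factors_presented >= 1:
        return Session(now, now)                   # assumption: reauth restarts both clocks
    if factors_presented >= 2:
        return Session(now, now)
    return None


if __name__ == "__main__":
    # Constructed scenario: authenticated at t=0 with no further activity.
    s = Session(0.0, 0.0)
    for t in (10 * 60, 31 * 60, 40 * 60):
        print(f"t={t:>5}s: {reauth_requirement(s, t).value}")
```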