FIA_UAU.5 Multiple authentication mechanisms
User application notes
The use of this component allows specification of requirements for more than one authentication mechanism to be used within a TOE. For each distinct mechanism, the applicable requirements from the FIA class must be chosen and applied to that mechanism. The same component may be selected multiple times in order to reflect different requirements for the different uses of the authentication mechanisms.
The management functions in the class FMT may provide maintenance capabilities for the set of authentication mechanisms, as well as the rules that determine whether the authentication was successful.
To allow anonymous users to be on the system, a "none" authentication mechanism can be incorporated. The use of such access should be clearly explained in the rules of FIA_UAU.5.2.
Operations
Assignment:
In FIA_UAU.5.1, the PP/ST author should define the available authentication mechanisms. An example of such a list could be: "none, password mechanism, biometric (retinal scan), S/key mechanism".
In FIA_UAU.5.2, the PP/ST author should specify the rules that describe how the authentication mechanisms provide authentication and when each is to be used. This means that for each situation the set of mechanisms that might be used for authenticating the user must be described. An example of a list of such rules is: "if the user has special privileges a password mechanism and a biometric mechanism both shall be used, with success only if both succeed; for all other users a password mechanism shall be used."
The PP/ST author may give the boundaries within which the authorised administrator may specify specific rules. An example of such a rule is: "the user shall always be authenticated by means of a token; the administrator may specify additional authentication mechanisms that also must be used." The PP/ST author may also choose not to specify any boundaries but leave the authentication mechanisms and their rules completely up to the authorised administrator; in that case the rules are management data, and the FMT components selected should state who may change them.
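The rule evaluation described in the FIA_UAU.5.1 and FIA_UAU.5.2 assignments above, as an added Python example that is not part of the standard's text: it takes a mechanism list including "none", the example rules (password and biometric both required for privileged users, success only if both succeed; password for other users; "none" for anonymous users), and shows an evaluator that fails closed on unknown user classes, missing credentials and any single mechanism failure, plus an administrator update of the rules that is bounded by a PP/ST-mandated minimum set. The verifiers, credentials, user class names and function names are constructed for this example and are not part of any real TOE.

```python
"""Added example: evaluating FIA_UAU.5-style multiple-mechanism rules."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Mapping

# FIA_UAU.5.1: the mechanisms available in this hypothetical TOE.
# "none" is the anonymous-access mechanism from the application notes.
AVAILABLE: FrozenSet[str] = frozenset({"none", "password", "biometric", "token"})

# A verifier takes the credential presented for one mechanism and returns True
# only if that mechanism succeeded. These are constructed stand-ins for a real
# password store, biometric matcher and token check.
Verifier = Callable[[object], bool]

CONSTRUCTED_VERIFIERS: Dict[str, Verifier] = {
    "password": lambda cred: cred == "correct horse battery staple",
    "biometric": lambda cred: cred == {"retina_template": "match"},
    "token": lambda cred: cred == "otp-123456",
}


@dataclass(frozen=True)
class Policy:
    """FIA_UAU.5.2 rules: per user class, the mechanisms that must ALL succeed."""
    required: Mapping[str, FrozenSet[str]]
    # Boundary set by the PP/ST author: per class, mechanisms the authorised
    # administrator may add to but never remove (cf. "always authenticated by token").
    mandatory: Mapping[str, FrozenSet[str]]


def authenticate(policy, user_class, credentials, verifiers=CONSTRUCTED_VERIFIERS):
    """Return True only if every mechanism required for user_class succeeds.

    Fails closed: an unknown class, a required mechanism with no presented
    credential, or any single verifier failure yields False. Credentials for
    mechanisms the rules do not require are ignored, so a privileged user
    cannot substitute a password for the required biometric.
    """
    required = policy.required.get(user_class)
    if not required:
        return False  # no rule for this class: deny
    if required == frozenset({"none"}):
        return True  # anonymous access: nothing is checked
    for mech in required:
        if mech == "none":
            return False  # "none" may only stand alone in a rule
        if mech not in credentials or mech not in verifiers:
            return False
        if not verifiers[mech](credentials[mech]):
            return False
    return True


def admin_set_rule(policy, user_class, mechanisms):
    """Administrator maintenance of the rules (cf. FMT) within the PP/ST boundary.

    Rejects mechanisms outside the FIA_UAU.5.1 list, any rule that drops a
    mechanism declared mandatory for the class, and "none" combined with others.
    """
    mechanisms = frozenset(mechanisms)
    unknown = mechanisms - AVAILABLE
    if unknown:
        raise ValueError(f"unknown mechanism(s): {sorted(unknown)}")
    missing = policy.mandatory.get(user_class, frozenset()) - mechanisms
    if missing:
        raise ValueError(f"rule for {user_class!r} must keep {sorted(missing)}")
    if "none" in mechanisms and len(mechanisms) > 1:
        raise ValueError('"none" may not be combined with other mechanisms')
    new_required = dict(policy.required)
    new_required[user_class] = mechanisms
    return Policy(required=new_required, mandatory=policy.mandatory)


# The example rule set from the application notes, plus an anonymous class.
EXAMPLE_POLICY = Policy(
    required={
        "privileged": frozenset({"password", "biometric"}),  # both must succeed
        "user": frozenset({"password"}),
        "anonymous": frozenset({"none"}),
    },
    mandatory={
        "privileged": frozenset({"password", "biometric"}),
        "user": frozenset({"password"}),  # administrator may only add to this
    },
)
```

The evaluator treats the rule as a conjunction over the required set and never lets an unrequested mechanism stand in for a required one; the administrator interface enforces the PP/ST boundary by construction rather than by documentation, which is the property an evaluator would look for when the ST leaves part of the rules to the administrator.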