6. Manage the Credential Lifecycle
Active credentials require regular maintenance. This use case describes the most common credential maintenance activities:
- Reset a credential - An employee or contractor forgets the password or PIN associated with a credential and requests a reset.
- Renew a credential - An employee or contractor’s credential is expiring or their identity information changes, so they request a replacement credential. You must renew a credential prior to the expiration date; otherwise, the employee or contractor must go through the issuance process again.
- Revoke a credential - An employee or contractor is no longer eligible for their credential (like separating from the issuing agency). The sponsor, supervisor, or administrator requests a revocation of all associated credentials and enterprise accounts.
You should periodically review your employee or contractors’ eligibility for credentials to identify potential orphaned data.
Reset a Credential
In this use case, an administrator needs to reset a password or PIN for an employee or contractor credential.
Renew a Credential
In this use case, an administrator needs to issue a new credential to replace one that will expire soon or has outdated identity information.
Revoke a Credential
In this use case, an administrator needs to revoke an active credential.
- An employee or contractor may have attempted to use a credential and input the PIN information incorrectly several times up to an agency-defined limit and has locked their account or credential. The employee or contractor requests a PIN reset. The employee or contractor is directed to an unlock service; has to verify information again to prove they are the same person issued the original credential; and follows prompts to unlock their credential, generating a new PIN in the process.
- Reset - I want to verify the identity of an employee or contractor that has already been issued a credential and reset their PIN or password so that they can continue to access enterprise resources.
- Renew - I want to verify the identity and eligibility of an employee or contractor, who has a previously issued credential that is near expiration, so that they may be issued a new enterprise credential to maintain their ability to access enterprise resources.
- Revoke - I want to remove access to enterprise resources for an employee or contractor so that they can no longer use the protected resource.