6. Manage the Credential Lifecycle

Active credentials require regular maintenance. This use case describes the most common credential maintenance activities:

Reset a credential - An employee or contractor forgets the password or PIN associated with a credential and requests a reset.
Renew a credential - An employee or contractor’s credential is expiring or their identity information changes, so they request a replacement credential. You must renew a credential prior to the expiration date; otherwise, the employee or contractor must go through the issuance process again.
Revoke a credential - An employee or contractor is no longer eligible for their credential (like separating from the issuing agency). The sponsor, supervisor, or administrator requests a revocation of all associated credentials and enterprise accounts.

You should periodically review your employee or contractors’ eligibility for credentials to identify potential orphaned data.

Use Cases

In this use case, an administrator needs to reset a password or PIN for an employee or contractor credential.

1. Initiate the request	An employee or contractor forgets their password or PIN, and requests a reset. If the request is valid, the identity management system approves the request.
2. Issue a reset	The system issues a password/PIN reset, which may be a temporary password or a link to a web-based reset form.
3. Reset the credential	The employee or contractor resets their password or PIN.

In this use case, an administrator needs to issue a new credential to replace one that will expire soon or has outdated identity information.

1. Initiate the request	An individual requests a renewal for an employee or contractor’s credential. This individual may be the employee or contractor, their supervisor, or an administrator with approval authority. This could also be an automated process triggered by schedules or specific events.
2. Review the request	The identity management system reviews the request and verifies that the employee or contractor qualifies for a renewed credential. If so, approve the request.
3. Replace the credential	The system issues a new credential to the employee or contractor, and updates the associated enterprise identity record.

In this use case, an administrator needs to revoke an active credential.

1. Initiate the request	An individual sends a separation notification or a notice of a lost or compromised credential, requesting revocation. This individual may be the employee or contractor, their supervisor, HR, or a security team member.
2. Disable the credential	The administrator invalidates the credential. Depending on your agency, an individual or a system may perform this task.
3. Return the credential	If the revoked credential is physical or hardware-based, the administrator returns the credential to the appropriate individual. This individual may be a supervisor, HR, or security team member.

An employee or contractor may have attempted to use a credential and input the PIN information incorrectly several times up to an agency-defined limit and has locked their account or credential. The employee or contractor requests a PIN reset. The employee or contractor is directed to an unlock service; has to verify information again to prove they are the same person issued the original credential; and follows prompts to unlock their credential, generating a new PIN in the process.
Reset - I want to verify the identity of an employee or contractor that has already been issued a credential and reset their PIN or password so that they can continue to access enterprise resources.
Renew - I want to verify the identity and eligibility of an employee or contractor, who has a previously issued credential that is near expiration, so that they may be issued a new enterprise credential to maintain their ability to access enterprise resources.
Revoke - I want to remove access to enterprise resources for an employee or contractor so that they can no longer use the protected resource.