Subscriber Accounts

This section is normative.

Subscriber Accounts

The CSP SHALL establish and maintain a unique subscriber account for each active subscriber in its identity system from the time of enrollment to the time of account closure. The CSP establishes a subscriber account to record each subscriber as a unique identity within its identity service and to maintain a record of all authenticators associated with that account.

The CSP SHALL assign a unique identifier to each subscriber account. The identifier SHOULD be randomly generated by the CSP’s system and of sufficient length and entropy to ensure uniqueness within its user population and to support federation with RPs, where applicable. The identifier MAY be used as a subject identifier in the generation of assertions, consistent with [SP800-63C].

At a minimum, the CSP SHALL include the following information in each subscriber account:

• The unique identifier associated with the subscriber account
• Any subject identifiers established for the subscriber, including any RP-specific subject identifiers
• A record of the identity proofing steps completed for the subscriber, including:
  • The type and issuer of identity evidence
  • The type of proofing (i.e., remote unattended, remote attended, on-site attended, on-site unattended)
  • The validation and verification methods used
  • The use of a trusted referee or other exception handling process
  • The use of an applicant reference, including a unique identifier for the applicant reference
• Maximum IAL successfully achieved for the identity proofing of the subscriber
• Records of any applicant consent agreements related to the collection and processing of information about the applicant throughout the subscriber account life cycle, including biometrics
• All authenticators currently bound to the subscriber account, whether registered at enrollment or subsequent to enrollment
• Attributes that were validated during the identity proofing process or in subsequent transactions to support RP access

The CSP may enroll and establish a subscriber account for applicants who have not been identity-proofed (e.g., pseudonymous accounts) and record such status in the subscriber account.

Subscriber Account Access

The CSP SHALL provide the capability for subscribers to authenticate and access information in their subscriber account.

For subscriber accounts that contain personal information, this capability SHALL be accomplished through AAL2 or AAL3 authentication processes using authenticators that are registered to the subscriber account.

Subscriber Account Maintenance and Updates

The CSP SHALL provide the capability for a subscriber to request that information be updated in their subscriber account. The CSP MAY provide a mechanism for subscribers to directly update non-core attributes.

With the exception of physical addresses, the CSP SHALL validate any changes to core attribute information maintained in the subscriber account. The CSP SHOULD validate a change to the subscriber’s physical address if it is considered a core attribute by the CSP.

The CSP SHALL notify the subscriber of any updates made to information in the subscriber account.

The CSP SHALL provide the capability for the subscriber to report any unauthorized access or potential compromise to information in their subscriber account.

Subscriber Account Suspension or Termination

The CSP SHALL promptly suspend or terminate the subscriber account when one of the following occurs:

• The subscriber elects to terminate their subscriber account with the CSP.
• The CSP determines that the subscriber account has been compromised.
• The CSP determines that the subscriber has violated the policies or rules for participation in the CSP identity service.
• The CSP determines that the subscriber account is inactive in accordance with the policies or rules established by the CSP.
• The CSP receives notification of a subscriber’s death from an authoritative source.
• The CSP receives a legal instrument instructing it to terminate a subscriber’s account.
• The CSP ceases identity system and services operations.

The CSP SHALL notify the subscriber if their account has been suspended or terminated. Such notices SHALL include information about why the account was suspended or terminated, reactivation or renewal options, and any options for redress if the subscriber thinks the account was suspended or terminated in error.

The CSP SHALL delete all personal information from the subscriber account records following account termination in accordance with the record retention and disposal requirements, as documented in its practices statement (see Sec. 3.1).

Data Breach Notification

In the event of a data breach of CSP records, the CSP SHALL provide notification to subscribers whose personal information may have been exposed to unauthorized access. Such notification SHALL include information about the breach and actions for subscribers to take to recover or maintain access to their accounts and to protect against any unauthorized disclosure of their personal information. The CSP SHALL send such notifications as expeditiously as possible to the subscribers’ validated address.

Multiple Subscriber Account Scenarios

Some CSPs need to support a single user’s ability to interact with the CSP while fulfilling different roles or personas. For example, a subscriber may interact as themselves and also as a representative of a business across different services supported by the CSP. Another scenario is a CSP that serves both commercial and federal RPs and must maintain a separation between its services. To limit fraud and avoid redundant costs and processes, CSPs SHOULD provide users with a means to manage multiple user personas without having to create multiple subscriber accounts. If this is not possible, and multiple subscriber accounts are supported for a single subscriber, the CSP SHOULD implement its subscriber accounts in a manner that avoids unnecessary re-proofing of the same subscriber (e.g., linking accounts via a common identifier or through biometric or attribute resolution).

If multiple subscriber accounts are permitted for a single subscriber, the following requirements apply:

1. The CSP SHALL develop and document their process for reviewing and assessing subscribers with multiple accounts to identify possible fraud.
2. The CSP SHALL maintain a mapping of all accounts associated with a unique government identifier or common core attributes.
3. The CSP SHALL provide individuals with visibility into the full list of subscriber accounts associated with their identity.
4. The CSP SHOULD allow subscribers to block the creation of additional accounts using their personal information.

Similar scenarios can also occur when RPs use the services of multiple CSPs. This is known as account linking, and Sec. 3.8.1 of [SP800-63C] describes the association of an RP subscriber account with multiple CSP/IdP accounts.