Automated deployment: Wed Dec 6 17:07:31 UTC 2023 3d9b820

session-management/index.html

@@ -526,10 +526,37 @@ <h1 class="app-page-heading">
 <p>Therefore, connected services that use NHS login as an Identity Provider (IdP) and Authentication Service must align to the following NIST standards.</p>
 <p><a href="https://gbr01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fnvlpubs.nist.gov%2Fnistpubs%2FSpecialPublications%2FNIST.SP.800-63c.pdf&amp;data=05%7C01%7Cbrendan.plant1%40nhs.net%7C331c3500f34d492d3ff808dad120bb8d%7C37c354b285b047f5b22207b48d774ee3%7C0%7C0%7C638052235748476884%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=YrDvEUd%2FAdQcHwRpprfmxMBgjxb06Eau2v0D4gIK2zc%3D&amp;reserved=0">NIST 800- 63C Digital Identity Guidelines: Federation and Assertions (nist.gov)</a> is used to provide guidance around the NHS login use of and operation of OIDC, with further detail within the NHS login External Interface Specification.</p>
 <p><a href="https://gbr01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fnvlpubs.nist.gov%2Fnistpubs%2FSpecialPublications%2FNIST.SP.800-63b.pdf&amp;data=05%7C01%7Cbrendan.plant1%40nhs.net%7C331c3500f34d492d3ff808dad120bb8d%7C37c354b285b047f5b22207b48d774ee3%7C0%7C0%7C638052235748476884%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=geXgNSYNrg9LvpDcD8%2BA%2F5tqwDQQTXDkPmixdrexW%2Fc%3D&amp;reserved=0">NIST 800-63B Digital Identity Guidelines: Authentication and Lifecycle Management (nist.gov)</a> is used to define the Authentication Assurance levels which support the operation of NHS login.  Where Authentication Solutions are used alongside NHS login, they should also meet an AAL level of 2.</p>
-<p>NIST 80063B also refers to the requirement for reauthentication of the AAL2 service, and a mandatory statement that the session must be terminated when either of the periods below are reached:</p>
+<hr>
+<h2>Session Management and Refresh Tokens##</h2>
+<h1>Definitions</h1>
 <ul>
-<li>at least once per 12 hours during an extended usage session, regardless of user activity</li>
-<li>reauthentication of the subscriber to be repeated following any period of inactivity lasting 30 minutes or longer.</li>
+<li>Standalone web application - a partner's own independently accessed web application, intended for consumption by users via any web browser (regardless of device type)</li>
+<li>standalone mobile application - a partner's own independently accessed mobile application, intended for installation and consumption by users on a mobile phone or tablet device</li>
+<li>user-to-app authentication - a biometric or PIN prompt that validates repeat-access to a mobile application after a full authentication journey has been completed on initial access to the app. <br><br>Note: this is distinct from the action taken by the user to unlock their device. Although the application may use the same operating system-level mechanism to implement a biometrics or a PIN, this is an additional check after the user has unlocked the device</li>
+</ul>
+<hr>
+<h1>Guidance</h1>
+ <br>
+<p><strong>A) For standalone web applications, and standalone mobile applications that do not implement user-to-app authentication:</strong>
+<br></p>
+<p>The user must complete a full authentication journey:</p>
+<ul>
+<li>after 30 minutes of inactivity within the application</li>
+<li>after 12 hours of continuous usage</li>
+</ul>
+<p>The application must automatically redirect the user to the authentication journey at the end of each period, without user interaction.</p>
+<p><strong>B) For mobile applications that implement user-to-app authentication:</strong></p>
+<p>The user must complete a full authentication journey:</p>
+<ul>
+<li>the first time they access the application</li>
+<li>at least every 30 days thereafter</li>
+</ul>
+<p>If user-to-app authentication is optional, the application must comply with the requirements outlined in A) until the user configures it.</p>
+<p>In addition, the application must carry out a user-to-app authentication check:</p>
+<ul>
+<li>after 5 minutes of inactivity within the application. The application must make this prompt automatically without user interaction</li>
+<li>on reopening the application if it has been in the background for more than one minute</li>
+<li>on reopening the application if it has been closed (regardless of elapsed time)</li>
 </ul>