Things to consider when using maker–checker authorization

Whereas unassigning an authenticator is protected by maker–checker authorization, deleting an authenticator is currently not. However, when deleting an authenticator, the respective device is implicitly unassigned before it is deleted from the data store. The unassignment operation in this case is not subject to maker–checker authorization. This special case allows bypassing maker–checker authorization.

An administrator can circumvent maker–checker authorization for unassigning an authenticator by simply deleting the device.

To prevent this, do not assign the Delete DIGIPASS privilege to administrators who also have the Unassign DIGIPASS privilege and are supposed to unassign authenticators in a controlled environment with maker–checker authorization enabled.
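
One way to audit for the privilege combination described above, as an added example that is not part of the product or its documentation. The export layout (an admin column and a semicolon-separated privileges column) and the sample accounts are assumptions constructed for illustration; only the two privilege names come from the text.

```python
import csv
import io

# Privilege names as given in the text above.
UNASSIGN = "Unassign DIGIPASS"
DELETE = "Delete DIGIPASS"

# Constructed sample export. The column names and the ';' separator are
# assumptions, not the product's own export format.
SAMPLE_EXPORT = """\
admin,privileges
alice,View DIGIPASS;Unassign DIGIPASS
bob,Unassign DIGIPASS; delete digipass
carol,Delete DIGIPASS
dave,Unassign DIGIPASS
dave,Delete DIGIPASS
"""


def _norm(name):
    """Case- and whitespace-insensitive key for a privilege name."""
    return " ".join(name.split()).casefold()


def load_privileges(export_text):
    """Return {admin: set of normalized privileges}, merged across rows."""
    held = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        privs = {_norm(p) for p in row["privileges"].split(";") if p.strip()}
        held.setdefault(row["admin"].strip(), set()).update(privs)
    return held


def find_bypass_capable(export_text):
    """Admins holding both privileges named in the text: they are meant to
    unassign under maker-checker but can delete the device instead."""
    conflict = {_norm(UNASSIGN), _norm(DELETE)}
    held = load_privileges(export_text)
    return sorted(a for a, privs in held.items() if conflict <= privs)


if __name__ == "__main__":
    for admin in find_bypass_capable(SAMPLE_EXPORT):
        print(f"{admin}: holds both '{UNASSIGN}' and '{DELETE}'")
```

Running the check after every privilege change catches the case where the two privileges reach one account through separate assignments, as with the constructed account dave.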