Commit c08cfc9

Refine adaptive authN authZ requirements to resolve #3071 (#3086)
1 parent 4bbc5cf commit c08cfc9

2 files changed

+4
-2
lines changed

5.0/en/0x15-V6-Authentication.md

+2
@@ -10,6 +10,8 @@ Whilst of the requirments in this chapter are based on the second section of the
1010

1111
Also, NIST SP 800-63 terminology can sometimes be different and the chapter often uses more commonly understood terminology, to increase clarity.
1212

13+
One common feature of more advanced applications is the ability to adapt the authentication stages required based on various risk factors. This feature is covered in the "Authorization" chapter since these mechanisms also need to be considered for authorization decisions.
14+
1315
## V6.1 Authentication Documentation
1416

1517
This section contains requirements detailing the authentication documentation that should be maintained for an application. This is crucial to implement and assess how the relevant authentication controls should be configured.
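Review bot: The new sentence at line 13 points the reader to "the 'Authorization' chapter" without naming the section; since the adaptive-authentication material lives in the V8.1 documentation requirements (8.1.3 and 8.1.4 in the other file of this commit), consider referencing "V8.1 Authorization Documentation" explicitly so a reader of V6 can find the requirements that govern risk-based authentication stages. While touching this paragraph, the unchanged context line at the top of the hunk still reads "Whilst of the requirments" (missing word, "requirements" misspelled) and could be corrected in the same change.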

5.0/en/0x17-V8-Authorization.md

+2-2
@@ -15,8 +15,8 @@ Comprehensive authorization documentation is essential to ensure that security d
1515
| :---: | :--- | :---: | :---: |
1616
| **8.1.1** | Verify that authorization documentation defines rules for restricting function-level and data-specific access based on consumer permissions and resource attributes. | 1 | v5.0.be-1.4.7 |
1717
| **8.1.2** | Verify that authorization documentation defines rules for field-level access restrictions based on consumer permissions and resource attributes. | 2 | v5.0.be-1.4.8 |
18-
| **8.1.3** | Verify that authorization documentation defines a consumer's environmental and contextual attributes (such as time of day, location, IP address, or device) that must be used in the application to make security decisions, including those pertaining to authentication and authorization. | 3 | v5.0.be-1.4.6 |
19-
| **8.1.4** | Verify that authorization documentation considers environmental and contextual factors in decision-making, in addition to function-level, data-specific, and field-level authorization. | 3 | v5.0.be-1.4.9 |
18+
| **8.1.3** | Verify that the application's documentation defines the environmental and contextual attributes (including but not limited to, time of day, user location, IP address, or device) that are used in the application to make security decisions, including those pertaining to authentication and authorization. | 3 | v5.0.be-1.4.6 |
19+
| **8.1.4** | Verify that authentication and authorization documentation defines how environmental and contextual factors are used in decision-making, in addition to function-level, data-specific, and field-level authorization. This should include the attributes evaluated, thresholds for risk, and actions taken (e.g., allow, challenge, deny, step-up authentication.) | 3 | v5.0.be-1.4.9 |
2020

2121
## V8.2 General Authorization Design
2222
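Review bot: The two rewritten requirements name the documentation artifact differently: 8.1.3 now says "the application's documentation" while 8.1.4 says "authentication and authorization documentation", and 8.1.1/8.1.2 above them still say "authorization documentation"; aligning the wording (for example using "authentication and authorization documentation" in both 8.1.3 and 8.1.4) would make clear that one document is expected to hold the attribute list and the decision rules. Two punctuation points in the new text: in 8.1.3, "(including but not limited to, time of day, ...)" should be either "(including, but not limited to, time of day, ...)" or "(including but not limited to time of day, ...)"; in 8.1.4, the closing "step-up authentication.)" puts the full stop inside the parenthesis and should read "step-up authentication)."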
