...
This multi-factor profile is an extension of the REFEDS Multi-Factor Authentication (MFA) Profile (https://refeds.org/profile/mfa) [1], applicable to Swedish Higher Education.
...
The Member organisation MUST be certified for SWAMID Identity Assurance Level 2 Profile [2].
Only subjects currently at SWAMID Identity Assurance Level 2 are allowed to authenticate themselves according to this Profile.
...
- Choice of multi-factor technology MUST be documented in section 5.1 Credential Operating Environment.
  The selected second factor or full multi-factor solution MUST be based on the Single-Factor and Multi-Factor Authenticator Types within NIST 800-63B [3].
  Guidance: SWAMID has published a set of valid choices for second factor and full multi-factor solutions in the SWAMID wiki.
- Processes for issuing and assigning credentials (second factor or full multi-factor) MUST be documented in 5.2 Credential Issuing (more precisely in 5.2.5).
  Issuing of a second factor or full multi-factor MUST be done using one of the following methods:
  - On-line multi-factor authentication of the Subject at the SWAMID MFA Profile or a higher level, using an external Identity Provider compliant with the SWAMID MFA Profile or higher.
  - In-person visit at a service desk in combination with identity proofing as defined by the Swedish Tax Agency for issuance of the Swedish Tax Agency identity card.
  - In-person visit at a service desk in combination with identity proofing using an international passport fulfilling International Civil Aviation Organization (ICAO) Doc 9303 Machine Readable Travel Documents [4], an EU/EEA national identity card fulfilling Regulation (EU) 2016/399 of the European Parliament and of the Council [5], or an EU/EEA driving licence fulfilling Directive 2006/126/EC of the European Parliament and of the Council of 20 December 2006 on driving licences [6].
  - Off-line, using certified mail to a postal address (sv. rekommenderat brev med personlig utlämning) in combination with a time-limited one-time password/PIN code.
  - Off-line, using certified mail to a postal address (sv. rekommenderat brev med personlig utlämning) with a preregistered device, unique to the user, that will be considered a vetted token on first use.
  Guidance: The second factor or full multi-factor must be issued separately from the user credentials, in accordance with the REFEDS MFA Profile criteria.
  Guidance: Multi-Factor solutions provided within the Swedish E-identification system fulfil the requirements for on-line multi-factor authentication and can be used for on-line identity vetting if allowed by the E-identification issuer. Likewise, authentication via eIDAS with assurance level substantial or high fulfils the requirements.
- Processes for replacement of second factors or full multi-factor MUST be documented in 5.3 Credential Renewal and Re-issuing.
  Replacement of a second factor or full multi-factor MUST be done using the same methods as listed above for Credential Issuing.
- Processes for revocation of second factors or full multi-factor MUST be documented in 5.4 Credential Revocation.
...
- The authentication of the user’s current session used a combination of at least two of the four distinct types of factors defined in ITU-T X.1254: Entity authentication assurance framework, section 3.1.3, authentication factor (something you know, something you have, something you are, something you do) [4].
- The factors used are independent, in that access to one factor does not by itself grant access to other factors.
- The combination of the factors mitigates single-factor only risks related to non-real-time attacks such as phishing, offline cracking, online guessing and theft of a (single) factor.
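The three criteria above are what an Identity Provider vouches for when it asserts the REFEDS MFA context; a Service Provider can only rely on them if it checks the context actually returned rather than assuming its request was honoured. The following is an added example, not part of the SWAMID profile or its tooling: it assumes SAML 2.0 with the REFEDS MFA Profile carried as an AuthnContextClassRef, a constructed sample assertion from a hypothetical IdP, and that signature and audience validation happen elsewhere.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# AuthnContextClassRef value that signals the REFEDS MFA Profile in a SAML assertion.
REFEDS_MFA = "https://refeds.org/profile/mfa"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def session_is_mfa(assertion_xml: str, now: datetime,
                   max_age: timedelta = timedelta(hours=1)) -> bool:
    """True only if every AuthnStatement asserts REFEDS MFA and the authentication
    is recent enough to belong to the current session. Signature and audience
    validation are assumed to have been done before this check."""
    root = ET.fromstring(assertion_xml)
    statements = root.findall(".//saml:AuthnStatement", NS)
    if not statements:
        return False  # no authentication statement at all: MFA cannot be claimed
    for stmt in statements:
        ref = stmt.findtext("saml:AuthnContext/saml:AuthnContextClassRef",
                            default="", namespaces=NS).strip()
        if ref != REFEDS_MFA:
            return False  # IdP answered with another context (e.g. password only)
        instant = datetime.fromisoformat(stmt.attrib["AuthnInstant"].replace("Z", "+00:00"))
        if instant > now or now - instant > max_age:
            return False  # future-dated or stale authentication instant
    return True


# Constructed sample assertion from a hypothetical IdP (not a real SWAMID entity).
SAMPLE_MFA = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-03-01T10:00:05Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2024-03-01T10:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>https://refeds.org/profile/mfa</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""
# Same assertion where the IdP silently fell back to password-only authentication.
SAMPLE_PASSWORD = SAMPLE_MFA.replace(
    REFEDS_MFA, "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")


def demo() -> tuple:
    """Evaluate the samples at fixed clocks: (fresh MFA, password fallback, stale MFA)."""
    fresh = datetime(2024, 3, 1, 10, 30, tzinfo=timezone.utc)
    late = datetime(2024, 3, 1, 13, 0, tzinfo=timezone.utc)
    return (session_is_mfa(SAMPLE_MFA, fresh),
            session_is_mfa(SAMPLE_PASSWORD, fresh),
            session_is_mfa(SAMPLE_MFA, late))  # -> (True, False, False)
```

The second sample is the case that matters in practice: an IdP that does not support the requested context may still return a valid, signed assertion, so the SP must compare the returned AuthnContextClassRef rather than trust its own request.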
...
Guidance: The validation service is located at https://mfa-check.swamid.se
6. References
[1] REFEDS Multi-Factor Authentication (MFA) Profile: https://refeds.org/profile/mfa
[2] SWAMID Identity Assurance Level 2 Profile: http://www.swamid.se/policy/assurance/al2
[3] NIST Special Publication 800-63B - Digital Identity Guidelines - Authentication and Lifecycle Management: https://doi.org/10.6028/NIST.SP.800-63b
[4] International Civil Aviation Organization (ICAO) Doc 9303 Machine Readable Travel Documents: https://www.icao.int/publications/pages/publication.aspx?docnum=9303
[5] Regulation (EU) 2016/399 of the European Parliament and of the Council: http://data.europa.eu/eli/reg/2016/399/oj
[6] Directive 2006/126/EC of the European Parliament and of the Council of 20 December 2006 on driving licences: http://data.europa.eu/eli/dir/2006/126/oj