Versions Compared


...

Subject: Any natural person, i.e. an end user, affiliated with a Home Organisation, e.g. as a teacher, researcher, staff member or student.

...

Identity Provider (IdP): The system component that issues Attribute assertions on behalf of Subjects, who use them to access the services of a Relying Party.

Strong Authentication: A combination of multi-factor authentication and a high assurance that the multi-factor authenticator is distributed to the intended Subject.

Second factor: A second, independent factor that is used in addition to the Subject's first factor in order to give the Subject the ability to use multi-factor authentication. Normally this means adding a second factor where the Subject's first factor is a memorised secret (i.e. a password).

Full multi-factor: A complete new set of credentials assigned to the Subject in order to give the Subject the ability to use multi-factor authentication. This new set of credentials is by itself composed of at least two independent factors (e.g. a smart card with a PIN) and does not depend in any way on the memorised secret (i.e. the password) that the Subject normally uses.


2. Purpose, Scope and Summary 

...

This document defines how a SWAMID member organisation SHOULD implement a Strong Authentication solution in order to be certified by SWAMID for Strong Authentication in a federated environment. Strong Authentication combines the use of multi-factor authentication with a high assurance that the multi-factor authenticator is distributed to the intended Subject.

This Strong Authentication profile is an extension of the REFEDS Multi-Factor Authentication (MFA) Profile [1] and is applicable to Swedish Higher Education.

...

Guidance: The intended use of this SWAMID profile is when authentication must be done with a high assurance that it is the correct Subject that is accessing a specific service. Please note that it is possible, or even preferred, to use multi-factor authentication without this high level of assurance in a federated environment, but that such use does not fulfil this Strong Authentication profile.

...

The Member organisation MUST be certified for SWAMID Identity Assurance Level 2 Profile [2].

Only Subjects currently at SWAMID Identity Assurance Level 2 are allowed to authenticate themselves according to this Profile.

...

  •  Choice of multi-factor technology MUST be documented in section 5.1 Credential Operating Environment.

    The selected second factor or full multi-factor solution MUST be based on the Single-Factor and Multi-Factor Authenticator Types defined in NIST SP 800-63B [3].

    Guidance: SWAMID has published a set of valid choices for second factor and full multi-factor solutions in the SWAMID wiki.

  • Processes for issuing and assigning of credentials (second factor or full multi-factor) MUST be documented in 5.2 Credential Issuing (more precisely in 5.2.5).

    Issuing of a second factor or full multi-factor MUST be done using one of the following methods:

      1. On-line, by multi-factor authenticating the Subject at the level of the SWAMID MFA Profile or higher, using an external Identity Provider compliant with the SWAMID MFA Profile or higher.

      2. In-person visit at a service desk in combination with identity proofing as defined by the Swedish Tax Agency for issuance of the Swedish Tax Agency identity card

      3. In-person visit at a service desk in combination with identity proofing using an international passport fulfilling International Civil Aviation Organization (ICAO) Doc 9303 Machine Readable Travel Documents [4], an EU/EEA national identity card fulfilling Regulation (EU) 2016/399 of the European Parliament and of the Council [5], or an EU/EEA driving licence fulfilling Directive 2006/126/EC of the European Parliament and of the Council of 20 December 2006 on driving licences [6].

      4. Off-line, using certified mail with personal delivery to a postal address (sv. rekommenderat brev med personlig utlämning) in combination with a time-limited one-time password/PIN code.

      5. Off-line, using certified mail with personal delivery to a postal address (sv. rekommenderat brev med personlig utlämning) containing a preregistered device, unique to the Subject, that is considered a vetted token on first use.


    Guidance: The second factor or full multi-factor must be issued separately from the Subject's single-factor credential, i.e. the password, in accordance with the REFEDS MFA Profile criteria.

    Guidance: Multi-factor solutions provided within the Swedish E-identification system fulfil the requirements for on-line multi-factor authentication and can be used for on-line identity vetting if allowed by the E-identification issuer. Likewise, authentication via eIDAS with assurance level substantial or high fulfils the requirements.
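    The issuing methods above describe a process, not an implementation. As an added example that is not part of the SWAMID profile or any SWAMID software, the following Python sketches the server side of method 4 (and, with the printed code replaced by a device identifier, method 5): a time-limited, single-use enrollment code is generated for the certified letter, stored only as a salted hash bound to the addressed Subject, and can be redeemed only from a session in which that same Subject has already authenticated with the first factor, so the postal channel and the password stay independent as the REFEDS guidance requires. The class and function names, the two-week lifetime and the attempt limit are assumptions chosen for illustration.

```python
"""Illustrative enrollment-code service for issuing method 4 (certified mail
plus a time-limited one-time code). Added example; not SWAMID's own code.
Names, lifetime and attempt limit are assumptions chosen for illustration."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Alphabet without 0/O/1/I so a code printed on paper survives transcription.
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODE_LENGTH = 10
CODE_LIFETIME_SECONDS = 14 * 24 * 3600  # assumption: two weeks covers postal delivery
MAX_ATTEMPTS = 5                        # assumption: lock the code after repeated failures


@dataclass
class PendingCode:
    subject_id: str      # the Subject the letter is addressed to
    code_hash: bytes     # salted PBKDF2 of the code; the clear code exists only on paper
    salt: bytes
    expires_at: float
    attempts: int = 0
    used: bool = False


def _hash_code(code, salt):
    return hashlib.pbkdf2_hmac("sha256", code.encode("utf-8"), salt, 100_000)


class EnrollmentService:
    def __init__(self, now=time.time):
        self._now = now                 # injectable clock so expiry can be tested
        self._pending = {}              # subject_id -> PendingCode
        self.active_second_factor = set()  # Subjects whose second factor is active

    def issue_code(self, subject_id):
        """Create the code to print in the certified letter. It is returned once
        for printing and never stored or logged in clear. Issuing a new code
        replaces any earlier unused one for the same Subject."""
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        salt = secrets.token_bytes(16)
        self._pending[subject_id] = PendingCode(
            subject_id=subject_id,
            code_hash=_hash_code(code, salt),
            salt=salt,
            expires_at=self._now() + CODE_LIFETIME_SECONDS,
        )
        return code

    def redeem(self, session_subject_id, code):
        """Activate the second factor. Must be called from a session in which
        session_subject_id has already authenticated with the first factor
        (password). The record is looked up by that identity, so a letter
        addressed to one Subject can never activate a factor for another."""
        rec = self._pending.get(session_subject_id)
        if rec is None or rec.used:
            return False
        if self._now() > rec.expires_at or rec.attempts >= MAX_ATTEMPTS:
            del self._pending[session_subject_id]  # expired or locked: a new letter is needed
            return False
        rec.attempts += 1
        candidate = _hash_code(code.strip().upper(), rec.salt)
        if not hmac.compare_digest(candidate, rec.code_hash):
            return False
        rec.used = True                 # single use
        self.active_second_factor.add(session_subject_id)
        return True


if __name__ == "__main__":
    svc = EnrollmentService()
    printed = svc.issue_code("subject-123")  # this value goes into the letter
    print("redeem by another subject:", svc.redeem("subject-999", printed))
    print("redeem by the addressee:  ", svc.redeem("subject-123", printed))
    print("second use:               ", svc.redeem("subject-123", printed))
```

    The points a reviewer would check against the profile: the code is never delivered by e-mail or shown on screen, only printed into the letter; it cannot be redeemed without the Subject's first factor; it expires, is single-use and locks after a few wrong guesses; and the database never holds the clear code, so a read of the pending table does not let an insider enrol a factor for someone else.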

  • Processes for replacement of a second factor or full multi-factor MUST be documented in 5.3 Credential Renewal and Re-issuing.

    Replacement of a second factor or full multi-factor MUST be done using the same methods as listed above for Credential Issuing.

  • Processes for revocation of a second factor or full multi-factor MUST be documented in 5.4 Credential Revocation.

...