...

Guidance: The intended use of this SWAMID profile is when authentication must be done with a high assurance that it is the correct Subject that is accessing a specific service. Please note that it is possible, or even preferred, to use multi-factor authentication without this high level of assurance in a federated environment but that use does not fulfil this strong authentication profile.

3. Compliance and Audit

Evidence of compliance with this profile MUST be part of the Identity Management Practice Statement, maintained as a part of the SWAMID membership process. The Identity Management Practice Statement MUST describe how the organisation fulfils the normative parts of this document.

Audit of this profile uses the same procedures as SWAMID AL2.


The Member organisation MUST perform a successful technical validation of their Identity Provider in the official SWAMID multi-factor validation service.

Guidance: The validation service is located at https://mfa-check.swamid.se

The member organisation's Identity Provider is tagged in the SWAMID federation metadata with the assurance certification attribute: http://www.swamid.se/policy/authentication/refeds-mfa

In accordance with REFEDS MFA Profile: 

In a SAML assertion, compliance with this Strong Authentication Profile is communicated by asserting the AuthnContextClassRef: https://refeds.org/profile/mfa

4. Compliance and Audit

The Member organisation MUST be certified for SWAMID Identity Assurance Level 2 Profile [2].

Only Subjects currently at SWAMID Identity Assurance Level 2 are allowed to authenticate themselves according to this Profile.


The Member organisation MUST document valid parts regarding multi-factor in the Identity Management Practice Statement and submit the Identity Management Practice Statement for approval by SWAMID Board of Trustees.


4. Organisational Requirement

...

The purpose of this section is to define conditions and guidance regarding participating organisations' responsibilities.


The Member organisation MUST be certified for SWAMID Identity Assurance Level 2 Profile [2].

5. Operational Requirements

The purpose of this section is to define conditions and guidance regarding participating organisations' responsibilities.


A Member Organisation MUST fulfil the REFEDS MFA Profile criteria.

Guidance: Original criteria repeated from REFEDS MFA Profile for convenience.

By asserting the URI shown above (note: https://refeds.org/profile/mfa), an Identity Provider claims that:

  • The authentication of the user’s current session used a combination of at least two of the four distinct types of factors defined in ITU-T X.1254: Entity authentication assurance framework, section 3.1.3, authentication factor (something you know, something you have, something you are, something you do).
  • The factors used are independent, in that access to one factor does not by itself grant access to other factors.
  • The combination of the factors mitigates single-factor only risks related to non-real-time attacks such as phishing, offline cracking, online guessing and theft of a (single) factor.


5.1 Credential Operating Environment

...

The selected second factor or full multi-factor solution MUST be based on the Single-Factor and Multi-Factor Authenticator Types within NIST 800-63B [3].


Guidance: Choice of multi-factor technology for Strong Authentication should be documented in section 5.1 Credential Operating Environment.

Guidance: SWAMID has published a set of valid choices for second factor and full multi-factor solutions in the SWAMID wiki.


Only Subjects currently at SWAMID Identity Assurance Level 2 are allowed to authenticate themselves according to this Profile.

5.2 Credential Issuing

...this needs to be split in two, one for MFA under AL2 and one for High Assurance MFA.

...



Credential Issuing of second factor or full multi-factor at SWAMID AL2 MUST be done using one of the following methods:

  a) On-line multi-factor authenticating the Subject with SWAMID AL2 Profile or higher level using an external Identity Provider compliant with SWAMID AL2 Profile or higher

  b) In-person visit at a service desk in combination with identity proofing as defined by the Swedish Tax Agency for issuance of the Swedish Tax Agency identity card

  c) In-person visit at a service desk in combination with identity proofing with an international passport fulfilling International Civil Aviation Organization (ICAO) Doc 9303 Machine Readable Travel Documents [4], an EU/EES national identity card fulfilling the Regulation (EU) 2016/399 of the European Parliament and of the Council [5] or an EU/EES driving license fulfilling the Directive 2006/126/EC of the European Parliament and of the Council of 20 December 2006 on driving licences [6].

  d) Off-line using a registered address (sv. folkbokföringsadress) in combination with a time-limited one time password/pin code,

  e) Off-line using a copy of the same identification token as described in b) or c) above and a copy of a utility bill in combination with a time-limited one time password/pin code sent to the postal address on the utility bill, or

  f) Other equivalent identity proofing method



Credential Issuing of second factor or full multi-factor for SWAMID High Assurance MUST be done using one of the following methods:

  a) On-line multi-factor authenticating the Subject with SWAMID MFA Profile or higher level using an external Identity Provider compliant with SWAMID MFA Profile or higher

  b) In-person visit at a service desk in combination with identity proofing as defined by the Swedish Tax Agency for issuance of the Swedish Tax Agency identity card

  c) In-person visit at a service desk in combination with identity proofing with an international passport fulfilling International Civil Aviation Organization (ICAO) Doc 9303 Machine Readable Travel Documents [4], an EU/EES national identity card fulfilling the Regulation (EU) 2016/399 of the European Parliament and of the Council [5] or an EU/EES driving license fulfilling the Directive 2006/126/EC of the European Parliament and of the Council of 20 December 2006 on driving licences [6].

  d) Off-line using a certified mail to a postal address (sv. rekommenderat brev med personlig utlämning) in combination with a time-limited one time password/pin code.

  e) Off-line using a certified mail to a postal address (sv. rekommenderat brev med personlig utlämning) with a preregistered device, unique for the Subject, that will be considered as a vetted token on first use.



Guidance: Processes for issuing and assigning of credentials (second factor or full multi-factor) for Strong Authentication should be documented in 5.2 Credential Issuing (more precisely in 5.2.5).

Guidance: The second factor or full multi-factor must be issued separately to the Subject's single factor credential, i.e. password, in accordance with the REFEDS MFA Profile criteria.

Guidance: Multi-Factor solutions provided within the Swedish E-identification system fulfil the requirements for on-line multi-factor authentication and can be used for online identity vetting if allowed by the E-identification issuer. Likewise, authentication via eIDAS with assurance level substantial or high fulfils the requirements.

...


5.3 Credential Renewal and Re-issuing

...

Replacement of second factor or full multi-factor MUST be done using the same methods as listed above for Credential Issuing.

Guidance: Processes for replacement of additional factors or full multi-factor should be documented in IMPS section 5.3 Credential Renewal and Re-issuing.

5.4 Credential Revocation

...something needs to go in here...

Guidance: Processes for revocation of second factor or full multi-factor MUST be documented in 5.4 Credential Revocation.

...


6. Syntax

The member organisation's Identity Provider is tagged in the SWAMID federation metadata with the assurance certification attribute: http://www.swamid.se/policy/authentication/refeds-mfa if <proofing without ID>

The member organisation's Identity Provider is tagged in the SWAMID federation metadata with the assurance certification attribute: http://www.swamid.se/policy/authentication/high-assurance if <proofing with ID>

...we also need to add text about eduPersonAssurance for high assurance...

In accordance with REFEDS MFA Profile: 

In a SAML assertion, compliance with this Strong Authentication Profile is communicated by asserting the AuthnContextClassRef: https://refeds.org/profile/mfa
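An added example, not part of the SWAMID profile text or of any SWAMID tooling: the two checks a Service Provider should apply before treating a login as Strong Authentication under this profile, namely that the issuing IdP carries the assurance certification tag in federation metadata and that the assertion itself asserts the REFEDS MFA AuthnContextClassRef. It assumes the tag is published as a value of the standard SAML assurance-certification entity attribute, and the metadata and assertion XML are constructed samples with placeholder entityIDs.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ASSURANCE_CERT = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
SWAMID_MFA_TAG = "http://www.swamid.se/policy/authentication/refeds-mfa"
REFEDS_MFA = "https://refeds.org/profile/mfa"

# Constructed metadata sample; the entityIDs are placeholders, not real IdPs.
METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <md:EntityDescriptor entityID="https://idp.example.org/idp"><md:Extensions>
  <mdattr:EntityAttributes><saml:Attribute
    Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
   <saml:AttributeValue>http://www.swamid.se/policy/authentication/refeds-mfa</saml:AttributeValue>
  </saml:Attribute></mdattr:EntityAttributes>
 </md:Extensions></md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://idp-untagged.example.org/idp"/>
</md:EntitiesDescriptor>"""

def assertion(issuer, ctx):
    # Constructed minimal assertion containing only the elements this check reads.
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Issuer>{issuer}</saml:Issuer><saml:AuthnStatement><saml:AuthnContext>
 <saml:AuthnContextClassRef>{ctx}</saml:AuthnContextClassRef>
 </saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"""

def idp_tagged_for_mfa(metadata_xml, entity_id):
    # The SWAMID tag is a value of the assurance-certification entity attribute.
    path = ("md:Extensions/mdattr:EntityAttributes/saml:Attribute"
            f"[@Name='{ASSURANCE_CERT}']/saml:AttributeValue")
    for ed in ET.fromstring(metadata_xml).iterfind("md:EntityDescriptor", NS):
        if ed.get("entityID") == entity_id:
            return any((v.text or "").strip() == SWAMID_MFA_TAG
                       for v in ed.iterfind(path, NS))
    return False  # unknown IdP: never treat its claims as strong authentication

def assertion_claims_mfa(assertion_xml):
    # Exact match on the REFEDS MFA URI; any other class ref is not MFA.
    root = ET.fromstring(assertion_xml)
    refs = root.iterfind("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return any((r.text or "").strip() == REFEDS_MFA for r in refs)

def strong_auth_ok(metadata_xml, assertion_xml):
    # Both conditions must hold; signature verification is assumed to happen earlier.
    issuer = ET.fromstring(assertion_xml).findtext("saml:Issuer", namespaces=NS)
    return idp_tagged_for_mfa(metadata_xml, issuer) and assertion_claims_mfa(assertion_xml)
```

The metadata check stops an IdP that has not passed SWAMID validation from being believed merely because it emits the REFEDS MFA class ref; the assertion check stops a certified IdP's single-factor logins from being accepted as strong.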


...

References

[1] REFEDS Multi-Factor Authentication (MFA) Profile, https://refeds.org/profile/mfa

...