...

Warning: Draft

This is a SWAMID working draft for discussion within the community. This profile may be changed after discussion!


1. Terminology and Typographical Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

...

The non-normative parts (guidance) are maintained by the SWAMID operations team.

1.1 Definition of terminology

Home Organisation: The SWAMID Member Organisation with which a Subject is affiliated, operating the Identity Provider by itself or through a third party.

...

Full multi-factor: A complete new set of credentials assigned to the Subject in order to give the Subject the ability to use multi-factor authentication. This new set of credentials is itself composed of at least two factors bound together in one authenticator (e.g. a smart card that is activated by a PIN) and does not depend in any way on the memorised secret the Subject normally uses, i.e. the Subject's password.


2. Purpose, Scope and Summary 


This document defines how a SWAMID member organisation SHOULD implement a Strong Authentication solution in order to be certified by SWAMID for Strong Authentication in a federated environment. Strong Authentication combines the use of multi-factor authentication with a high assurance that the multi-factor authenticator has been distributed to the intended Subject.

...

Guidance: The intended use of this SWAMID profile is when authentication must be done with a high assurance that it is the correct Subject that is accessing a specific service. Please note that it is possible, or even preferred, to use multi-factor authentication without this high level of assurance in a federated environment, but such use does not fulfil this strong authentication profile.

3. Compliance and Audit

Evidence of compliance with this profile MUST be part of the Identity Management Practice Statement, maintained as a part of the SWAMID membership process. The Identity Management Practice Statement MUST describe how the organisation fulfils the normative parts of this document.

...

The Member organisation MUST document the relevant parts regarding multi-factor authentication in the Identity Management Practice Statement and submit the Identity Management Practice Statement for approval by the SWAMID Board of Trustees.


4. Organisational Requirement

The purpose of this section is to define conditions and guidance regarding participating organisations' responsibilities.

...

The Member organisation MUST be certified for SWAMID Identity Assurance Level 2 Profile [2].

5. Operational Requirements

The purpose of this section is to define conditions and guidance regarding participating organisations' responsibilities.

...

  • The authentication of the user’s current session used a combination of at least two of the four distinct types of factors defined in ITU-T X.1254: Entity authentication assurance framework, section 3.1.3, authentication factor (something you know, something you have, something you are, something you do).
  • The factors used are independent, in that access to one factor does not by itself grant access to other factors.
  • The combination of the factors mitigates single-factor-only risks related to non-real-time attacks such as phishing, offline cracking, online guessing and theft of a (single) factor.


5.1 Credential Operating Environment

The selected second factor or full multi-factor solution MUST be based on the Single-Factor and Multi-Factor Authenticator Types within NIST 800-63B [3].

...

Only Subjects currently at SWAMID Identity Assurance Level 2 are allowed to authenticate themselves according to this Profile.

5.2 Credential Issuing

...this needs to be split into two, one for MFA under AL2 and one for High Assurance MFA...

...

Guidance a: Multi-factor solutions provided within the Swedish E-identification system fulfil the requirements for online multi-factor authentication and can be used for online identity vetting if allowed by the E-identification issuer. Likewise, authentication via eIDAS at assurance level substantial or high fulfils the requirements.


5.3 Credential Renewal and Re-issuing

Replacement of second factor or full multi-factor MUST be done using the same methods as listed above for Credential Issuing.

Guidance: Processes for replacement of additional factors or full multi-factor should be documented in IMPS section 5.3 Credential Renewal and Re-issuing.

5.4 Credential Revocation

...something needs to go in here...

Guidance: Processes for revocation of a second factor or full multi-factor MUST be documented in IMPS section 5.4 Credential Revocation.


6. Syntax

The member organisation's Identity Provider is tagged in the SWAMID federation metadata with the assurance certification attribute: http://www.swamid.se/policy/authentication/refeds-mfa if <proofing without ID>

...

In a SAML assertion, compliance with this Strong Authentication Profile is communicated by asserting the AuthnContextClassRef: https://refeds.org/profile/mfa
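The two signals above only mean something when a Service Provider actually checks both of them: that the issuing Identity Provider is tagged in federation metadata as certified for http://www.swamid.se/policy/authentication/refeds-mfa, and that the assertion it received carries exactly https://refeds.org/profile/mfa as AuthnContextClassRef. The following Python is an added example written for this page, not SWAMID or REFEDS code. It assumes the tag is carried as the standard SAML V2.0 Identity Assurance Profiles entity attribute named urn:oasis:names:tc:SAML:attribute:assurance-certification (the page only calls it "the assurance certification attribute"); the entityIDs and the metadata and assertion documents are constructed inline for illustration, and XML signature validation is assumed to have been done before these checks.

```python
"""Added example: SP-side checks for the two section 6 signals.

Assumptions (not stated on the SWAMID page):
- the certification is an entity attribute named
  urn:oasis:names:tc:SAML:attribute:assurance-certification
- entityIDs and documents below are constructed samples
- signature validation of metadata and assertion happens before this
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ASSURANCE_CERT_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
SWAMID_MFA_CERT = "http://www.swamid.se/policy/authentication/refeds-mfa"
REFEDS_MFA = "https://refeds.org/profile/mfa"
PASSWORD_ONLY = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed sample federation metadata: one IdP tagged as certified,
# one IdP without any assurance-certification tag.
METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://idp.example.se/idp">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>http://www.swamid.se/policy/authentication/refeds-mfa</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.other.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def sample_assertion(issuer, context):
    """Build a constructed (unsigned) assertion with one AuthnStatement."""
    return """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>%s</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>""" % (issuer, context)


def certified_for(metadata_xml, entity_id, certification):
    """True if the EntityDescriptor for entity_id carries the given
    assurance-certification value as an entity attribute."""
    root = ET.fromstring(metadata_xml)
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if ed.get("entityID") != entity_id:
            continue
        path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
        for attr in ed.iterfind(path, NS):
            if attr.get("Name") != ASSURANCE_CERT_ATTR:
                continue
            values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
            if certification in values:
                return True
    return False


def asserted_context(assertion_xml):
    """Return the AuthnContextClassRef of the assertion, or None."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return ref.text.strip() if ref is not None and ref.text else None


def accept_as_strong_auth(metadata_xml, assertion_xml):
    """Accept only if the issuer is tagged for refeds-mfa in metadata AND
    the assertion's context is exactly the REFEDS MFA class. An MFA
    context from an untagged IdP, or a password-only context from a
    tagged IdP, is rejected."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if not certified_for(metadata_xml, issuer, SWAMID_MFA_CERT):
        return False
    return asserted_context(assertion_xml) == REFEDS_MFA


if __name__ == "__main__":
    for issuer, ctx in [("https://idp.example.se/idp", REFEDS_MFA),
                        ("https://idp.example.se/idp", PASSWORD_ONLY),
                        ("https://idp.other.example/idp", REFEDS_MFA)]:
        print(issuer, ctx, "->", accept_as_strong_auth(METADATA, sample_assertion(issuer, ctx)))
```

The point of checking both signals is that the AuthnContextClassRef alone is just a string any IdP can emit; the metadata tag is what ties it to SWAMID's certification, and the exact string comparison is what stops a downgraded (password-only) session from being treated as Strong Authentication.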

7. References

[1] REFEDS Multi-Factor Authentication (MFA) Profile, https://refeds.org/profile/mfa

...