...

Identity Provider (IdP): The system component that issues Attribute assertions on behalf of Subjects, who use them to access the services of a Relying Party.

Strong Authentication: A combination of multi-factor authentication and a high assurance that the multi-factor authenticator is distributed to the intended Subject.

Second factor: A second, independent factor that is used in addition to the Subject's first factor in order to give the Subject the ability to use multi-factor authentication. Normally this means adding a second factor where the Subject's first factor is a memorised secret, i.e. a password, or a biometric, e.g. fingerprints.

Full multi-factor: A complete new set of credentials assigned to the Subject in order to provide the Subject with the ability to use multi-factor authentication. This new set of credentials is by itself composed of at least two dependent factors (e.g. a smart card) and does not depend in any way on the normally used memorised secret, i.e. a password, belonging to the Subject.

...

This document defines how a SWAMID member organisation SHOULD implement a Strong Authentication multi-factor solution in order to be certified by SWAMID for Strong Authentication person-proofed multi-factor authentication in a federated environment. A Strong Authentication person-proofed second factor or a person-proofed full multi-factor combines the use of multi-factor authentication with a high assurance that the multi-factor authenticator is distributed to the intended Subject.

There are two levels of identity assurance defined for person-proofed identity assurance in this document: one based on the identity proofing in the SWAMID Identity Assurance Level 2 Profile [1], and one extended with identity proofing based on a defined set of identity cards and passports.

This SWAMID Person-Proofed Multi-Factor Profile is a Swedish Higher Education Institution extension to the REFEDS Multi-Factor Authentication (MFA) Profile [12].


Guidance: The intended use of this SWAMID profile is when authentication must be done with a high assurance that it is the correct Subject that is accessing a specific service. Please note that it is possible, or even preferred, to use multi-factor authentication without this high level of identity assurance in a federated environment, but that use does not fulfil this strong authentication person-proofed multi-factor profile.

3. Compliance and Audit

Evidence of compliance with this profile MUST be part of the Identity Management Practice Statement (IMPS), maintained as a part of the SWAMID membership process. The Identity Management Practice Statement MUST describe how the organisation fulfils the normative parts of this document.

Audit of this profile uses the same procedures as for SWAMID AL2. The Member organisation MUST perform a successful technical validation of their Identity Provider in the official SWAMID multi-factor validation service.


Guidance: The validation service is located at https://mfa-check.swamid.se

The Member organisation MUST document the relevant parts regarding multi-factor authentication in the Identity Management Practice Statement and submit the Identity Management Practice Statement for approval by the SWAMID Board of Trustees.


4. Organisational Requirement


...

The purpose of this section is to define conditions and guidance regarding participating organisations' responsibilities regarding the use of person-proofed multi-factor authentication.


Only Subjects currently at SWAMID Identity Assurance Level 2 are allowed to authenticate themselves according to this Profile.

A Member Organisation MUST fulfil the REFEDS MFA Profile criteria.


Guidance: Original criteria repeated from the REFEDS MFA Profile for convenience:

...

  • The authentication of the user’s current session used a combination of at least two of the four distinct types of factors defined in ITU-T X.1254: Entity authentication assurance framework, section 3.1.3, authentication factor (something you know, something you have, something you are, something you do).
  • The factors used are independent, in that access to one factor does not by itself grant access to other factors.
  • The combination of the factors mitigates single-factor only risks related to non-real-time attacks such as phishing, offline cracking, online guessing and theft of a (single) factor.


5.1 Credential Operating Environment

The selected second factor or full multi-factor solution MUST be based on the Single-Factor and Multi-Factor Authenticator Types within NIST 800-63B [3].

Second factor (together with a memorised secret or a biometric)

  • Single-Factor OTP Device
  • Single-Factor Cryptographic Software
  • Single-Factor Cryptographic Device

Full multi-factor

  • Multi-Factor OTP Device
  • Multi-Factor Cryptographic Software
  • Multi-Factor Cryptographic Device


Guidance: The choice of multi-factor technology for Strong Authentication should be documented together with the use of passwords in IMPS section 5.1 Credential Operating Environment.

Single-Factor and Multi-Factor OTP Devices have the same weakness to social engineering as passwords, but one OTP code can only be used once, and if a time-based OTP (TOTP) solution is used the risk is further reduced, although not negligible.

Guidance: SWAMID has published a set of valid choices for second factor and full multi-factor solutions in the SWAMID wiki.


5.2 Credential Issuing

...this needs to be split in two, one for MFA under AL2 and one for High Assurance MFA...

...