...

Processes for issuing and assigning of multi-factor credentials (second factor or full multi-factor) should be documented together with the use of password in the IMPS, section 5.2.

5.2.1

...

Multi-Factor Issuing based on SWAMID Identity Assurance Level 2 Profile (SWAMID AL2MFA)

Credential Issuing of second factor or full multi-factor at SWAMID AL2 MUST be done using one of the following methods:

  1. On-line authenticating the Subject with SWAMID Personusing a multi-factor issued according to SWAMID Person-Proofed Multi-Factor Profile using an external Identity Provider compliant with the SWAMID Person-Proofed Multi-Factor , or a comparable multi-factor authentication, using an external Identity ProviderProfile,
  2. On-line authenticating the Subject using a multi-factor issued according to the Swedish E-identification system using an external Identity Provider compliant with the Swedish E-identification Level of Assurance 2 or higher,
  3. In-person visit at a service desk in combination with identity proofing as defined by the Swedish Tax Agency for issuance of the Swedish Tax Agency identity card,
  4. In-person visit at a service desk in combination with identity proofing with an international passport fulfilling ICAO Doc 9303, an EU/EES national identity card fulfilling the European Commission Regulation No 562/2006 or an EU/EES driving license fulfilling the European Parliament and the Council of European Union Directive 2006/126/EC,
  5. Off-line using a registered address (sv. folkbokföringsadress) in combination with a time-limited one time password/pin code,
  6. Off-line using a copy of the same identification token as described in 2 3 or 3 4 above and a copy of a utility bill in combination with a time-limited one time password/pin code sent to the postal address on the utility bill, or
  7. Other equivalent identity proofing method


Guidance

Multi-Factor solutions provided within the Swedish E-identification system can be used for online identity proofing if allowed by the E-identification issuer. Likewise, authentication via eIDAS with assurance level substantial or high fulfills the requirements.

5.2.2

...

Multi-Factor Issuing based on SWAMID Identity Assurance Level 2 Profile with extended identity verification

...

(SWAMID IDMFA)

Credential Issuing of second factor or full multi-factor for SWAMID High Assurance MUST be done using one of the following methods:

  1. On-line authenticating the Subject with SWAMID Person-Proofed Multi-Factor with identity card verification, or a comparable multi-factor authentication, using an external Identity Provider compliant with SWAMID Identity Assurance Level 2 Profile Provider compliant with the SWAMID Person-Proofed Multi-Factor Profile or higher,
  2. On-line authenticating the Subject using a multi-factor issued according to the Swedish E-identification system using an external Identity Provider compliant with the Swedish E-identification Level of Assurance 3 or higher,
  3. In-person visit at a service desk in combination with identity proofing as defined by the Swedish Tax Agency for issuance of the Swedish Tax Agency identity card,
  4. In-person visit at a service desk in combination with identity proofing with an international passport fulfilling International Civil Aviation Organization (ICAO) Doc 9303 Machine Readable Travel Documents [4], an EU/EES national identity card fulfilling the Regulation (EU) 2016/399 of the European Parliament and of the Council [5] or an EU/EES driving license fulfilling the Directive 2006/126/EC of the European Parliament and of the Council of 20 December 2006 on driving licences [6],
  5. Off-line using a certified mail to a postal address (sv. rekommenderat brev med personlig utlämning) in combination with a time-limited one time password/pin code, or
  6. Off-line using a certified mail to a postal address (sv. rekommenderat brev med personlig utlämning) with a preregistered device, unique for the Subject, that will be considered as a vetted token on first use.


Guidance

Multi-Factor solutions provided within the Swedish E-identification system fulfil the requirements for on-line multi-factor authentication and can be used for online identity proofing if allowed by the E-identification issuer. Likewise, authentication via eIDAS with assurance level substantial or high fulfills the requirements.


Guidance: The second factor or full multi-factor must be issued separately from the Subject's single-factor credential, i.e. password, in accordance with the REFEDS MFA Profile criteria.

...