Versions Compared
...

There are two levels of identity proofing assurance defined for issuing person-proofed multi-factors in this profile: one based on the identity proofing in SWAMID Identity Assurance Level 2 Profile (SWAMID AL2) [1], and one with a high identity proofing assurance based on identity verification with a defined set of identity cards and passports.

...

5.1 Credential Operating Environment

The purpose of this subsection is to ensure adequate strength of Subject credentials and protection against common attack vectors.

The selected second factor or full multi-factor solution MUST be based on the Single-Factor and Multi-Factor Authenticator Types within NIST 800-63B [3].

...

SWAMID has published a set of valid choices for second factor and full multi-factor solutions in the SWAMID wiki.


5.2 Credential Issuing

The purpose of this subsection is to ensure that the Identity Provider has control over the issuing process of the multi-factor.

The second factor or full multi-factor must be issued separately from the Subject's single factor credential, i.e. password, in accordance with the REFEDS MFA Profile criteria.

[Editor's note: this needs to be split in two, one for MFA under AL2 and one for High Assurance MFA.]

<text about two levels>

Guidance

Processes for issuing and assigning multi-factor credentials (second factor or full multi-factor) should be documented together with the use of passwords in the IMPS, section 5.2.

5.2.1 Multi-Factor Issuing based on SWAMID Identity Assurance Level 2 Profile (SWAMID MFA-AL2)

Credential Issuing of second factor or full multi-factor at SWAMID AL2 MUST be done using one of the following methods:

  1. On-line authenticating the Subject using a multi-factor issued according to SWAMID Person-Proofed Multi-Factor Profile using an external Identity Provider compliant with the SWAMID Person-Proofed Multi-Factor Profile,
  2. On-line authenticating the Subject using a multi-factor issued according to the Swedish E-identification system using an external Identity Provider compliant with the Swedish E-identification Level of Assurance 2 or higher,
  3. In-person visit at a service desk in combination with identity proofing as defined by the Swedish Tax Agency for issuance of the Swedish Tax Agency identity card,
  4. In-person visit at a service desk in combination with identity proofing with an international passport fulfilling ICAO Doc 9303, an EU/EES national identity card fulfilling the European Commission Regulation No 562/2006 or an EU/EES driving license fulfilling the European Parliament and the Council of European Union Directive 2006/126/EC,
  5. Off-line using a registered address (sv. folkbokföringsadress) in combination with a time-limited one time password/pin code,
  6. Off-line using a copy of the same identification token as described in 3 or 4 above and a copy of a utility bill in combination with a time-limited one time password/pin code sent to the postal address on the utility bill, or
  7. Other equivalent identity proofing method deemed equivalent by SWAMID Board of Trustees.


Guidance

Please observe that not all Identity Providers within the Swedish E-identification system can be used for online identity proofing.

If you are using Identity Providers within the Swedish E-identification system you must also accept authentication via eIDAS with assurance level substantial or high if you can bind the identity of the Subject.

5.2.2 Multi-Factor Issuing based on SWAMID Identity Assurance Level 2 Profile and with high identity assurance (SWAMID MFA-HIA)

Credential Issuing of second factor or full multi-factor for SWAMID High Assurance MUST be done using one of the following methods:

  1. On-line authenticating the Subject using a multi-factor issued according to SWAMID Person-Proofed Multi-Factor Profile with high identity assurance, using an external Identity Provider compliant with the SWAMID Person-Proofed Multi-Factor Profile,
  2. On-line authenticating the Subject using a multi-factor issued according to the Swedish E-identification system using an external Identity Provider compliant with the Swedish E-identification Level of Assurance 3 or higher,
  3. In-person visit at a service desk in combination with identity proofing as defined by the Swedish Tax Agency for issuance of the Swedish Tax Agency identity card,
  4. In-person visit at a service desk in combination with identity proofing with an international passport fulfilling International Civil Aviation Organization (ICAO) Doc 9303 Machine Readable Travel Documents [4], an EU/EES national identity card fulfilling the Regulation (EU) 2016/399 of the European Parliament and of the Council [5] or an EU/EES driving license fulfilling the Directive 2006/126/EC of the European Parliament and of the Council of 20 December 2006 on driving licences [6],
  5. Off-line using certified mail to a postal address (sv. rekommenderat brev med personlig utlämning) in combination with a time-limited one time password/pin code, or
  6. Off-line using certified mail to a postal address (sv. rekommenderat brev med personlig utlämning) with a preregistered device, unique for the Subject, that will be considered as a vetted token on first use.


Guidance

Please observe that not all Identity Providers within the Swedish E-identification system can be used for online identity proofing.

If you are using Identity Providers within the Swedish E-identification system you must also accept authentication via eIDAS with assurance level substantial or high if you can bind the identity of the Subject.


5.3 Credential Renewal and Re-issuing

Renewal of credentials occurs when the Subject changes its credential using a normal password reset. Re-issuing occurs when credentials have been invalidated.


Replacement of second factor or full multi-factor MUST be done using the same methods as listed above for Credential Issuing.


Guidance

Processes for replacement of additional factors or full multi-factor should be documented in IMPS section 5.3 Credential Renewal and Re-issuing.

5.4 Credential Revocation

The purpose of this subsection is to ensure that credentials can be revoked.


...something needs to be added here...

...