
...

Single-Factor and Multi-Factor OTP Devices are susceptible to social engineering in much the same way as passwords (a code obtained from the Subject can still be used by the attacker while it is valid), but each OTP code can only be used once, and if a time-based OTP (TOTP) solution is used the risk is further reduced, although not to a negligible level. The use of OTP devices will be deprecated in 2025, or earlier, due to the risks with the technology.

SWAMID has published a set of valid choices for second factors and full multi-factor solutions in the SWAMID wiki.

...

Processes for issuing and assigning multi-factor credentials (second factor or full multi-factor) should be documented together with the initial credential issuing in the IMPS, section 5.2.

...

Replacement of a second factor or full multi-factor MUST be done using the same methods as listed above for Credential Issuing.

A Subject can replace, or add a second, multi-factor by authenticating with the current multi-factor, i.e. password plus second factor or full multi-factor.

  • If the Subject demonstrates possession of the current multi-factor, the multi-factor may be replaced "online".


Guidance

Processes for replacement of second factors or full multi-factors should be documented in the IMPS, section 5.3.

Even though there are no special criteria for a Subject changing password while a second factor or full multi-factor is in use, it is recommended that the Subject prove possession of both the password and the second factor when changing the password, i.e. a password change requires both the old password and the second factor.

5.4 Credential Revocation

...

Processes for revocation of second factors or full multi-factors should be documented in the IMPS, section 5.4.


6. Syntax

Identity Providers are marked in SAML metadata with an Assurance Certification entity attribute.

If a member organisation's Identity Provider is approved for Person-Proofed Multi-Factor it is tagged in the SWAMID federation metadata with the assurance certification attribute value http://www.swamid.se/policy/authentication/swamid-p2mfa

If a member organisation's Identity Provider is approved for Person-Proofed Multi-Factor with high identity assurance it is tagged in the SWAMID federation metadata with the assurance certification attribute value http://www.swamid.se/policy/authentication/swamid-p2mfa-hia (and http://www.swamid.se/policy/authentication/swamid-p2mfa).

...we must also add text about eduPersonAssurance for high assurance...


In accordance with the REFEDS MFA Profile:

  • In a SAML assertion compliant with this SWAMID Person-Proofed Multi-Factor Profile (with or without high identity assurance), a performed multi-factor authentication is communicated by the Identity Provider asserting the AuthnContextClassRef https://refeds.org/profile/mfa.
  • In a SAML authentication request a Relying Party can request multi-factor authentication by adding a RequestedAuthnContext with the AuthnContextClassRef https://refeds.org/profile/mfa to the authentication request.


When a multi-factor authentication is performed according to Person-Proofed Multi-Factor with high identity assurance, the Identity Provider MUST add the value http://www.swamid.se/policy/authentication/swamid-p2mfa-hia to the attribute eduPersonAssurance. This is the only way a Relying Party can distinguish between the two levels of multi-factor identity assurance within this profile; the AuthnContextClassRef alone is the same for both.


Guidance

The eduPersonAssurance value for Person-Proofed Multi-Factor with high identity assurance should only be released if a multi-factor authentication actually occurred in the session being asserted.
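The following is an added example, not part of the SWAMID profile text or any SWAMID or REFEDS software, showing how a Relying Party would apply section 6 end to end: read the assurance certification entity attribute from an IdP's metadata, build the RequestedAuthnContext for https://refeds.org/profile/mfa, and decide from an assertion which level (if any) was proved. The metadata, the entityID https://idp.example.org/idp and the assertions are constructed for the demonstration. The function names are the example's own. Per the Guidance above, an eduPersonAssurance value of swamid-p2mfa-hia is ignored unless the REFEDS MFA AuthnContextClassRef is present, and neither level is accepted from an IdP whose metadata lacks the matching certification.

```python
"""Added example: checking SWAMID Person-Proofed Multi-Factor signalling in SAML.

All sample XML below is constructed for the demonstration (no real SWAMID
metadata, no real IdP response) so the script runs offline.
"""
import xml.etree.ElementTree as ET
from typing import Optional, Set, Tuple

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
# Entity attribute that carries assurance certifications in federation metadata.
ASSURANCE_CERT = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
# eduPersonAssurance, by OID as it is named in a SAML assertion.
EDU_PERSON_ASSURANCE = "urn:oid:1.3.6.1.4.1.5923.1.1.1.11"
REFEDS_MFA = "https://refeds.org/profile/mfa"
P2MFA = "http://www.swamid.se/policy/authentication/swamid-p2mfa"
P2MFA_HIA = "http://www.swamid.se/policy/authentication/swamid-p2mfa-hia"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Constructed metadata for a hypothetical IdP tagged for both levels
# (an IdP approved for high identity assurance carries both values).
METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:mdattr="{NS['mdattr']}"
    xmlns:saml="{NS['saml']}" entityID="https://idp.example.org/idp">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="{ASSURANCE_CERT}" NameFormat="{URI_FORMAT}">
        <saml:AttributeValue>{P2MFA}</saml:AttributeValue>
        <saml:AttributeValue>{P2MFA_HIA}</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
</md:EntityDescriptor>"""


def assurance_certifications(metadata_xml: str) -> Set[str]:
    """Return the assurance-certification values an IdP carries in its metadata."""
    root = ET.fromstring(metadata_xml)
    values: Set[str] = set()
    for attr in root.iterfind("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ASSURANCE_CERT:
            values.update(v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text)
    return values


def requested_authn_context() -> str:
    """RequestedAuthnContext element an RP puts in its AuthnRequest to ask for MFA."""
    return (f'<samlp:RequestedAuthnContext xmlns:samlp="{NS["samlp"]}" '
            f'xmlns:saml="{NS["saml"]}" Comparison="exact">'
            f'<saml:AuthnContextClassRef>{REFEDS_MFA}</saml:AuthnContextClassRef>'
            '</samlp:RequestedAuthnContext>')


def sample_assertion(authn_context: str, assurance_values: Tuple[str, ...]) -> str:
    """Constructed (unsigned) assertion for the demonstration; not a real IdP response."""
    values = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in assurance_values)
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" Version="2.0" ID="_1" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>{authn_context}</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="{EDU_PERSON_ASSURANCE}" NameFormat="{URI_FORMAT}">{values}</saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def p2mfa_level(assertion_xml: str, idp_certifications: Set[str]) -> Optional[str]:
    """Decide which SWAMID P2MFA level an assertion proves: 'p2mfa-hia', 'p2mfa' or None.

    Rules from section 6: MFA is signalled only by the REFEDS MFA AuthnContextClassRef;
    high identity assurance additionally requires swamid-p2mfa-hia in eduPersonAssurance;
    a level is trusted only from an IdP whose metadata carries the matching certification.
    Signature validation is assumed to have happened before this check.
    """
    root = ET.fromstring(assertion_xml)
    ctx = root.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if ctx is None or (ctx.text or "").strip() != REFEDS_MFA:
        return None  # no MFA performed, whatever eduPersonAssurance claims
    assurance: Set[str] = set()
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EDU_PERSON_ASSURANCE:
            assurance.update(v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text)
    if P2MFA_HIA in assurance and P2MFA_HIA in idp_certifications:
        return "p2mfa-hia"
    if P2MFA in idp_certifications:
        return "p2mfa"
    return None  # MFA happened, but this IdP is not certified under the profile


if __name__ == "__main__":
    certs = assurance_certifications(METADATA)
    print("IdP certifications:", sorted(certs))
    print(requested_authn_context())
    password_ctx = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
    for ctx, vals in [(REFEDS_MFA, (P2MFA_HIA,)), (REFEDS_MFA, ()), (password_ctx, (P2MFA_HIA,))]:
        print(ctx.rsplit("/", 1)[-1], vals, "->", p2mfa_level(sample_assertion(ctx, vals), certs))
```

The third sample case is the one the Guidance warns about: an eduPersonAssurance value of swamid-p2mfa-hia arriving with a password-only authentication context is not treated as high-assurance MFA, and the last rule in p2mfa_level shows why the Relying Party must also consult the metadata tag rather than the assertion alone.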

