...
A multi-factor authenticator issued and proofed to a Subject fulfilling the requirements of the SWAMID Identity Assurance Level 2 Profile with additional identity proofing requirements for on-line proofing.
Person-Proofed Multi-Factor with high identity assurance (SWAMID P2MFA-HIA)
...
If a member organisation's Identity Provider is approved for Person-Proofed Multi-Factor, the Identity Provider is tagged in the SWAMID metadata with the assurance certification attribute http://www.swamid.se/policy/authentication/swamid-p2mfa.
If a member organisation's Identity Provider is in addition approved for Person-Proofed Multi-Factor with high identity assurance, the Identity Provider is also tagged in the SWAMID metadata with the assurance certification attribute http://www.swamid.se/policy/authentication/swamid-p2mfa-hia (in addition to http://www.swamid.se/policy/authentication/swamid-p2mfa).
In accordance with REFEDS MFA Profile:
- In a SAML assertion, in compliance with this Person-Proofed Multi-Factor Profile or Person-Proofed Multi-Factor with high identity assurance, a performed multi-factor authentication is communicated by the Identity Provider asserting the AuthnContextClassRef https://refeds.org/profile/mfa.
- In a SAML authentication request a Relying Party can request multi-factor authentication by adding AuthnContextClassRef https://refeds.org/profile/mfa to the authentication request.
When a Subject performs a multi-factor authentication based on Person-Proofed Multi-Factor with high identity assurance, the Identity Provider MUST add the value http://www.swamid.se/policy/authentication/swamid-p2mfa-hia to the attribute eduPersonAssurance. This is the only way a Relying Party can distinguish between the two identity proofing levels of multi-factor authentication within this profile.
Guidance
The eduPersonAssurance value for Person-Proofed Multi-Factor with high identity assurance should only be released if a multi-factor authentication occurred.
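As an added illustration (not part of the SWAMID profile text), the following Relying Party side check combines the three signals described above: the IdP's assurance certification from federation metadata, the REFEDS MFA AuthnContextClassRef in the assertion, and the swamid-p2mfa-hia value in eduPersonAssurance. The embedded assertion is constructed for the example, and the certification set is assumed to have been read from the IdP's SWAMID metadata entity attributes beforehand; the eduPersonAssurance attribute is referenced by its urn:oid name.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REFEDS_MFA = "https://refeds.org/profile/mfa"
SWAMID_P2MFA = "http://www.swamid.se/policy/authentication/swamid-p2mfa"
SWAMID_P2MFA_HIA = "http://www.swamid.se/policy/authentication/swamid-p2mfa-hia"
EDUPERSON_ASSURANCE = "urn:oid:1.3.6.1.4.1.5923.1.1.1.11"  # eduPersonAssurance

# Constructed sample assertion: MFA context asserted, HIA value released.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnStatement><saml:AuthnContext>
    <saml:AuthnContextClassRef>https://refeds.org/profile/mfa</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11">
      <saml:AttributeValue>http://www.swamid.se/policy/authentication/swamid-p2mfa-hia</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def authn_context_classes(assertion):
    """All AuthnContextClassRef values the IdP asserted for this authentication."""
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return {e.text.strip() for e in assertion.findall(path, NS) if e.text}


def attribute_values(assertion, name):
    """All values of the named attribute in the AttributeStatement(s)."""
    values = set()
    for attr in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            values.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return values


def p2mfa_level(assertion_xml, idp_certifications):
    """Return 'p2mfa-hia', 'p2mfa', or None (no trusted P2MFA-level authentication).

    idp_certifications is the set of assurance certification URIs tagged on the
    IdP in SWAMID metadata (assumed to have been parsed earlier)."""
    assertion = ET.fromstring(assertion_xml)
    if REFEDS_MFA not in authn_context_classes(assertion):
        return None  # no MFA asserted: an HIA value alone must not be honoured
    if SWAMID_P2MFA not in idp_certifications:
        return None  # IdP is not approved for the profile at all
    assurance = attribute_values(assertion, EDUPERSON_ASSURANCE)
    if SWAMID_P2MFA_HIA in assurance and SWAMID_P2MFA_HIA in idp_certifications:
        return "p2mfa-hia"
    return "p2mfa"
```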
...