...

Replacement of second factor or full multi-factor MUST be done using the same methods as listed above for Credential Issuing.

Guidance

Processes for replacement of second factors or full multi-factors should be documented in the IMPS, section 5.3.

By doing a multi-factor authentication according to this profile a Subject can replace the currently issued multi-factor or add a second multi-factor at the same identity proofing level as the Subject's currently issued multi-factor .

Guidance

Processes for replacement of second factors or full multi-factors should be documented in the IMPS, section 5.3as long as the used multi-factor authentication is on the same level or higher.

Even though there is no special criteria for a Subject changing password when a second multi-factor is in use it is recommended that the Subject proof possession of both password and second factor when the Subject changes the password.

...

• Stop the Subject's ability to use multi-factor authentication,
• Stop the use of multi-factor authentication if the second factor or full multi-factor has been compromised, or
• Allow the Subject to replace the second factor or full multi-factor.
  

The Member Organisation MUST revoke a second factor or full multi-factor along with all other credentials belonging to the Subject when the Subject is no longer affiliated with the Member Organisation. (Detta krav ställer vi inte idag, är det något vi vill ställa krav på? Det ger problem för de lärosäten med "för alltid konton.)

Guidance

Processes for revocation of second factors or full multi-factors should be documented in the IMPS, section 5.4.

...