Versions Compared


...

The non-normative guidance is maintained by the SWAMID Operations team.

1.1 Definition of terminology

...

The purpose of this subsection is to ensure that the Identity Provider has control over the issuing process of the multi-factor.

Any existing Credential (for example a password) belonging to the Subject MUST NOT be used in the identity proofing in accordance with the REFEDS MFA Profile criteria.

Different Subjects within an Identity Provider MAY use single factor authentication and multi-factor authentication independently of each other.

The second factor or full multi-factor must be issued to the Subjects without using the current single factor credential, i.e. password, for identity proofing in accordance with the REFEDS MFA Profile criteria.

Not all Subjects within an Identity Provider need to use the same credential types: some may only use passwords, some Person-Proofed Multi-Factors, and some Person-Proofed Multi-Factors with high identity assurance. A Subject can also have multiple credential types at the same time. It is however important that the Home Organisation maintains a record of the credential types a Subject can use and can correctly inform Relying Parties about the credential type used if requested by the Relying Party.

Person-Proofed Multi-Factor (SWAMID P2MFA)

...

  1. On-line authenticating the Subject using a Person-Proofed Multi-Factor, or higher, using an external Identity Provider compliant with the SWAMID Person-Proofed Multi-Factor Profile,
  2. On-line authenticating the Subject using a multi-factor issued according to the Swedish E-identification system using an external Identity Provider compliant with the Swedish E-identification Level of Assurance 2 or higher,
  3. In-person visit at a service desk in combination with identity proofing as defined by the Swedish Tax Agency for issuance of the Swedish Tax Agency identity card,
  4. In-person visit at a service desk in combination with identity proofing with an international passport fulfilling ICAO Doc 9303, an EU/EES national identity card fulfilling the European Commission Regulation No 562/2006 or an EU/EES driving license fulfilling the European Parliament and the Council of the European Union Directive 2006/126/EC,
  5. Off-line using a postal registered address (sv. folkbokföringsadress) in combination with a time-limited one time activation password/pin code,
  6. Off-line using a copy of the same identification token as described in 3 or 4 above and a copy of a utility bill, not older than 3 months, in combination with a time-limited one time activation password/pin code sent to the postal address on the utility bill,
  7. Off-line using a postal registered address (sv. folkbokföringsadress) with a preregistered device, unique for the Subject, that will be considered as a Person-Proofed Multi-Factor on first use,
  8. Off-line using a copy of the same identification token as described in 3 or 4 above and a copy of a utility bill, not older than 3 months, with a preregistered device, unique for the Subject, sent to the postal address on the utility bill that will be considered as a Person-Proofed Multi-Factor on first use, or
  9. Other identity proofing method deemed equivalent by SWAMID Board of Trustees.

...

  1. On-line authenticating the Subject using a Person-Proofed Multi-Factor with high identity assurance using an external Identity Provider compliant with the SWAMID Person-Proofed Multi-Factor Profile,
  2. On-line authenticating the Subject using a multi-factor issued according to the Swedish E-identification system using an external Identity Provider compliant with the Swedish E-identification Level of Assurance 3 or higher,
  3. In-person visit at a service desk in combination with identity proofing as defined by the Swedish Tax Agency for issuance of the Swedish Tax Agency identity card,
  4. In-person visit at a service desk in combination with identity proofing with an international passport fulfilling International Civil Aviation Organization (ICAO) Doc 9303 Machine Readable Travel Documents [4], an EU/EES national identity card fulfilling the Regulation (EU) 2016/399 of the European Parliament and of the Council [5] or an EU/EES driving license fulfilling the Directive 2006/126/EC of the European Parliament and of the Council of 20 December 2006 on driving licences [6],
  5. Off-line using a postal certified mail (sv. rekommenderat brev med personlig utlämning) in combination with a time-limited one time activation password/pin code, or
  6. Off-line using a postal certified mail (sv. rekommenderat brev med personlig utlämning) with a preregistered device, unique for the Subject, that will be considered as a Person-Proofed Multi-Factor with high identity assurance on first use.

...

Time-limited one time passwords/pins used in 5 should be valid only as long as needed for postal delivery of certified mail.

...

2.3 Multiple Identity Proofing levels within an Identity Provider

A SWAMID Member Organisation MAY implement both Person-Proofed Multi-Factor and Person-Proofed Multi-Factor with high identity assurance within one Identity Provider.

The Member Organisation must maintain a record of all Subjects' Credentials and identity proofing level used to issue them.

5.3 Credential Renewal and Re-issuing

...

Renewal of credentials occurs when the Subject changes its credential using a normal password reset. Re-issuing occurs when credentials have been invalidated.

...

  • Stop the Subject's ability to use multi-factor authentication,
  • Stop the use of multi-factor authentication if the second factor or full multi-factor has been compromised, or
  • Allow the Subject to replace the second factor or full multi-factor.

The Member Organisation MUST revoke a second factor or full multi-factor along with all other credentials belonging to the Subject when the Subject is no longer affiliated with the Member Organisation. (We do not impose this requirement today; is it something we want to require? It causes problems for the higher education institutions with "forever accounts".) - On the other hand, a Subject is by definition an individual who is affiliated with the Home Organisation. I think this wording partly fixes the situation where, if my account (username + password) is deactivated because I am on leave or otherwise absent, my account is not simply reactivated when I return with the second factor coming back as a bonus; a complete Re-issue is required in that case.

The item you added as item 2 is already in the Guidance below. I therefore removed it again.


Guidance

Processes for revocation of second factors or full multi-factors should be documented in the IMPS, section 5.4.
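As an added illustration (example code, not part of the SWAMID profile or its guidance), the register below models three requirements from the text: a second factor MUST NOT be identity-proofed with the Subject's existing password, each Credential records the identity-proofing level used to issue it so the Identity Provider can report the right level to a Relying Party (sections 1.1 and 2.3), and de-affiliation revokes every Credential so a returning Subject needs full re-issuing rather than reactivation (section 5). The level names, the short proofing-method labels and the `CredentialRegister` class are assumptions made for the example; the method labels abridge the profile's numbered lists and carry no official identifiers.

```python
"""Added example, not part of the SWAMID profile: a credential register that
enforces (1) no identity proofing with the existing password, (2) a recorded
proofing level per Credential, and (3) revocation of all Credentials on
de-affiliation. Level and method labels are illustrative assumptions."""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    SINGLE_FACTOR = 0   # password only
    P2MFA = 1           # Person-Proofed Multi-Factor
    P2MFA_HIGH = 2      # Person-Proofed Multi-Factor with high identity assurance


# Proofing methods accepted per level, abridged from the profile's numbered
# lists. The short labels are ours; the profile defines no such identifiers.
P2MFA_METHODS = {
    "external-idp-p2mfa", "eid-loa2", "service-desk-tax-agency-id",
    "service-desk-passport-or-eu-id", "postal-address-otp", "utility-bill-otp",
    "postal-address-device", "utility-bill-device", "board-approved-equivalent",
}
P2MFA_HIGH_METHODS = {
    "external-idp-p2mfa-high", "eid-loa3", "service-desk-tax-agency-id",
    "service-desk-passport-or-eu-id", "certified-mail-otp", "certified-mail-device",
}


class ProofingError(Exception):
    """Raised when a request would violate the profile."""


@dataclass
class Credential:
    kind: str               # e.g. "password", "totp", "fido2"
    level: Level            # proofing level used at issuance (section 2.3 record)
    proofing_method: str
    revoked: bool = False


@dataclass
class Subject:
    identifier: str
    affiliated: bool = True
    credentials: list = field(default_factory=list)


class CredentialRegister:
    def __init__(self):
        self.subjects = {}

    def add_subject(self, identifier):
        self.subjects[identifier] = Subject(identifier)

    def issue_password(self, identifier):
        subj = self.subjects[identifier]
        subj.credentials.append(Credential("password", Level.SINGLE_FACTOR, "n/a"))

    def issue_second_factor(self, identifier, kind, proofing_method):
        """Issue a second factor and return the proofing level it was issued at."""
        subj = self.subjects[identifier]
        if not subj.affiliated:
            raise ProofingError("Subject is not affiliated with the Home Organisation")
        # Rule 1: an existing Credential (the password) is not identity proofing.
        if proofing_method == "password":
            raise ProofingError("existing credential may not be used for identity proofing")
        if proofing_method in P2MFA_HIGH_METHODS:
            level = Level.P2MFA_HIGH
        elif proofing_method in P2MFA_METHODS:
            level = Level.P2MFA
        else:
            raise ProofingError(f"unrecognised proofing method: {proofing_method}")
        subj.credentials.append(Credential(kind, level, proofing_method))
        return level

    def active_kinds(self, identifier):
        return [c.kind for c in self.subjects[identifier].credentials if not c.revoked]

    def assertable_level(self, identifier, kinds_used):
        """Rule 2: the level the IdP may report to a Relying Party for a login
        that used the given credential kinds. Revoked credentials are rejected."""
        active = {c.kind: c for c in self.subjects[identifier].credentials if not c.revoked}
        for kind in kinds_used:
            if kind not in active:
                raise ProofingError(f"credential {kind} is not active for {identifier}")
        # A second factor or a full multi-factor credential both carry a level;
        # a login that used only the password is single factor.
        factors = [active[k].level for k in kinds_used if k != "password"]
        return max(factors) if factors else Level.SINGLE_FACTOR

    def deaffiliate(self, identifier):
        """Rule 3: revoke every Credential when the affiliation ends."""
        subj = self.subjects[identifier]
        subj.affiliated = False
        for cred in subj.credentials:
            cred.revoked = True

    def reaffiliate(self, identifier):
        """A returning Subject gets the account back with no usable credentials:
        password and second factor must both be re-issued (section 5.3)."""
        self.subjects[identifier].affiliated = True


def raises_proofing_error(fn, *args):
    """True if the register rejects the call; used to check the rules."""
    try:
        fn(*args)
    except ProofingError:
        return True
    return False
```

The `assertable_level` result is what an Identity Provider would map to the authentication context it returns to a Relying Party; the exact context identifiers are out of scope here, since the profile text above does not state them.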

...