...

A multi-factor authenticator issued and proofed to a Subject fulfilling the requirements of the SWAMID Identity Assurance Level 2 Profile, with additional identity proofing requirements for on-line proofing.

Person-Proofed Multi-Factor with high identity assurance (SWAMID P2MFA-HI)

A multi-factor authenticator issued and proofed to a Subject fulfilling the requirements of the SWAMID Identity Assurance Level 2 Profile, with additional identity proofing requirements based on verifying the Subject against defined identity cards or passports.

...

The purpose of this subsection is to ensure that credentials can be revoked.


Guidance

Processes for revocation of second factors or full multi-factors should be documented in the IMPS, section 5.4.

5.4.1 The Member Organisation's ability to Revoke Credentials

...

The Member Organisation MUST revoke the Subject's ability to use multi-factor authentication according to the SWAMID Person-Proofed Multi-Factor Profile if the Subject's Credentials are known to be compromised or misused.


Guidance

Processes for revocation of second factors or full multi-factors should be documented in the IMPS, section 5.4.

If a Subject's second factor or full multi-factor has been misused or compromised, the multi-factor should be revoked, and the Subject should not be able to create a new one until the Subject has been formally informed why the multi-factor was revoked.

If an individual is no longer affiliated with a Home Organisation, i.e. no longer a Subject, all of the Credentials belonging to that individual should be revoked. This avoids the situation where only the username and password are deactivated and later re-activated, with the second token becoming active again without the second factor being re-issued.

...

If a member organisation's Identity Provider is in addition approved for Person-Proofed Multi-Factor with high identity assurance, the Identity Provider is also tagged in the SWAMID metadata with the assurance certification attribute http://www.swamid.se/policy/authentication/swamid-p2mfa-hia.


In accordance with the REFEDS MFA Profile:

...

When a Subject performs a multi-factor authentication based on Person-Proofed Multi-Factor with high identity assurance, the Identity Provider MUST add the value http://www.swamid.se/policy/authentication/swamid-p2mfa-hiahi to the attribute eduPersonAssurance of the Subject, in order for the Relying Party to be able to distinguish between the two identity proofing levels of multi-factor authentication.
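The Relying Party side of the rule above, as an added example that is not part of the SWAMID profile text or any SWAMID software: given the authentication context, the eduPersonAssurance values and the IdP's assurance certification tags from federation metadata, decide whether a login meets a required multi-factor level. It goes slightly beyond the paragraph by also cross-checking the claimed level against the IdP's metadata certification (so an IdP cannot assert a level it is not approved for) and by requiring the REFEDS MFA authentication context. Assumptions: the REFEDS MFA context URI https://refeds.org/profile/mfa is the real REFEDS value; the P2MFA-HI URI is the metadata certification value quoted on this page and is assumed to be used unchanged in eduPersonAssurance; the plain P2MFA URI is a placeholder, since the page does not state it; the `AssertionFacts` structure and all sample values are constructed here.

```python
"""Relying Party check of SWAMID Person-Proofed Multi-Factor assurance (example, not SWAMID code)."""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# REFEDS MFA authentication context class (real REFEDS URI).
REFEDS_MFA_CONTEXT = "https://refeds.org/profile/mfa"
# P2MFA-HI assurance certification URI as quoted on this page (metadata attribute);
# ASSUMED here to be the same string carried in eduPersonAssurance.
P2MFA_HI = "http://www.swamid.se/policy/authentication/swamid-p2mfa-hia"
# PLACEHOLDER for the plain Person-Proofed Multi-Factor URI; the page does not give it.
P2MFA = "http://www.swamid.se/policy/authentication/swamid-p2mfa"

# Higher rank = stronger identity proofing behind the multi-factor credential.
LEVEL_RANK = {P2MFA: 1, P2MFA_HI: 2}


@dataclass(frozen=True)
class AssertionFacts:
    """What the RP has in hand after a SAML login (constructed structure)."""
    authn_context: str                      # AuthnContextClassRef of this session
    edu_person_assurance: Tuple[str, ...]   # eduPersonAssurance attribute values
    idp_certifications: Tuple[str, ...]     # assurance-certification tags of the IdP in metadata


def highest_mfa_level(values: Iterable[str]) -> Optional[str]:
    """Return the strongest SWAMID P2MFA value present, or None if there is none.
    Unknown values (e.g. plain assurance-level URIs) are ignored, not rejected."""
    best, best_rank = None, 0
    for v in values:
        r = LEVEL_RANK.get(v, 0)
        if r > best_rank:
            best, best_rank = v, r
    return best


def authorize(facts: AssertionFacts, required: str) -> Tuple[bool, str]:
    """Decide whether this login satisfies the required P2MFA level.
    Every failure returns a reason string suitable for an audit log."""
    # 1. Multi-factor must actually have been used for this session.
    if facts.authn_context != REFEDS_MFA_CONTEXT:
        return False, "session was not authenticated with the REFEDS MFA context"
    # 2. The IdP must assert a SWAMID multi-factor proofing level for the Subject.
    claimed = highest_mfa_level(facts.edu_person_assurance)
    if claimed is None:
        return False, "no SWAMID P2MFA value in eduPersonAssurance"
    # 3. The IdP must be approved in federation metadata for the level it claims.
    if claimed not in facts.idp_certifications:
        return False, f"IdP is not certified in metadata for {claimed}"
    # 4. The claimed level must be at least the level the RP requires.
    if LEVEL_RANK[claimed] < LEVEL_RANK[required]:
        return False, f"assurance {claimed} is below required {required}"
    return True, f"accepted at {claimed}"


if __name__ == "__main__":
    # Constructed sample: IdP certified for both levels, Subject proofed at P2MFA-HI.
    login = AssertionFacts(
        authn_context=REFEDS_MFA_CONTEXT,
        edu_person_assurance=("http://www.swamid.se/policy/assurance/al2", P2MFA_HI),
        idp_certifications=(P2MFA, P2MFA_HI),
    )
    print(authorize(login, P2MFA_HI))
    # Same Subject, but the IdP is only certified for plain P2MFA: rejected.
    spoofed = AssertionFacts(REFEDS_MFA_CONTEXT, (P2MFA_HI,), (P2MFA,))
    print(authorize(spoofed, P2MFA_HI))
```

The metadata cross-check in step 3 is what makes the eduPersonAssurance value trustworthy: the attribute is asserted by the IdP itself, while the certification tag is published by the federation operator, so an RP that needs P2MFA-HI should require both to agree.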

...