...

Identity Provider (IdP): The system component that issues Attribute assertions on behalf of Subjects, who use them to access the services of a Relying Party.

First factor: The primary knowledge-based authentication factor (i.e., “something you know”) used by the Subject when the Subject is authenticating with single-factor authentication. An inherent authentication factor (i.e., “something you are”) cannot be used as a standalone single authentication factor but can be used together with a second factor.

Second factor: A second, independent, possession-based authentication factor (i.e., “something you have”) that is used in addition to the Subject's first factor in order to provide the Subject with the ability to use multi-factor authentication. Normally this means adding a second factor where the Subject's first factor is a memorised secret, i.e. a password, or a biometric, e.g. a fingerprint.

Full multi-factor: A complete new set of credentials assigned to the Subject in order to provide the Subject with the ability to use multi-factor authentication. This new set of credentials is by itself composed of at least two dependent factors (e.g. a smart card) and does not depend in any way on the normally used memorised secret, i.e. a password, belonging to the Subject.

...

  1. On-line authenticating the Subject using a Person-Proofed Multi-Factor, or higher, using an external Identity Provider compliant with the SWAMID Person-Proofed Multi-Factor Profile,
  2. On-line authenticating the Subject using a multi-factor issued according to the Swedish E-identification system using an external Identity Provider compliant with the Swedish E-identification Level of Assurance 2 or higher,
  3. In-person visit at a service desk in combination with identity proofing as defined by the Swedish Tax Agency for issuance of the Swedish Tax Agency identity card,
  4. In-person visit at a service desk in combination with identity proofing with an international passport fulfilling ICAO Doc 9303, an EU/EES national identity card fulfilling the European Commission Regulation No 562/2006 or an EU/EES driving license fulfilling the European Parliament and the Council of European Union Directive 2006/126/EC,
  5. Off-line using a postal registered address (sv. folkbokföringsadress) in combination with a time-limited one time activation password/pin code,
  6. Off-line using a copy of the same identification token as described in 3 or 4 above and a copy of a utility bill, not older than 3 months, in combination with a time-limited one time activation password/pin code sent to the postal address on the utility bill,
  7. Off-line using a postal registered address (sv. folkbokföringsadress) with a preregistered device, unique for the Subject, that will be considered as a Person-Proofed Multi-Factor on first use,
  8. Off-line using a copy of the same identification token as described in 3 or 4 above and a copy of a utility bill, not older than 3 months, with a preregistered device, unique for the Subject, sent to the postal address on the utility bill, that will be considered as a Person-Proofed Multi-Factor on first use, or
  9. Other identity proofing method deemed equivalent by SWAMID Board of Trustees.

...

  1. On-line authenticating the Subject using a Person-Proofed Multi-Factor with high identity assurance using an external Identity Provider compliant with the SWAMID Person-Proofed Multi-Factor Profile,
  2. On-line authenticating the Subject using a multi-factor issued according to the Swedish E-identification system using an external Identity Provider compliant with the Swedish E-identification Level of Assurance 3 or higher,
  3. In-person visit at a service desk in combination with identity proofing as defined by the Swedish Tax Agency for issuance of the Swedish Tax Agency identity card,
  4. In-person visit at a service desk in combination with identity proofing with an international passport fulfilling International Civil Aviation Organization (ICAO) Doc 9303 Machine Readable Travel Documents [4], an EU/EES national identity card fulfilling the Regulation (EU) 2016/399 of the European Parliament and of the Council [5] or an EU/EES driving license fulfilling the Directive 2006/126/EC of the European Parliament and of the Council of 20 December 2006 on driving licences [6],
  5. Off-line using a postal certified mail (sv. rekommenderat brev med personlig utlämning) in combination with a time-limited one time activation password/pin code, or
  6. Off-line using a postal certified mail (sv. rekommenderat brev med personlig utlämning) with a preregistered device, unique for the Subject, that will be considered as a Person-Proofed Multi-Factor with high identity assurance on first use.

...

Time-limited one time passwords/pins used in method 5 above should be valid only as long as needed for postal delivery of the certified mail.


5.2.3 Multiple Multi-Factor Identity Proofing levels within one Identity Provider

A SWAMID Member Organisation MAY implement both Person-Proofed Multi-Factor and Person-Proofed Multi-Factor with high identity assurance within one Identity Provider.

...

Renewal of credentials occurs when the Subject changes its credential using a normal password reset. Re-issuing occurs when credentials have been invalidated. Replacement of a second factor or full multi-factor MUST be done using the same methods as listed above for Credential Issuing.


Guidance

Processes for replacement of second factors or full multi-factors should be documented in the IMPS, section 5.3.

5.3.1 Credential Renewal

All Subjects MUST be able to change a software-based second factor.

Subjects MUST demonstrate possession of credentials by doing a multi-factor authentication before being allowed to replace a second factor or full multi-factor.


Guidance

By doing a multi-factor authentication according to this profile, a Subject can replace the currently issued multi-factor, or add a second multi-factor at the same identity proofing level as the Subject's currently issued multi-factor, as long as the multi-factor authentication used is on the same level or higher.

Even though there are no special criteria for a Subject changing password when a second multi-factor is in use, it is recommended that the Subject prove possession of both password and second factor when the Subject changes the password.
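The replacement rule in 5.3.1 and its guidance can be encoded as an authorization check in the Identity Provider. The following is an added illustration, not SWAMID's own code nor part of this profile: the level names, the session model and the ten-minute freshness window for the step-up authentication are assumptions chosen for the example.

```python
"""Authorization check for replacing or adding a multi-factor credential.

Added illustration (not SWAMID's code): a Subject may replace the current
multi-factor, or add a second one at the same identity proofing level, only
after a multi-factor authentication on that level or higher (section 5.3.1).
Level names, the session model and the freshness window are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed ordering of assurance levels: single-factor is the non-MFA baseline,
# "mfa" stands for Person-Proofed Multi-Factor and "mfa-hi" for
# Person-Proofed Multi-Factor with high identity assurance.
LEVELS = {"single-factor": 0, "mfa": 1, "mfa-hi": 2}


@dataclass(frozen=True)
class AuthSession:
    """What the IdP knows about the authentication just performed."""
    subject: str
    level: str              # one of LEVELS
    authenticated_at: datetime
    factors_used: int       # independent factors presented in this session


@dataclass(frozen=True)
class IssuedCredential:
    """The multi-factor credential to be replaced, or the level to be added."""
    subject: str
    level: str


def may_replace_multifactor(session, credential, now, max_age=timedelta(minutes=10)):
    """Return (allowed, reason) for replacing/adding `credential` in `session`.

    `max_age` is an assumed freshness window for the step-up authentication,
    so that a long-lived session cannot be reused to swap a second factor.
    """
    if session.subject != credential.subject:
        return False, "session subject differs from credential subject"
    if session.level not in LEVELS or credential.level not in LEVELS:
        return False, "unknown assurance level"
    # 5.3.1: possession of credentials MUST be demonstrated by a multi-factor
    # authentication before a second factor or full multi-factor is replaced.
    if session.factors_used < 2 or LEVELS[session.level] < LEVELS["mfa"]:
        return False, "multi-factor authentication required (5.3.1)"
    if now - session.authenticated_at > max_age:
        return False, "authentication too old; re-authenticate first"
    # Guidance: the authentication used must be on the same level or higher
    # than the credential being replaced or added.
    if LEVELS[session.level] < LEVELS[credential.level]:
        return False, "authentication level below the credential's level"
    return True, "ok"


# Constructed sample data for the illustration.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
ALICE_MFA = AuthSession("alice", "mfa", NOW - timedelta(minutes=1), 2)
ALICE_HI = AuthSession("alice", "mfa-hi", NOW - timedelta(minutes=1), 2)
ALICE_PW = AuthSession("alice", "single-factor", NOW - timedelta(minutes=1), 1)
ALICE_STALE = AuthSession("alice", "mfa", NOW - timedelta(hours=1), 2)
CRED_MFA = IssuedCredential("alice", "mfa")
CRED_HI = IssuedCredential("alice", "mfa-hi")

if __name__ == "__main__":
    for label, sess, cred in [
        ("mfa session replaces mfa credential", ALICE_MFA, CRED_MFA),
        ("mfa-hi session replaces mfa credential", ALICE_HI, CRED_MFA),
        ("mfa session replaces mfa-hi credential", ALICE_MFA, CRED_HI),
        ("password-only session", ALICE_PW, CRED_MFA),
        ("stale mfa session", ALICE_STALE, CRED_MFA),
    ]:
        print(f"{label}: {may_replace_multifactor(sess, cred, NOW)}")
```

The check deliberately tests both the number of factors presented and the declared level, so that a session flagged as multi-factor by name but backed by a single factor is still refused; a real IdP would take `factors_used` and `level` from the authentication context it recorded, never from the client.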

5.3.2 Credential Re-issuing

Re-issuing of a second factor or full multi-factor MUST be done using the same methods as listed in 5.2.1 or 5.2.2 for Credential Issuing, depending on the level of identity assurance.


5.4 Credential Revocation

...