...
Identity Provider (IdP): The system component that issues Attribute assertions on behalf of Subjects who use them to access the services of Relying Party.
First factor: The primary knowledge-based authentication factor (i.e., “something you know”) used by the Subject when the Subject is authenticating with single-factor authentication. An inherent authentication factor (i.e., “something you are”) cannot be used as a standalone single authentication factor but can be used together with a second factor.
Second factor: A second independent authentication factor, i.e. a possession-based authentication factor (“something you have”), that is used in addition to the Subject's first factor in order to provide the Subject with the ability to use multi-factor authentication. Normally this means adding a second factor where the Subject's first factor is a memorised secret, i.e. a password, or a biometric, i.e. fingerprints.
Full multi-factor: A complete new set of credentials assigned to the Subject in order to provide the Subject with the ability to use multi-factor authentication. This new set of credentials is by itself composed of at least two dependent factors (e.g. a smart card) and does not depend in any way on the normally used memorised secret, i.e. a password, belonging to the Subject.
...
1. On-line authenticating the Subject using a Person-Proofed Multi-Factor, or higher, using an external Identity Provider compliant with the SWAMID Person-Proofed Multi-Factor Profile,
2. On-line authenticating the Subject using a multi-factor issued according to the Swedish E-identification system using an external Identity Provider compliant with the Swedish E-identification Level of Assurance 2 or higher,
3. In-person visit at a service desk in combination with identity proofing as defined by the Swedish Tax Agency for issuance of the Swedish Tax Agency identity card,
4. In-person visit at a service desk in combination with identity proofing with an international passport fulfilling ICAO Doc 9303, an EU/EES national identity card fulfilling the European Commission Regulation No 562/2006 or an EU/EES driving license fulfilling the European Parliament and the Council of European Union Directive 2006/126/EC,
5. Off-line using a postal registered address (sv. folkbokföringsadress) in combination with a time-limited one-time activation password/pin code,
6. Off-line using a copy of the same identification token as described in 3 or 4 above and a copy of a utility bill, not older than 3 months, in combination with a time-limited one-time activation password/pin code sent to the postal address on the utility bill,
7. Off-line using a postal registered address (sv. folkbokföringsadress) with a preregistered device, unique for the Subject, that will be considered as a Person-Proofed Multi-Factor on first use,
8. Off-line using a copy of the same identification token as described in 3 or 4 above and a copy of a utility bill, not older than 3 months, with a preregistered device, unique for the Subject, sent to the postal address on the utility bill, that will be considered as a Person-Proofed Multi-Factor on first use, or
9. Other identity proofing method deemed equivalent by the SWAMID Board of Trustees.
...
1. On-line authenticating the Subject using a Person-Proofed Multi-Factor with high identity assurance using an external Identity Provider compliant with the SWAMID Person-Proofed Multi-Factor Profile,
2. On-line authenticating the Subject using a multi-factor issued according to the Swedish E-identification system using an external Identity Provider compliant with the Swedish E-identification Level of Assurance 3 or higher,
3. In-person visit at a service desk in combination with identity proofing as defined by the Swedish Tax Agency for issuance of the Swedish Tax Agency identity card,
4. In-person visit at a service desk in combination with identity proofing with an international passport fulfilling International Civil Aviation Organization (ICAO) Doc 9303 Machine Readable Travel Documents [4], an EU/EES national identity card fulfilling the Regulation (EU) 2016/399 of the European Parliament and of the Council [5] or an EU/EES driving license fulfilling the Directive 2006/126/EC of the European Parliament and of the Council of 20 December 2006 on driving licences [6],
5. Off-line using postal certified mail (sv. rekommenderat brev med personlig utlämning) in combination with a time-limited one-time activation password/pin code, or
6. Off-line using postal certified mail (sv. rekommenderat brev med personlig utlämning) with a preregistered device, unique for the Subject, that will be considered as a Person-Proofed Multi-Factor with high identity assurance on first use.
...
Time-limited one-time passwords/pins used in 5 should be valid only as long as needed for postal delivery of certified mail.
5.2.3 Multiple Multi-Factor Identity Proofing levels within one Identity Provider
A SWAMID Member Organisation MAY implement both Person-Proofed Multi-Factor and Person-Proofed Multi-Factor with high identity assurance within one Identity Provider.
...
Renewal of credentials occurs when the Subject changes its credential using a normal password reset. Re-issuing occurs when credentials have been invalidated. Replacement of a second factor or full multi-factor MUST be done using the same methods as listed above for Credential Issuing.
Guidance
Processes for replacement of second factors or full multi-factors should be documented in the IMPS, section 5.3.
5.3.1 Credential Renewal
All Subjects MUST be able to change a software-based second factor.
Subjects MUST demonstrate possession of credentials by doing a multi-factor authentication before being allowed to replace a second factor or full multi-factor.
Guidance
By doing a multi-factor authentication according to this profile, a Subject can replace the currently issued multi-factor or add a second multi-factor at the same identity proofing level as the Subject's currently issued multi-factor, as long as the multi-factor authentication used is on the same level or higher.
Even though there are no special criteria for a Subject changing password when a second multi-factor is in use, it is recommended that the Subject prove possession of both password and second factor when the Subject changes the password.
5.3.2 Credential Re-issuing
Re-issuing of a second factor or full multi-factor MUST be done using the same methods as listed in 5.2.1 or 5.2.2, depending on the level of identity assurance, for Credential Issuing.
5.4 Credential Revocation
...