Versions Compared


...

The selected second factor or full multi-factor technology MUST be protected against credential cloning, and it MUST NOT be possible to move the credential between physical devices.

If the Relying Party requires that the multi-factor login must not use Single Sign-On, the member organisation's Identity Provider MUST be able to require that the Subject do a new multi-factor login even though the Subject already has a multi-factor session active with the Identity Provider. The Member organisation's Identity Provider MUST support renewed multi-factor authentication if requested by the Relying Party.


Guidance

The choice of multi-factor technology should be documented, together with the use of passwords, in the IMPS, section 5.1.

Single-Factor and Multi-Factor OTP Devices are vulnerable to social engineering in much the same way as passwords, but one OTP code can only be used once, and if a time-based OTP (TOTP) solution is used the risk is further reduced, though not negligible. The use of OTP devices will be deprecated in 2025, or earlier, due to the risks with the technology.

SWAMID has published a set of valid choices for second factor and full multi-factor solutions in the SWAMID wiki.

If the Relying Party requires that the multi-factor login must not use Single Sign-On, the member organisation's Identity Provider must be able to require that the Subject do a new multi-factor login even though the Subject already has a multi-factor session active with the Identity Provider.
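The renewed-login requirement above (also stated normatively earlier in this section), as an added example that is not part of the SWAMID profile: a Relying Party-side check on a received assertion, assuming SAML as the federation protocol and the REFEDS MFA authentication context identifier, neither of which this page names. The sample assertions are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
# Assumption: the Relying Party asked for the REFEDS MFA context; the page names none.
MFA_CONTEXT = "https://refeds.org/profile/mfa"


def parse_instant(value):
    """Parse a SAML xs:dateTime such as 2024-05-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_renewed_mfa(assertion_xml, request_issued, max_age_s=300):
    """Return (ok, reason). ok only if the AuthnStatement carries the MFA context
    and its AuthnInstant is not earlier than our AuthnRequest's IssueInstant,
    i.e. the IdP performed a new login instead of reusing an SSO session."""
    stmt = ET.fromstring(assertion_xml).find("saml:AuthnStatement", NS)
    if stmt is None:
        return False, "no AuthnStatement"
    ctx = stmt.find("saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if ctx is None or (ctx.text or "").strip() != MFA_CONTEXT:
        return False, "authentication context is not MFA"
    authn_instant = parse_instant(stmt.attrib["AuthnInstant"])
    if authn_instant < request_issued:
        return False, "AuthnInstant predates the request: SSO session was reused"
    if (authn_instant - request_issued).total_seconds() > max_age_s:
        return False, "AuthnInstant implausibly far after the request"
    return True, "renewed MFA login"


def sample_assertion(authn_instant, context=MFA_CONTEXT):
    """Constructed minimal assertion (signature omitted; a real RP verifies the
    XML signature before trusting any of these values)."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML}" ID="_constructed" Version="2.0">'
        f'<saml:AuthnStatement AuthnInstant="{authn_instant}" SessionIndex="_s1">'
        f'<saml:AuthnContext><saml:AuthnContextClassRef>{context}'
        '</saml:AuthnContextClassRef></saml:AuthnContext>'
        '</saml:AuthnStatement></saml:Assertion>'
    )


REQUEST_ISSUED = parse_instant("2024-05-01T12:00:00Z")  # IssueInstant of our AuthnRequest
FRESH = sample_assertion("2024-05-01T12:00:45Z")
REUSED = sample_assertion("2024-05-01T09:30:00Z")  # login from hours before the request
PASSWORD_ONLY = sample_assertion(
    "2024-05-01T12:00:45Z", "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")

if __name__ == "__main__":
    for name, xml in [("fresh", FRESH), ("reused", REUSED), ("password-only", PASSWORD_ONLY)]:
        print(name, check_renewed_mfa(xml, REQUEST_ISSUED))
```

The Relying Party signals the requirement by setting ForceAuthn="true" on its AuthnRequest; this check is what it does with the answer.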



5.2 Credential Issuing

The purpose of this subsection is to ensure that the Identity Provider has control over the issuing process of the multi-factor.

...