
Note (Temporary home)

This is the established SWAMID Person-Proofed Multi-Factor Profile decided by the SWAMID Board of Trustees on the 12th of September 2018. This profile will in the coming weeks move to its permanent home together with all other SWAMID profiles at https://www.swamid.se/policy/.



1. Terminology and Typographical Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC2119.

...

The non-normative (guidance) is maintained by the SWAMID Operations team.

1.1 Definition of terminology

Home Organisation: The SWAMID Member Organisation with which a Subject is affiliated, operating the Identity Provider by itself or through a third party.

...

Full multi-factor: A complete new set of credentials assigned to the Subject in order to provide the Subject with the ability to use multi-factor authentication. This new set of credentials is by itself composed of at least two dependent factors (e.g. a smart card) and does not depend in any way on the normally used knowledge-based authentication factor, i.e. a password, belonging to the Subject.


2. Purpose, Scope and Summary 


This profile defines how a SWAMID member organisation MUST implement a multi-factor solution in order to be certified by SWAMID for person-proofed multi-factor authentication in a federated environment. A person-proofed second factor or a person-proofed full multi-factor combines the use of multi-factor authentication with an assurance that the multi-factor authenticator is distributed to the intended Subject.

...

Please note that it is possible to use Subject self-asserted multi-factor authentication in both a local environment and a federated environment in order for the Home Organisation to raise IT security but it does not raise the identity assurance, i.e. the user is only protecting the usage of his or her own account with a multi-factor authentication. Hence this use case is not covered by this profile.


3. Compliance and Audit

Evidence of compliance with this profile MUST be part of the Identity Management Practice Statement (IMPS), maintained as a part of the SWAMID membership process. The Identity Management Practice Statement MUST describe how the organisation fulfils the normative parts of this document.

...

SWAMID person-proofed multi-factor validation service is located at https://mfa-check.swamid.se.


4. Organisational Requirement

The purpose of this section is to define conditions regarding participating organisations' responsibilities.

...

The Member organisation MUST be certified for SWAMID Identity Assurance Level 2 Profile.


5. Operational Requirements

The purpose of this section is to define conditions and guidance regarding use of person-proofed multi-factor authentication.

...

  • The authentication of the user’s current session used a combination of at least two of the four distinct types of factors defined in ITU-T X.1254: Entity authentication assurance framework, section 3.1.3, authentication factor (something you know, something you have, something you are, something you do).
  • The factors used are independent, in that access to one factor does not by itself grant access to other factors.
  • The combination of the factors mitigates single-factor only risks related to non-real-time attacks such as phishing, offline cracking, online guessing and theft of a (single) factor.


5.1 Credential Operating Environment

The purpose of this subsection is to ensure adequate strength of Subject credentials and protection against common attack vectors.

...

If the Relying Party requires that the multi-factor login must not use Single Sign-On, the member organisation's Identity Provider must be able to require that the Subject performs a new multi-factor login even though the Subject already has a multi-factor session active with the Identity Provider.
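The check a Relying Party performs when it has asked for a fresh multi-factor login is shown below as an added example; it is not part of the SWAMID profile and not SWAMID's own code. The Relying Party sends an AuthnRequest with ForceAuthn="true" and then verifies that the AuthnStatement it gets back has an AuthnInstant no earlier than the request and carries the requested authentication context. The SAML messages are constructed sample data, and the context class URI used to signal multi-factor authentication is an assumption (the page does not name one).

```python
# Added example (not from the SWAMID profile): a Relying Party verifies that an
# IdP honoured ForceAuthn, i.e. a new multi-factor login took place instead of
# an existing SSO session being reused.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Assumed context class the RP requests to signal MFA; not stated on the page.
MFA_CONTEXT = "https://refeds.org/profile/mfa"


def parse_instant(value):
    """SAML xs:dateTime in UTC with a 'Z' suffix -> timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_authn_request(request_id, issue_instant):
    """AuthnRequest that forbids SSO reuse (ForceAuthn) and asks for MFA."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" ForceAuthn="true" '
        f'IssueInstant="{issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ")}">'
        '<saml:Issuer>https://sp.example.org</saml:Issuer>'
        '<samlp:RequestedAuthnContext Comparison="exact">'
        f'<saml:AuthnContextClassRef>{MFA_CONTEXT}</saml:AuthnContextClassRef>'
        '</samlp:RequestedAuthnContext></samlp:AuthnRequest>'
    )


def check_forced_mfa(request_xml, response_xml):
    """Return (ok, reason). ok is True only if the assertion answers our request,
    records a login that happened after we asked for it (so not a pre-existing
    SSO session) and carries the requested authentication context.
    Signature validation of the response is assumed to have happened already."""
    req = ET.fromstring(request_xml)
    resp = ET.fromstring(response_xml)
    requested_at = parse_instant(req.get("IssueInstant"))
    wanted = req.find("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS).text

    if resp.get("InResponseTo") != req.get("ID"):
        return False, "response does not answer our request"
    stmt = resp.find("saml:Assertion/saml:AuthnStatement", NS)
    if stmt is None:
        return False, "no AuthnStatement in assertion"
    if parse_instant(stmt.get("AuthnInstant")) < requested_at:
        return False, "AuthnInstant predates request: existing SSO session reused"
    ctx = stmt.find("saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if ctx is None or ctx.text != wanted:
        return False, "authentication context is not the requested MFA context"
    return True, "fresh multi-factor login"


def sample_response(request_id, authn_instant, context):
    """Constructed, unsigned, minimal Response used only for demonstration."""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_r1" Version="2.0" InResponseTo="{request_id}">'
        '<saml:Assertion ID="_a1" Version="2.0">'
        f'<saml:AuthnStatement AuthnInstant="{authn_instant}">'
        f'<saml:AuthnContext><saml:AuthnContextClassRef>{context}'
        '</saml:AuthnContextClassRef></saml:AuthnContext>'
        '</saml:AuthnStatement></saml:Assertion></samlp:Response>'
    )


REQUEST = build_authn_request("_req1", datetime(2018, 9, 12, 10, 0, 0, tzinfo=timezone.utc))
FRESH = sample_response("_req1", "2018-09-12T10:00:20Z", MFA_CONTEXT)       # new login
REUSED = sample_response("_req1", "2018-09-12T07:45:00Z", MFA_CONTEXT)      # old SSO session
WRONG_CTX = sample_response("_req1", "2018-09-12T10:00:20Z",
                            "urn:oasis:names:tc:SAML:2.0:ac:classes:Password")

if __name__ == "__main__":
    for name, resp in (("fresh", FRESH), ("reused", REUSED), ("wrong_ctx", WRONG_CTX)):
        print(name, check_forced_mfa(REQUEST, resp))
```

The AuthnInstant comparison is what actually enforces "no Single Sign-On": an IdP that silently reuses a session will report the earlier login time. Clock skew between the two parties should be tolerated in production, and the check is meaningless unless the response signature was verified first.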



5.2 Credential Issuing

The purpose of this subsection is to ensure that the Identity Provider has control over the issuing process of the multi-factor.

...

Not all Subjects within an Identity Provider need to use the same credential types: some of them can only use passwords, some Person-Proofed Multi-Factors and some Person-Proofed Multi-Factors with high identity assurance. A Subject can also have multiple credential types at the same time. It is however important that the Home Organisation maintains a record of the credential types a Subject can use and can correctly inform Relying Parties about the credential type used, if requested by the Relying Party.

Person-Proofed Multi-Factor (SWAMID AL2-MFA)

A multi-factor authenticator issued and proofed to a Subject fulfilling the requirements of the SWAMID Identity Assurance Level 2 Profile with additional identity proofing requirements for on-line proofing.

Person-Proofed Multi-Factor with high identity assurance (SWAMID AL2-MFA-HI)

A multi-factor authenticator issued and proofed to a Subject fulfilling the requirements of the SWAMID Identity Assurance Level 2 Profile with additional identity proofing requirements based on verifying the Subject with defined identity cards or passports.

...

It is not recommended for a specific Subject to have a Person-Proofed Multi-Factor and a Person-Proofed Multi-Factor with high identity assurance at the same time, because of the importance of differentiating between them at the time of authentication and attribute release.

5.2.1 Issuing a Person-Proofed Multi-Factor (SWAMID AL2-MFA)

Credential Issuing of second factor or full multi-factor fulfilling the SWAMID Identity Assurance Level 2 Profile MUST be done using one of the following methods:

...

Time-limited one-time passwords/PINs used in methods 6 and 7 should be valid only as long as needed for postal delivery. "Copy" in method 7 means a scan, a photo or a hardcopy of the identity card/passport.

5.2.2 Issuing a Person-Proofed Multi-Factor with high identity assurance (SWAMID AL2-MFA-HI)

Credential Issuing of second factor or full multi-factor fulfilling the SWAMID Identity Assurance Level 2 Profile and with high identity assurance MUST be done using one of the following methods:

...

The Member Organisation MUST maintain a record of all Subjects' Credentials and identity proofing level used to issue them.

5.3 Credential Renewal and Re-issuing

Renewal of credentials occurs when the Subject changes its credential using a normal password reset. Re-issuing occurs when credentials have been invalidated.

...

Processes for replacement of second factors or full multi-factors should be documented in the IMPS, section 5.3.

5.3.1 Credential Renewal

All Subjects MUST be able to change a software-based second factor.

...

Even though there are no special criteria for a Subject changing password when a second factor is in use, it is recommended that the Subject proves possession of both password and second factor when the Subject changes the password.

5.3.2 Credential Re-issuing

Re-issuing of second factor or full multi-factor MUST be done using the same methods as listed in 5.2.1 or 5.2.2 depending on level of identity assurance for Credential Issuing.


5.4 Credential Revocation

The purpose of this subsection is to ensure that credentials can be revoked.

...

Processes for revocation of second factors or full multi-factors should be documented in the IMPS, section 5.4.

5.4.1 The Member Organisation's ability to Revoke Credentials

The Member Organisation MUST be able to revoke a Subject's second factor or full multi-factor in order to

  • Stop the Subject's ability to use multi-factor authentication
  • Allow the Subject to replace the second factor or full multi-factor.

5.4.2 The Member Organisation's obligation to Revoke Credentials

The Member Organisation MUST revoke the Subject's ability to use multi-factor authentication according to the SWAMID Person-Proofed Multi-Factor Profile if the Subject's Credentials are known to be compromised or misused.

...

If an individual is no longer affiliated with a Home Organisation, i.e. no longer a Subject, all of the Credentials belonging to that individual should be revoked, in order to avoid a situation where only the username and password are inactivated and later re-activated, with the second token becoming active again without a re-issuing of the second factor.


6. Syntax

If a member organisation's Identity Provider is approved for Person-Proofed Multi-Factor, the Identity Provider is tagged in the SWAMID metadata with the assurance certification attribute http://www.swamid.se/policy/authentication/swamid-al2-mfa.

...

SWAMID will provide configuration examples in the SWAMID wiki for the most used Identity Provider software.
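How a Relying Party can read that tag out of federation metadata before trusting an Identity Provider's multi-factor claims is shown below as an added example; it is not SWAMID's code and not part of the profile. The metadata is a constructed sample, and the entity attribute name carrying the certification (urn:oasis:names:tc:SAML:attribute:assurance-certification) is an assumption, since the page gives only the value http://www.swamid.se/policy/authentication/swamid-al2-mfa.

```python
# Added example (not from the SWAMID profile): look up which Identity Providers
# in a SAML metadata aggregate carry the SWAMID AL2-MFA assurance certification.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDATTR = "urn:oasis:names:tc:SAML:metadata:attribute"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"md": MD, "mdattr": MDATTR, "saml": SAML}

# Assumed name of the entity attribute that lists assurance certifications.
ASSURANCE_CERT = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
# Value from the profile text that marks a Person-Proofed Multi-Factor IdP.
AL2_MFA = "http://www.swamid.se/policy/authentication/swamid-al2-mfa"


def assurance_certifications(metadata_xml):
    """Map entityID -> set of assurance-certification values (empty set if none).
    Accepts either a single EntityDescriptor or an EntitiesDescriptor aggregate."""
    root = ET.fromstring(metadata_xml)
    if root.tag == f"{{{MD}}}EntityDescriptor":
        entities = [root]
    else:
        entities = root.findall("md:EntityDescriptor", NS)
    result = {}
    for ent in entities:
        values = set()
        path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
        for attr in ent.findall(path, NS):
            if attr.get("Name") == ASSURANCE_CERT:
                for val in attr.findall("saml:AttributeValue", NS):
                    if val.text:
                        values.add(val.text.strip())
        result[ent.get("entityID")] = values
    return result


def certified_for_al2_mfa(metadata_xml, entity_id):
    """True only if the named IdP is tagged with the AL2-MFA certification."""
    return AL2_MFA in assurance_certifications(metadata_xml).get(entity_id, set())


# Constructed sample aggregate: one tagged IdP and one untagged IdP.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:mdattr="{MDATTR}" xmlns:saml="{SAML}">
  <md:EntityDescriptor entityID="https://idp.certified.example/idp">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="{ASSURANCE_CERT}">
          <saml:AttributeValue>{AL2_MFA}</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.plain.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

if __name__ == "__main__":
    for entity_id, certs in assurance_certifications(SAMPLE_METADATA).items():
        print(entity_id, "AL2-MFA" if AL2_MFA in certs else "no AL2-MFA", sorted(certs))
```

The lookup is only as trustworthy as the metadata it reads: the tag must come from the signed SWAMID aggregate after signature verification, not from metadata the Identity Provider publishes about itself.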


7. References

[1] SWAMID Identity Assurance Level 2 Profile: http://www.swamid.se/policy/assurance/al2

...