This is a SWAMID working draft for discussions within the community. The correct title for this profile will be "SWAMID Multi-Factor Authentication (MFA) Profile".
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC2119.
Text in Italics is non-normative. All other text is normative unless otherwise stated.
All normative parts of the profile are governed by the SWAMID Board of Trustees.
The non-normative (guidance) text is maintained by the SWAMID operations team.
Home Organisation: The SWAMID Member Organisation with which a Subject is affiliated, operating the Identity Provider by itself or through a third party.
Member Organisation: Used in this document as a synonym for Home Organisation.
Subject: Any natural person affiliated with a Home Organisation, e.g. as a teacher, researcher, staff or student.
Relying Party (RP): A Service that relies upon a Subject’s credentials, typically to process a transaction or grant access to information or a system. Also called a Service Provider (SP).
Identity Provider (IdP): The system component that issues Attribute assertions on behalf of Subjects, who use them to access the services of a Relying Party.
Second factor: A second independent factor that is used in addition to the subject's first factor in order to provide the subject with the ability to use multi-factor authentication. Normally this means adding a second factor where the subject's first factor is a memorised secret (i.e. a password).
Full multi-factor: A complete new set of credentials assigned to the subject in order to provide the subject with the ability to use multi-factor authentication. This new set of credentials is by itself composed of at least two dependent factors (e.g. a smart card) and does not depend in any way on the normally used memorised secret (i.e. a password) belonging to the subject.
This document defines how a SWAMID member organisation SHOULD implement a multi-factor authentication solution in order to be certified by SWAMID for multi-factor authentication in a federated environment.
This multi-factor profile is an extension to the REFEDS Multi-Factor Authentication (MFA) Profile [1], applicable to Swedish Higher Education.
The member organisation's Identity Provider is tagged in the SWAMID federation metadata with the assurance certification attribute: http://www.swamid.se/policy/authentication/refeds-mfa
In accordance with REFEDS MFA Profile:
In a SAML assertion, compliance is communicated by asserting the AuthnContextClassRef: https://refeds.org/profile/mfa
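Added example (not part of the profile or of any SWAMID software) of how a Relying Party can apply the two signals above: it accepts an MFA claim only when the asserting IdP carries the SWAMID certification entity attribute in federation metadata and the assertion's AuthnContextClassRef is the REFEDS MFA URI. It assumes the certification is published under the standard assurance-certification entity attribute name; the metadata and assertions are constructed samples.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SWAMID_MFA_CERT = "http://www.swamid.se/policy/authentication/refeds-mfa"  # from the profile
REFEDS_MFA = "https://refeds.org/profile/mfa"                                # from the profile
# Assumption: the certification is published under the standard assurance-certification attribute
ASSURANCE_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"

# Constructed sample federation metadata (not SWAMID's): one IdP tagged for MFA, one not
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://idp.example-university.se/idp">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
        <saml:AttributeValue>http://www.swamid.se/policy/authentication/refeds-mfa</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.other-college.se/idp"/>
</md:EntitiesDescriptor>"""


def certified_mfa_idps(metadata_xml: str) -> set:
    """EntityIDs whose metadata carries the SWAMID MFA assurance certification."""
    certified = set()
    for ent in ET.fromstring(metadata_xml).iter(f"{{{NS['md']}}}EntityDescriptor"):
        for attr in ent.iterfind("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            values = {v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text}
            if attr.get("Name") == ASSURANCE_ATTR and SWAMID_MFA_CERT in values:
                certified.add(ent.get("entityID"))
    return certified


def assertion_satisfies_mfa(assertion_xml: str, certified: set) -> bool:
    """RP-side check: trust the MFA claim only from a certified IdP asserting the REFEDS MFA context."""
    a = ET.fromstring(assertion_xml)
    issuer = (a.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    path = "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    ctx = (a.findtext(path, default="", namespaces=NS) or "").strip()
    return issuer in certified and ctx == REFEDS_MFA


def sample_assertion(issuer: str, ctx: str) -> str:
    """Constructed minimal assertion (Issuer and AuthnContextClassRef only) for this example."""
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Issuer>{issuer}</saml:Issuer>'
            f"<saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>{ctx}"
            "</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion>")
```

Running `assertion_satisfies_mfa(sample_assertion(idp, REFEDS_MFA), certified_mfa_idps(SAMPLE_METADATA))` returns True only for the tagged IdP; an untagged IdP asserting the REFEDS MFA context, or a tagged IdP asserting a password-only context, is rejected.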
The Member organisation MUST be certified for SWAMID Identity Assurance Level 2 Profile [2].
Only subjects currently at SWAMID Identity Assurance Level 2 are allowed to authenticate themselves according to this Profile.
The Member organisation MUST document the applicable parts regarding multi-factor authentication in the Identity Management Practice Statement and submit the Identity Management Practice Statement for approval by the SWAMID Board of Trustees.
Processes for issuing and assigning credentials (second factor or full multi-factor) MUST be documented in 5.2 Credential Issuing (more precisely in 5.2.5).
Issuing of a second factor or full multi-factor MUST be done using one of the following methods:
On-line, by multi-factor authenticating the Subject at the level of the SWAMID MFA Profile or higher using an external Identity Provider compliant with the SWAMID MFA Profile or higher.
In-person visit at a service desk in combination with identity proofing as defined by the Swedish Tax Agency for issuance of the Swedish Tax Agency identity card
In-person visit at a service desk in combination with identity proofing with an international passport fulfilling International Civil Aviation Organization (ICAO) Doc 9303 Machine Readable Travel Documents [4], an EU/EES national identity card fulfilling the Regulation (EU) 2016/399 of the European Parliament and of the Council [5] or an EU/EES driving license fulfilling the Directive 2006/126/EC of the European Parliament and of the Council of 20 December 2006 on driving licences [6].
Off-line, using certified mail to a postal address (sv. rekommenderat brev med personlig utlämning) in combination with a time-limited one-time password/PIN code.
Guidance: The second factor or full multi-factor must be issued separately from the user's credentials in accordance with the REFEDS MFA Profile criteria.
Guidance a: Multi-Factor solutions provided within the Swedish E-identification system fulfils the requirements for on-line multi-factor authentication and can be used for online identity vetting if allowed by the E-identification issuer. Likewise, authentication via eIDAS with assurance level substantial or high fulfils the requirements.
A Member Organisation MUST fulfil the REFEDS MFA Profile criteria.
Guidance: Original criteria repeated from the REFEDS MFA Profile for convenience.
By asserting the URI shown above (note: https://refeds.org/profile/mfa), an Identity Provider claims that:
The Member organisation MUST perform a successful technical validation of their Identity Provider in the official SWAMID multi-factor validation service.
Guidance: The validation service is located at https://mfa-check.swamid.se
[1] REFEDS Multi-Factor Authentication (MFA) Profile: https://refeds.org/profile/mfa
[2] SWAMID Identity Assurance Level 2 Profile: http://www.swamid.se/policy/assurance/al2
[3] NIST Special Publication 800-63B - Digital Identity Guidelines - Authentication and Lifecycle Management: https://doi.org/10.6028/NIST.SP.800-63b
[4] International Civil Aviation Organization (ICAO) Doc 9303 Machine Readable Travel Documents: https://www.icao.int/publications/pages/publication.aspx?docnum=9303
[5] Regulation (EU) 2016/399 of the European Parliament and of the Council: http://data.europa.eu/eli/reg/2016/399/oj
[6] Directive 2006/126/EC of the European Parliament and of the Council of 20 December 2006 on driving licences: http://data.europa.eu/eli/dir/2006/126/oj