...

Draft: This is a SWAMID working draft for discussions within the community. This profile may be changed after discussion.


1. Terminology and Typographical Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC2119.

...

The non-normative text (guidance) is maintained by the SWAMID operations team.

1.1 Definition of terminology

Home Organisation: The SWAMID Member Organisation with which a Subject is affiliated, operating the Identity Provider by itself or through a third party.

...

Full multi-factor: A complete new set of credentials assigned to the subject in order to provide the subject with the ability to use multi-factor authentication. This new set of credentials is by itself composed of at least two dependent factors (e.g. a smart card) and does not depend in any way on the normally used memorised secret (i.e. a password) belonging to the subject.


2. Purpose, Scope and Summary


This document defines how a SWAMID member organisation SHOULD implement a strong authentication solution in order to be certified by SWAMID for strong authentication in a federated environment. Strong authentication combines the use of multi-factor authentication in a federated environment with a high assurance that the multi-factor authenticator is distributed to the intended user.

This multi-factor profile is an extension to REFEDS Multi-Factor Authentication (MFA) Profile [1], applicable for Swedish Higher Education.


Guidance: The intended use of this SWAMID profile is when authentication must be done with a high assurance that it is the correct user that is accessing a specific service. It is possible, or even preferred, to use multi-factor authentication without this high level of assurance in a federated environment, but that use does not fulfil this strong authentication profile.


3. Syntax

The member organisation's Identity Provider is tagged in the SWAMID federation metadata with the assurance certification attribute: http://www.swamid.se/policy/authentication/refeds-mfa

...

In a SAML assertion, compliance is communicated by asserting the AuthnContextClassRef: https://refeds.org/profile/mfa
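The two signals named in this section can be checked mechanically on the Service Provider side: the Identity Provider's metadata must carry the SWAMID certification value, and the assertion must carry the REFEDS MFA AuthnContextClassRef. The following is an added example, not SWAMID's own code or validation service; it assumes the certification tag is published in the standard SAML assurance-certification entity attribute, and the metadata and assertion snippets are constructed samples.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SWAMID_MFA_CERT = "http://www.swamid.se/policy/authentication/refeds-mfa"
REFEDS_MFA = "https://refeds.org/profile/mfa"
# Assumption: the certification tag is carried in the standard SAML
# assurance-certification entity attribute inside md:Extensions.
ASSURANCE_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"

# Constructed sample metadata and assertion (not real SWAMID data).
SAMPLE_METADATA = """<md:EntityDescriptor entityID="https://idp.example.edu/idp"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:Extensions><mdattr:EntityAttributes>
    <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
      <saml:AttributeValue>http://www.swamid.se/policy/authentication/refeds-mfa</saml:AttributeValue>
    </saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
</md:EntityDescriptor>"""
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z"><saml:AuthnContext>
    <saml:AuthnContextClassRef>https://refeds.org/profile/mfa</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
</saml:Assertion>"""

def idp_is_mfa_certified(metadata_xml: str) -> bool:
    """True if the IdP's metadata carries the SWAMID refeds-mfa certification value."""
    root = ET.fromstring(metadata_xml)
    for attr in root.iterfind(".//mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") != ASSURANCE_ATTR:
            continue
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        if SWAMID_MFA_CERT in values:
            return True
    return False

def assertion_asserts_refeds_mfa(assertion_xml: str) -> bool:
    """True if an AuthnStatement in the assertion claims the REFEDS MFA context."""
    root = ET.fromstring(assertion_xml)
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return any((r.text or "").strip() == REFEDS_MFA for r in root.iterfind(path, NS))

def accept_strong_auth(metadata_xml: str, assertion_xml: str) -> bool:
    """SP-side rule: honour the MFA claim only from an IdP that SWAMID has certified for it."""
    return idp_is_mfa_certified(metadata_xml) and assertion_asserts_refeds_mfa(assertion_xml)
```

The combined rule is the point: an AuthnContextClassRef of https://refeds.org/profile/mfa from an IdP that is not tagged in SWAMID metadata does not fulfil this profile, so the SP should refuse it rather than trust the assertion alone.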


4. Compliance and Audit

The Member organisation MUST be certified for SWAMID Identity Assurance Level 2 Profile [2].

...

The Member organisation MUST document the relevant multi-factor parts in the Identity Management Practice Statement and submit the Identity Management Practice Statement for approval by the SWAMID Board of Trustees.

  • Choice of multi-factor technology MUST be documented in section 5.1 Credential Operating Environment.

    The selected second factor or full multi-factor solution MUST be based on the Single-Factor and Multi-Factor Authenticator Types within NIST 800-63B [3].

    Guidance: SWAMID has published a set of valid choices for second factor and full multi-factor solutions in the SWAMID wiki.

  • Processes for issuing and assigning of credentials (second factor or full multi-factor) MUST be documented in 5.2 Credential Issuing (more precisely in 5.2.5).

    Issuing of second factor or full multi-factor MUST be done using one of the following methods:

      1. On-line, by multi-factor authenticating the Subject at the SWAMID MFA Profile level or higher, using an external Identity Provider compliant with the SWAMID MFA Profile or higher

      2. In-person visit at a service desk in combination with identity proofing as defined by the Swedish Tax Agency for issuance of the Swedish Tax Agency identity card

      3. In-person visit at a service desk in combination with identity proofing with an international passport fulfilling International Civil Aviation Organization (ICAO) Doc 9303 Machine Readable Travel Documents [4], an EU/EEA national identity card fulfilling Regulation (EU) 2016/399 of the European Parliament and of the Council [5], or an EU/EEA driving licence fulfilling Directive 2006/126/EC of the European Parliament and of the Council of 20 December 2006 on driving licences [6].

      4. Off-line using a certified mail to a postal address (sv. rekommenderat brev med personlig utlämning) in combination with a time-limited one time password/pin code.

      5. Off-line using a certified mail to a postal address (sv. rekommenderat brev med personlig utlämning) with a preregistered device, unique for the user, that will be considered as a vetted token on first use.


    Guidance: The second factor or full multi-factor must be issued separately from the user credentials in accordance with the REFEDS MFA Profile criteria.

    Guidance: Multi-factor solutions provided within the Swedish E-identification system fulfil the requirements for on-line multi-factor authentication and can be used for on-line identity vetting if allowed by the E-identification issuer. Likewise, authentication via eIDAS with assurance level substantial or high fulfils the requirements.

  • Processes for replacement of additional factors or full multi-factor MUST be documented in 5.3 Credential Renewal and Re-issuing.

    Replacement of second factor or full multi-factor MUST be done using the same methods as listed above for Credential Issuing.

  • Processes for revocation of second factor or full multi-factor MUST be documented in 5.4 Credential Revocation.


5. Criteria

A Member Organisation MUST fulfil the REFEDS MFA Profile criteria.

...

Guidance: The validation service is located at https://mfa-check.swamid.se.


6. References

[1] REFEDS Multi-Factor Authentication (MFA) Profile, https://refeds.org/profile/mfa

...