...

There are two levels of identity proofing assurance defined for person-proofed multi-factor in this profile, one based on the identity proofing in SWAMID Identity Assurance Level 2 Profile (SWAMID AL2) [1] and one with identity proofing based on identity verification with a defined set of identity cards and passports.

This SWAMID Person-Proofed Multi-Factor Profile is an extension to the REFEDS Multi-Factor Authentication (MFA) Profile (REFEDS MFA) [2].


Guidance

The intended use of this SWAMID profile is when authentication must be done with a high assurance that it is the correct Subject that is accessing a specific service. Please note that it is possible, or even preferred, to use multi-factor authentication without this level of identity assurance in a federated environment, but such use does not fulfil this person-proofed multi-factor profile.

...

Evidence of compliance with this profile MUST be part of the Identity Management Practice Statement (IMPS), maintained as a part of the SWAMID membership process. The Identity Management Practice Statement MUST describe how the organisation fulfils the normative parts of this document.

SWAMID operations, or another party approved by SWAMID Board of Trustees, conducts an initial audit of the submitted Identity Management Practice Statement. The member MUST annually confirm that their Identity Management Practice Statement is still valid. When there are changes in the identity management process or technology, a new Identity Management Practice Statement MUST be submitted for a renewed audit.

Audit of this profile uses the same procedures as for SWAMID AL2. The Member organisation MUST perform a successful technical validation of their Identity Provider through the official SWAMID person-proofed multi-factor validation service to complete the audit.


Guidance

The audit routines for this profile are the same as for SWAMID Identity Assurance Level 2 Profile except for the technical validation.

SWAMID person-proofed multi-factor validation service is located at https://mfa-check.swamid.se.

...

The Member organisation MUST be certified for SWAMID Identity Assurance Level 2 Profile [1].


5. Operational Requirements

...

Single-Factor and Multi-Factor OTP Devices have similar weaknesses to social engineering as passwords, but an OTP code can only be used once, and if a time-based OTP (TOTP) solution is used the risk is further reduced, though not negligible.
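The single-use property above only holds if the verifier enforces it. The following added example (not part of the SWAMID profile or of any SWAMID software) shows an RFC 4226/6238 TOTP verifier that accepts a code at most once and refuses any code for a time step at or before the last accepted one, while still tolerating one step of clock drift. The subject name, the enrolled secret and the time values are constructed for the example; the secret is the ASCII test-vector secret from RFC 6238.

```python
import base64
import hashlib
import hmac
import struct
from typing import Dict

TIME_STEP = 30       # RFC 6238 default step length in seconds
DIGITS = 6           # code length
ALLOWED_DRIFT = 1    # accept one step before/after the current one (clock skew)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // step)


class TotpVerifier:
    """Verifier that enforces single use of a TOTP code.

    For each subject the last accepted time step is remembered; a code belonging
    to that step or any earlier step is rejected, so a captured code cannot be
    replayed, not even inside its own 30 second validity window.
    """

    def __init__(self) -> None:
        self._secrets: Dict[str, bytes] = {}     # subject -> raw shared secret
        self._last_step: Dict[str, int] = {}     # subject -> last accepted counter

    def enrol(self, subject: str, base32_secret: str) -> None:
        self._secrets[subject] = base64.b32decode(base32_secret, casefold=True)

    def verify(self, subject: str, code: str, unix_time: int) -> bool:
        secret = self._secrets.get(subject)
        if secret is None or len(code) != DIGITS or not code.isdigit():
            return False
        current = unix_time // TIME_STEP
        last = self._last_step.get(subject, -1)
        for step in range(current - ALLOWED_DRIFT, current + ALLOWED_DRIFT + 1):
            if step <= last:
                continue  # this step (or an older one) has already been consumed
            if hmac.compare_digest(hotp(secret, step), code):
                self._last_step[subject] = step
                return True
        return False


if __name__ == "__main__":
    # Constructed demonstration: RFC 6238 test secret, constructed subject name.
    verifier = TotpVerifier()
    verifier.enrol("alice", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    code = totp(b"12345678901234567890", 59)
    print("first use:", verifier.verify("alice", code, 59))    # True
    print("replay:   ", verifier.verify("alice", code, 70))    # False
```

The drift window is what makes the replay bookkeeping necessary: because a code for the next step is accepted early, the verifier records that step as consumed so the same code is refused once the clock actually reaches it.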

...

  1. On-line authenticating the Subject with SWAMID Person-Proofed Multi-Factor Profile, or a comparable multi-factor authentication, using an external Identity Provider compliant with SWAMID Assurance Level 2 or higher,
  2. In-person visit at a service desk in combination with identity proofing as defined by the Swedish Tax Agency for issuance of the Swedish Tax Agency identity card,
  3. In-person visit at a service desk in combination with identity proofing with an international passport fulfilling ICAO Doc 9303, an EU/EEA national identity card fulfilling Regulation (EC) No 562/2006 of the European Parliament and of the Council, or an EU/EEA driving licence fulfilling Directive 2006/126/EC of the European Parliament and of the Council,
  4. Off-line using a registered address (sv. folkbokföringsadress) in combination with a time-limited one-time password/PIN code,
  5. Off-line using a copy of the same identification token as described in 2 or 3 above and a copy of a utility bill, in combination with a time-limited one-time password/PIN code sent to the postal address on the utility bill, or
  6. Other equivalent identity proofing method.

...

  1. On-line authenticating the Subject with SWAMID Person-Proofed Multi-Factor Profile with identity verification, or a comparable multi-factor authentication, using an external Identity Provider compliant with SWAMID Identity Assurance Level 2 Profile or higher,
  2. In-person visit at a service desk in combination with identity proofing as defined by the Swedish Tax Agency for issuance of the Swedish Tax Agency identity card,
  3. In-person visit at a service desk in combination with identity proofing with an international passport fulfilling International Civil Aviation Organization (ICAO) Doc 9303 Machine Readable Travel Documents [4], an EU/EEA national identity card fulfilling Regulation (EU) 2016/399 of the European Parliament and of the Council [5], or an EU/EEA driving licence fulfilling Directive 2006/126/EC of the European Parliament and of the Council of 20 December 2006 on driving licences [6],
  4. Off-line using certified mail with personal delivery to a postal address (sv. rekommenderat brev med personlig utlämning) in combination with a time-limited one-time password/PIN code, or
  5. Off-line using certified mail with personal delivery to a postal address (sv. rekommenderat brev med personlig utlämning) containing a preregistered device, unique for the Subject, that will be considered a vetted token on first use.

...