Versions Compared


...

Any existing Credential (for example a password) belonging to the Subject MUST NOT be used in the identity proofing in accordance with the REFEDS MFA Profile criteria.

Different Subjects within an Identity Provider MAY use single-factor authentication and multi-factor authentication independently of each other, i.e. not all Subjects need to be issued multi-factor credentials.

The second factor or full multi-factor must be issued to the Subjects without using the current single factor credential, i.e. password, for identity proofing in accordance with the REFEDS MFA Profile criteria.

...

Time-limited one-time passwords/PINs used in 5 should be valid only as long as needed for postal delivery of certified mail.


5.2.3 Multiple Multi-Factor Identity Proofing levels within one Identity Provider

A SWAMID Member Organisation MAY implement both Person-Proofed Multi-Factor and Person-Proofed Multi-Factor with high identity assurance within one Identity Provider.

The Member Organisation MUST maintain a record of all Subjects' Credentials and the identity proofing level used to issue them.

...

Renewal of credentials occurs when the Subject changes its credential using a normal password reset. Re-issuing occurs when credentials have been invalidated.


Replacement of second factor or full multi-factor MUST be done using the same methods as listed above for Credential Issuing.


Guidance

Processes for replacement of second factors or full multi-factors should be documented in the IMPS, section 5.3.

...

The purpose of this subsection is to ensure that credentials can be revoked.


5.4.1 The Member Organisation's ability to Revoke Credentials


The Member Organisation MUST be able to revoke a Subject's second factor or full multi-factor in order to

  • Stop the Subject's ability to use multi-factor authentication
  • Allow the Subject to replace the second factor or full multi-factor.


5.4.2 The Member Organisation's obligation to Revoke Credentials


The Member Organisation MUST revoke the Subject's ability to use multi-factor authentication according to the SWAMID Person-Proofed Multi-Factor Profile if the Subject's Credentials are known to be compromised.

The Member Organisation MUST revoke a second factor or full multi-factor along with all other credentials belonging to the Subject when the Subject is no longer affiliated with the Member Organisation. (We do not impose this requirement today; is it something we want to require? It causes problems for the institutions with "forever accounts".) - On the other hand, a Subject is by definition an individual who is affiliated with the Home Organisation. I think this wording partly fixes the situation where, if my account (username + password) is deactivated because I am on leave or otherwise absent, the account is not simply woken up again when I come back so that I get the second factor back into the bargain; in that case a complete Re-issue is required instead.

The item you added as item 2 is already in the Guidance below. I therefore removed it again.

What about the Guidance below?


Guidance

Processes for revocation of second factors or full multi-factors should be documented in the IMPS, section 5.4.

If a Subject's second factor or full multi-factor has been misused or compromised, the multi-factor should be revoked and the Subject should not be able to create a new one until the Subject is formally informed why the multi-factor was revoked.

If an individual is no longer affiliated with a Home Organisation, i.e. no longer a Subject, all of the Credentials belonging to that individual should be revoked, in order to avoid a situation where only the username and password are inactivated and later re-activated, with the second factor becoming active again without a re-issuing of the second factor.
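As an added illustration of the revocation and re-issuing rules in sections 5.3 and 5.4 (this is example code written for this page, not SWAMID's or any Member Organisation's implementation), the registry below models a Subject's credential record: the proofing level is stored with each second factor, ending an affiliation revokes every credential, restoring the affiliation gives back a password only, and a second factor revoked for compromise cannot be re-created until the Subject has been informed. The proofing-level labels, the username and the class and method names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed labels for the two proofing levels named in section 5.2.3
# (illustrative strings, not SWAMID identifiers).
PERSON_PROOFED_MFA = "person-proofed-mfa"
PERSON_PROOFED_MFA_HIGH = "person-proofed-mfa-high-assurance"


@dataclass
class Credential:
    kind: str                      # "password" or "second-factor"
    proofing_level: Optional[str]  # recorded at issuance, as section 5.2.3 requires
    active: bool = True
    revoked_reason: Optional[str] = None


@dataclass
class Subject:
    username: str
    affiliated: bool = True
    must_be_informed: bool = False                    # set after a compromise revocation
    credentials: List[Credential] = field(default_factory=list)  # full history, never deleted


class CredentialRegistry:
    """Hypothetical registry modelling the issuing, revocation and re-issuing rules."""

    def __init__(self) -> None:
        self.subjects = {}

    def add_subject(self, username: str) -> Subject:
        self.subjects[username] = Subject(username)
        return self.subjects[username]

    def _active(self, username: str, kind: str) -> List[Credential]:
        return [c for c in self.subjects[username].credentials if c.kind == kind and c.active]

    def issue_password(self, username: str) -> None:
        self.subjects[username].credentials.append(Credential("password", None))

    def issue_second_factor(self, username: str, proofing_level: str) -> None:
        s = self.subjects[username]
        if not s.affiliated:
            raise ValueError("only an affiliated Subject may be issued a second factor")
        if s.must_be_informed:
            raise ValueError("Subject must first be informed why the previous factor was revoked")
        # Proofing is a separate step that never relies on the password; record its level.
        s.credentials.append(Credential("second-factor", proofing_level))

    def revoke_second_factor(self, username: str, reason: str, compromised: bool = False) -> None:
        s = self.subjects[username]
        for c in self._active(username, "second-factor"):
            c.active = False
            c.revoked_reason = reason
        if compromised:
            s.must_be_informed = True  # blocks re-creation until mark_informed()

    def mark_informed(self, username: str) -> None:
        self.subjects[username].must_be_informed = False

    def end_affiliation(self, username: str) -> None:
        # Section 5.4.2: all credentials are revoked, not only the password.
        s = self.subjects[username]
        s.affiliated = False
        for c in s.credentials:
            if c.active:
                c.active = False
                c.revoked_reason = "affiliation ended"

    def restore_affiliation(self, username: str) -> None:
        # Re-activation restores a password only; the second factor needs a full re-issue.
        self.subjects[username].affiliated = True
        self.issue_password(username)

    def can_use_mfa(self, username: str) -> bool:
        s = self.subjects[username]
        return (s.affiliated
                and bool(self._active(username, "password"))
                and bool(self._active(username, "second-factor")))

    def proofing_levels_used(self, username: str) -> List[Optional[str]]:
        """The record of the proofing level behind every second factor ever issued."""
        return [c.proofing_level for c in self.subjects[username].credentials
                if c.kind == "second-factor"]


def leave_and_return_scenario() -> dict:
    """Walk through the situation the guidance warns about: leave, return, re-issue."""
    reg = CredentialRegistry()
    reg.add_subject("alice")  # constructed Subject
    reg.issue_password("alice")
    reg.issue_second_factor("alice", PERSON_PROOFED_MFA)
    before = reg.can_use_mfa("alice")
    reg.end_affiliation("alice")
    during = reg.can_use_mfa("alice")
    reg.restore_affiliation("alice")
    after_return = reg.can_use_mfa("alice")          # password only, no MFA yet
    reg.issue_second_factor("alice", PERSON_PROOFED_MFA_HIGH)
    after_reissue = reg.can_use_mfa("alice")
    return {"before": before, "during": during, "after_return": after_return,
            "after_reissue": after_reissue, "levels": reg.proofing_levels_used("alice")}


if __name__ == "__main__":
    print(leave_and_return_scenario())
```

The design point is that `restore_affiliation` deliberately does not touch the revoked second factor: the only way back to `can_use_mfa() == True` is a new `issue_second_factor` call, which is where the identity proofing record is written.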


6. Syntax

If a member organisation's Identity Provider is approved for Person-Proofed Multi-Factor the Identity Provider is tagged in the SWAMID metadata with the assurance certification attribute http://www.swamid.se/policy/authentication/swamid-p2mfa
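As an added example of how a Service Provider can act on this tag (example code written for this page, not SWAMID's own tooling), the snippet below parses a small constructed SAML metadata document and reports which Identity Providers carry the swamid-p2mfa value. It assumes the tag is published the usual way for assurance certifications, as an `EntityAttributes` extension whose attribute name is `urn:oasis:names:tc:SAML:attribute:assurance-certification`, and uses the REFEDS MFA authentication context `https://refeds.org/profile/mfa` to show how an SP should only trust a claimed MFA login from a certified IdP. The entityIDs and the metadata content are constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Set

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ASSURANCE_CERTIFICATION = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
SWAMID_P2MFA = "http://www.swamid.se/policy/authentication/swamid-p2mfa"
REFEDS_MFA = "https://refeds.org/profile/mfa"  # REFEDS MFA Profile authentication context

# Constructed metadata: one IdP tagged for swamid-p2mfa, one not tagged at all.
SAMPLE_METADATA = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification"
                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>http://www.swamid.se/policy/authentication/swamid-p2mfa</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.other.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def assurance_certifications(entity: ET.Element) -> Set[str]:
    """Collect every assurance-certification value published for one EntityDescriptor."""
    values = set()
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") != ASSURANCE_CERTIFICATION:
            continue
        for v in attr.findall("saml:AttributeValue", NS):
            if v.text:
                values.add(v.text.strip())
    return values


def p2mfa_certified_idps(metadata_xml: str) -> Dict[str, bool]:
    """Map each IdP entityID in the metadata to whether it is tagged swamid-p2mfa."""
    root = ET.fromstring(metadata_xml)
    result = {}
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if entity.find("md:IDPSSODescriptor", NS) is None:
            continue  # SPs and other roles are not relevant here
        result[entity.get("entityID")] = SWAMID_P2MFA in assurance_certifications(entity)
    return result


def accept_as_mfa(metadata_xml: str, issuer: str, authn_context: str) -> bool:
    """Treat a login as person-proofed MFA only if the IdP claims the REFEDS MFA
    context AND SWAMID has tagged that IdP as certified for swamid-p2mfa."""
    if authn_context != REFEDS_MFA:
        return False
    return p2mfa_certified_idps(metadata_xml).get(issuer, False)


if __name__ == "__main__":
    for entity_id, certified in p2mfa_certified_idps(SAMPLE_METADATA).items():
        print(entity_id, "swamid-p2mfa" if certified else "not certified")
```

An SP that skips the metadata check and trusts the authentication context alone lets any IdP self-declare person-proofed MFA; the tag in SWAMID's signed metadata is what ties the claim to an approved Identity Provider.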

...