Versions Compared

...

The purpose of this subsection is to ensure that the Identity Provider has control over the issuing process of the multi-factor.

Any existing Credential (for example a password) belonging to the Subject MUST NOT be used in the

The second factor or full multi-factor must be issued to the Subjects without only using the current single factor credential, i.e. password, for identity proofing in accordance with the REFEDS MFA Profile criteria.

Subjects within an Identity Provider MAY use single factor authentication and multi-factor authentication independently of each other, i.e. all Subjects need not be issued multi-factor credentials.

The second factor or full multi-factor must be issued to the Subjects without using the current single factor credential, i.e. password, for identity proofing in accordance with the REFEDS MFA Profile criteria.

Not all Subjects within an Identity Provider need to use the same credential types: some of them can use only passwords, some Person-Proofed Multi-Factors and some Person-Proofed Multi-Factors with high identity assurance. A Subject can also have multiple credential types at the same time, but it is important that the Home Organisation maintains a record of the credential types a Subject can use and can correctly inform Relying Parties about the credential type used if requested by the Relying Party.

Person-Proofed Multi-Factor (SWAMID P2MFA)

...

Processes for issuing and assigning multi-factor credentials (second factor or full multi-factor) should be documented together with the initial credential issuing in the IMPS, section 5.2.

...

It's not recommended for a specific Subject to have Person-Proofed Multi-Factors and a Person-Proofed Multi-Factors with high identity assurance at the same time, due to the importance of differentiating between them at the time of authentication and attribute release.

5.2.1 Issuing a Person-Proofed Multi-Factor

Issuing of a second factor or full multi-factor fulfilling the SWAMID Identity Assurance Level 2 Profile MUST be done using one of the following methods:

  1. On-line authenticating the Subject using a Person-Proofed Multi-Factor, or higher, using an external Identity Provider compliant with the SWAMID Person-Proofed Multi-Factor Profile,
  2. On-line authenticating the Subject using a multi-factor issued according to the Swedish E-identification system using an external Identity Provider compliant with the Swedish E-identification Level of Assurance 2 or higher,
  3. In-person visit at a service desk in combination with identity proofing as defined by the Swedish Tax Agency for issuance of the Swedish Tax Agency identity card,
  4. In-person visit at a service desk in combination with identity proofing with an international passport fulfilling ICAO Doc 9303, an EU/EES national identity card fulfilling the European Commission Regulation No 562/2006 or an EU/EES driving license fulfilling the European Parliament and the Council of European Union Directive 2006/126/EC,
  5. Off-line using a postal registered address (sv. folkbokföringsadress) in combination with a time-limited one time activation password/pin code,
  6. Off-line using a copy of the same identification token as described in 3 or 4 above and a copy of a utility bill, not older than 3 months, in combination with a time-limited one time activation password/pin code sent to the postal address on the utility bill,
  7. Off-line using a postal registered address (sv. folkbokföringsadress) with a preregistered device, unique for the Subject, that will be considered as a Person-Proofed Multi-Factor on first use,
  8. Off-line using a copy of the same identification token as described in 3 or 4 above and a copy of a utility bill, not older than 3 months, with a preregistered device, unique for the Subject, sent to the postal address on the utility bill that will be considered as a Person-Proofed Multi-Factor on first use, or
  9. Other identity proofing method deemed equivalent by SWAMID Board of Trustees.

...

  1. On-line authenticating the Subject using a Person-Proofed Multi-Factor with high identity assurance using an external Identity Provider compliant with the SWAMID Person-Proofed Multi-Factor Profile,
  2. On-line authenticating the Subject using a multi-factor issued according to the Swedish E-identification system using an external Identity Provider compliant with the Swedish E-identification Level of Assurance 3 or higher,
  3. In-person visit at a service desk in combination with identity proofing as defined by the Swedish Tax Agency for issuance of the Swedish Tax Agency identity card,
  4. In-person visit at a service desk in combination with identity proofing with an international passport fulfilling International Civil Aviation Organization (ICAO) Doc 9303 Machine Readable Travel Documents [4], an EU/EES national identity card fulfilling the Regulation (EU) 2016/399 of the European Parliament and of the Council [5] or an EU/EES driving license fulfilling the Directive 2006/126/EC of the European Parliament and of the Council of 20 December 2006 on driving licences [6],
  5. Off-line using a postal certified mail (sv. rekommenderat brev med personlig utlämning) in combination with a time-limited one time activation password/pin code, or
  6. Off-line using a postal certified mail (sv. rekommenderat brev med personlig utlämning) with a preregistered device, unique for the Subject, that will be considered as a Person-Proofed Multi-Factor with high identity assurance on first use.

...

The Member Organisation MUST revoke the Subject's ability to use multi-factor authentication according to the SWAMID Person-Proofed Multi-Factor Profile if the Subject's Credentials are known to be compromised or misused. The Member Organisation MUST revoke a second factor or full multi-factor along with all other credentials belonging to the Subject when the Subject is no longer affiliated with the Member Organisation. (We do not impose this requirement today; is it something we want to require? It causes problems for the institutions with "forever accounts".) On the other hand, a Subject is by definition an individual who is affiliated with the Home Organisation. What about the Guidance below?

Guidance

Processes for revocation of second factors or full multi-factors should be documented in the IMPS, section 5.4.

...