...

Warning: Draft

This is a SWAMID working draft for discussions within the community. This draft profile may be changed based on the discussions!


1. Terminology and Typographical Conventions

...

Identity Provider (IdP): The system component that issues Attribute assertions on behalf of Subjects, who use them to access the services of a Relying Party.

First factor: A knowledge-based authentication factor (i.e., “something you know”) or an inherent authentication factor (i.e., “something you are”) used by the Subject together with a second factor to form a multi-factor. Traditionally the knowledge-based factor is the password used for single-factor authentication. An inherent authentication factor (i.e., “something you are”) can not be used as a standalone single authentication factor but can be used together with a second factor.

Second factor: A second, independent, possession-based authentication factor (i.e., “something you have”) that is used in addition to the Subject's first factor in order to provide the Subject with the ability to use multi-factor authentication.

...

Not all Subjects within an Identity Provider need to use the same credential types: some of them can only use passwords, some Person-Proofed Multi-Factors and some Person-Proofed Multi-Factors with high identity assurance. A Subject can also have multiple credential types at the same time. It is however important that the Home Organisation maintains a record of the credential types a Subject can use and can correctly inform Relying Parties about the credential type used, if requested by the Relying Party.

Person-Proofed Multi-Factor (SWAMID AL2-MFA)

A multi-factor authenticator issued and proofed to a Subject fulfilling the requirements of the SWAMID Identity Assurance Level 2 Profile, with additional identity proofing requirements for on-line proofing.

Person-Proofed Multi-Factor with high identity assurance (SWAMID AL2-MFA-HI)

A multi-factor authenticator issued and proofed to a Subject fulfilling the requirements of the SWAMID Identity Assurance Level 2 Profile, with additional identity proofing requirements based on verifying the Subject with defined identity cards or passports.

...

It is not recommended for a specific Subject to have both a Person-Proofed Multi-Factor and a Person-Proofed Multi-Factor with high identity assurance at the same time, because of the importance of differentiating between them at the time of authentication and attribute release.

5.2.1 Issuing a Person-Proofed Multi-Factor (SWAMID AL2-MFA)

Issuing a second factor, or a full multi-factor credential, fulfilling the SWAMID Identity Assurance Level 2 Profile MUST be done using one of the following methods:

...

Time-limited one-time passwords/PINs used in methods 5 and 6 should be valid only as long as needed for postal delivery. "Copy" in method 6 means a scan, a photo or a hardcopy of the identity card/passport.

5.2.2 Issuing a Person-Proofed Multi-Factor with high identity assurance (SWAMID-AL2-MFA-HI)

Issuing a second factor, or a full multi-factor credential, fulfilling the SWAMID Identity Assurance Level 2 Profile with high identity assurance MUST be done using one of the following methods:

...

If a member organisation's Identity Provider is approved for Person-Proofed Multi-Factor, the Identity Provider is tagged in the SWAMID metadata with the assurance certification attribute value http://www.swamid.se/policy/authentication/swamid-al2-mfa.

If a member organisation's Identity Provider in addition is approved for Person-Proofed Multi-Factor with high identity assurance, the Identity Provider is also tagged in the SWAMID metadata with the assurance certification attribute value http://www.swamid.se/policy/authentication/swamid-al2-mfa-hi.


In accordance with the REFEDS MFA Profile:

...

When a Subject performs a multi-factor authentication based on the Person-Proofed Multi-Factor with high identity assurance, the Identity Provider MUST add the value http://www.swamid.se/policy/authentication/swamid-al2-mfa-hi to the attribute eduPersonAssurance of the Subject, in order for the Relying Party to be able to distinguish between the two identity proofing levels of multi-factor authentication.
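The two signals above (the IdP's assurance certification tags in SWAMID metadata, and the eduPersonAssurance value the IdP adds to the assertion) are what a Relying Party combines to decide which level of multi-factor it actually got. The following is an added example of that Relying-Party-side check; it is not code from the SWAMID draft. It assumes the SAML metadata and assertion have already been parsed into plain Python values, that a multi-factor login is signalled by the REFEDS MFA authentication context class https://refeds.org/profile/mfa (the REFEDS section of the draft is elided here), and that the entity IDs and attribute values in the sample data are constructed for the example.

```python
"""Relying-Party evaluation of SWAMID multi-factor assurance (added example).

The SWAMID URIs are the ones the draft specifies; the REFEDS MFA context
class is the one published by REFEDS. Everything else (entity IDs, sample
assertions) is constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assurance certification values the draft tags approved IdPs with in metadata.
SWAMID_AL2_MFA = "http://www.swamid.se/policy/authentication/swamid-al2-mfa"
SWAMID_AL2_MFA_HI = "http://www.swamid.se/policy/authentication/swamid-al2-mfa-hi"
# REFEDS MFA profile: AuthnContextClassRef an IdP returns when MFA was performed
# (assumption: the RP treats this as the only acceptable MFA signal).
REFEDS_MFA = "https://refeds.org/profile/mfa"


@dataclass
class IdPMetadata:
    """What the RP learned about the IdP from SWAMID metadata."""
    entity_id: str
    assurance_certifications: list = field(default_factory=list)


@dataclass
class Assertion:
    """The parts of a received SAML assertion this check needs."""
    issuer: str
    authn_context_class_ref: Optional[str]
    attributes: dict = field(default_factory=dict)  # friendly name -> list of values


@dataclass
class Decision:
    level: Optional[str]  # "AL2-MFA-HI", "AL2-MFA" or None
    reason: str


def evaluate_mfa_assurance(idp: IdPMetadata, assertion: Assertion) -> Decision:
    """Combine metadata certification and assertion content into one decision.

    The assertion alone is never trusted for a level the IdP is not approved
    for in metadata: an IdP may only assert AL2-MFA-HI if SWAMID tagged it so.
    """
    if assertion.issuer != idp.entity_id:
        return Decision(None, "assertion issuer does not match the metadata entity")
    if assertion.authn_context_class_ref != REFEDS_MFA:
        return Decision(None, "no REFEDS MFA context: treat as single-factor login")
    approved = set(idp.assurance_certifications)
    if SWAMID_AL2_MFA not in approved:
        return Decision(None, "IdP is not approved for Person-Proofed Multi-Factor")
    asserted = set(assertion.attributes.get("eduPersonAssurance", []))
    if SWAMID_AL2_MFA_HI in asserted:
        if SWAMID_AL2_MFA_HI not in approved:
            # The IdP claims a level SWAMID never certified it for: reject.
            return Decision(None, "IdP asserts AL2-MFA-HI without SWAMID approval")
        return Decision("AL2-MFA-HI", "MFA with high identity assurance credential")
    return Decision("AL2-MFA", "MFA with Person-Proofed Multi-Factor credential")


def meets(required: str, decision: Decision) -> bool:
    """True if the achieved level is at least the level the service requires."""
    order = {None: 0, "AL2-MFA": 1, "AL2-MFA-HI": 2}
    return order[decision.level] >= order[required]


# Constructed sample data (not real entities).
IDP_HI = IdPMetadata("https://idp.example.edu/idp", [SWAMID_AL2_MFA, SWAMID_AL2_MFA_HI])
IDP_PLAIN = IdPMetadata("https://idp.example.org/idp", [SWAMID_AL2_MFA])
LOGIN_HI = Assertion(IDP_HI.entity_id, REFEDS_MFA,
                     {"eduPersonAssurance": [SWAMID_AL2_MFA_HI]})
LOGIN_MFA = Assertion(IDP_HI.entity_id, REFEDS_MFA, {})
LOGIN_PASSWORD = Assertion(IDP_HI.entity_id,
                           "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", {})
LOGIN_OVERCLAIM = Assertion(IDP_PLAIN.entity_id, REFEDS_MFA,
                            {"eduPersonAssurance": [SWAMID_AL2_MFA_HI]})

if __name__ == "__main__":
    for name, idp, a in [("hi", IDP_HI, LOGIN_HI), ("mfa", IDP_HI, LOGIN_MFA),
                         ("password", IDP_HI, LOGIN_PASSWORD),
                         ("overclaim", IDP_PLAIN, LOGIN_OVERCLAIM)]:
        d = evaluate_mfa_assurance(idp, a)
        print(f"{name:10} -> {d.level} ({d.reason})")
```

The metadata check is the important design choice: eduPersonAssurance tells the RP what the IdP says about this login, but only the SWAMID assurance certification in metadata tells it whether the IdP has been approved to say so, which is why an assertion carrying the high-assurance value from an IdP that is only tagged for AL2-MFA is rejected rather than accepted at face value.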

...