Versions Compared

...

The selected second factor or full multi-factor solution technology MUST be based on the Single-Factor and Multi-Factor Authenticator Types within NIST 800-63B [3].

...

  • Multi-Factor OTP Device
  • Multi-Factor Cryptographic Software
  • Multi-Factor Cryptographic Device

The selected second factor or full multi-factor technology MUST be protected against credential cloning and MUST NOT be possible to move between physical devices.


Guidance

The choice of multi-factor technology should be documented, together with the use of passwords, in the IMPS, section 5.1.

...

  1. On-line authenticating the Subject using a Person-Proofed Multi-Factor, or higher, using an external Identity Provider compliant with the SWAMID Person-Proofed Multi-Factor Profile,
  2. On-line authenticating the Subject using a multi-factor issued according to the Swedish E-identification system using an external Identity Provider compliant with the Swedish E-identification Level of Assurance 2 or higher,
  3. On-line authenticating the Subject using a Person-Proofed Multi-Factor, or higher, already issued to the Subject in the Home Organisation's Identity Provider,
  4. In-person visit at a service desk in combination with identity proofing as defined by the Swedish Tax Agency for issuance of the Swedish Tax Agency identity card,
  5. In-person visit at a service desk in combination with identity proofing with an international passport fulfilling ICAO Doc 9303, an EU/EES national identity card fulfilling the European Commission Regulation No 562/2006 or an EU/EES driving license fulfilling the European Parliament and the Council of European Union Directive 2006/126/EC,
  6. Off-line using a postal registered address (sv. folkbokföringsadress) in combination with a time-limited one time activation password/pin code,
  7. Off-line using a copy of the same identification token as described in 4 or 5 above and a copy of a utility bill, not older than 3 months, in combination with a time-limited one time activation password/pin code sent to the postal address on the utility bill,
  8. Off-line using a postal registered address (sv. folkbokföringsadress) with a preregistered device, unique for the Subject, that will be considered as a Person-Proofed Multi-Factor on first use,
  9. Off-line using a copy of the same identification token as described in 4 or 5 above and a copy of a utility bill, not older than 3 months, with a preregistered device, unique for the Subject, sent to the postal address on the utility bill that will be considered as a Person-Proofed Multi-Factor on first use, or
  10. Other identity proofing method deemed equivalent by SWAMID Board of Trustees.

...

If you are using Identity Providers within the Swedish E-identification system you must also accept authentication via eIDAS with assurance level low, substantial or high if you can bind the identity of the Subject.

Allowing the user to add multiple multi-factors (3 above) by proving possession increases flexibility for users, i.e. it allows multiple devices or software cryptographic keys to be tied to the same user.

Time-limited one time passwords/pins used in 6 & 7 should be valid only as long as needed for postal delivery. Copy in 7 means either a scan, a photo or a hardcopy of the identity card/passport.

...

  1. On-line authenticating the Subject using a Person-Proofed Multi-Factor with high identity assurance using an external Identity Provider compliant with the SWAMID Person-Proofed Multi-Factor Profile,
  2. On-line authenticating the Subject using a multi-factor issued according to the Swedish E-identification system using an external Identity Provider compliant with the Swedish E-identification Level of Assurance 3 or higher,
  3. On-line authenticating the Subject using a Person-Proofed Multi-Factor with high identity assurance already issued to the Subject in the Home Organisation's Identity Provider,
  4. In-person visit at a service desk in combination with identity proofing as defined by the Swedish Tax Agency for issuance of the Swedish Tax Agency identity card,
  5. In-person visit at a service desk in combination with identity proofing with an international passport fulfilling International Civil Aviation Organization (ICAO) Doc 9303 Machine Readable Travel Documents [4], an EU/EES national identity card fulfilling the Regulation (EU) 2016/399 of the European Parliament and of the Council [5] or an EU/EES driving license fulfilling the Directive 2006/126/EC of the European Parliament and of the Council of 20 December 2006 on driving licences [6],
  6. Off-line using a postal certified mail (sv. rekommenderat brev med personlig utlämning) in combination with a time-limited one time activation password/pin code, or
  7. Off-line using a postal certified mail (sv. rekommenderat brev med personlig utlämning) with a preregistered device, unique for the Subject, that will be considered as a Person-Proofed Multi-Factor with high identity assurance on first use.

...

If you are using Identity Providers within the Swedish E-identification system you must also accept authentication via eIDAS with assurance level substantial or high if you can bind the identity of the Subject.

Allowing the user to add multiple multi-factors (3 above) by proving possession increases flexibility for users, i.e. it allows multiple devices or software cryptographic keys to be tied to the same user.

Time-limited one time passwords/pins used in 5 should be valid only as long as needed for postal delivery of certified mail.

...