
Draft

This is a SWAMID working draft for discussions within the community. This draft profile may be changed based on the discussions!


1. Terminology and Typographical Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

Text in Italics is non-normative. All other text is normative unless otherwise stated.

All normative parts of the profile are governed by the SWAMID Board of Trustees.

The non-normative guidance is maintained by the SWAMID operations team.

1.1 Definition of terminology

Home Organisation: The SWAMID Member Organisation with which a Subject is affiliated, operating the Identity Provider by itself or through a third party.

Member Organisation: Used in this document as a synonym for Home Organisation.

Subject: Any natural person, i.e. end user, affiliated with a Home Organisation, e.g. as a teacher, researcher, staff or student.

Relying Party (RP): A Service that relies upon a Subject's credentials, typically to process a transaction or grant access to information or a system. Also called a Service Provider (SP).

Identity Provider (IdP): The system component that issues Attribute assertions on behalf of Subjects, who use them to access the services of a Relying Party.

Second factor: A second, independent factor that is used in addition to the Subject's first factor in order to provide the Subject with the ability to use multi-factor authentication. Normally this means adding a second factor where the Subject's first factor is a memorised secret, i.e. a password, or a biometric, e.g. a fingerprint.

Full multi-factor: A complete new set of credentials assigned to the Subject in order to provide the Subject with the ability to use multi-factor authentication. This new set of credentials is by itself composed of at least two independent factors (e.g. a smart card activated by a PIN) and does not depend in any way on the Subject's normally used memorised secret, i.e. the password.


2. Purpose, Scope and Summary 


This document defines how a SWAMID Member Organisation SHOULD implement a multi-factor solution in order to be certified by SWAMID for person-proofed multi-factor authentication in a federated environment. A person-proofed second factor or a person-proofed full multi-factor combines the use of multi-factor authentication with an assurance that the multi-factor authenticator has been distributed to the intended Subject.

There are two levels of identity proofing defined for person-proofed multi-factor in this profile: one based on the identity proofing in the SWAMID Identity Assurance Level 2 Profile [2], and one extended with identity proofing based on a defined set of identity cards and passports.

This SWAMID Person-Proofed Multi-Factor Profile is a Swedish extension to the REFEDS Multi-Factor Authentication (MFA) Profile [1].


Guidance

The intended use of this SWAMID profile is when authentication must be done with a high assurance that it is the correct Subject that is accessing a specific service. Please note that it is possible, or even preferred, to use multi-factor authentication without this level of identity assurance in a federated environment, but that use does not fulfil this person-proofed multi-factor profile.

3. Compliance and Audit

Evidence of compliance with this profile MUST be part of the Identity Management Practice Statement (IMPS), maintained as a part of the SWAMID membership process. The Identity Management Practice Statement MUST describe how the organisation fulfils the normative parts of this document.

Audit of this profile uses the same procedures as for SWAMID AL2. The Member organisation MUST perform a successful technical validation of their Identity Provider in the official SWAMID multi-factor validation service.


Guidance

The validation service is located at https://mfa-check.swamid.se.


4. Organisational Requirements

The purpose of this section is to define conditions regarding participating organisations' responsibilities.


The Member organisation MUST be certified for SWAMID Identity Assurance Level 2 Profile [2].


5. Operational Requirements

The purpose of this section is to define conditions and guidance regarding use of person-proofed multi-factor authentication.


Only Subjects currently at SWAMID Identity Assurance Level 2 are allowed to authenticate themselves according to this Profile.

A Member Organisation MUST fulfil the REFEDS MFA Profile criteria.


Guidance

Original criteria repeated from the REFEDS MFA Profile for convenience:

By asserting the URI https://refeds.org/profile/mfa (the AuthnContextClassRef defined by the REFEDS MFA Profile), an Identity Provider claims that:

  • The authentication of the user’s current session used a combination of at least two of the four distinct types of factors defined in ITU-T X.1254: Entity authentication assurance framework, section 3.1.3, authentication factor (something you know, something you have, something you are, something you do).
  • The factors used are independent, in that access to one factor does not by itself grant access to other factors.
  • The combination of the factors mitigates single-factor only risks related to non-real-time attacks such as phishing, offline cracking, online guessing and theft of a (single) factor.


5.1 Credential Operating Environment

The selected second factor or full multi-factor solution MUST be based on the Single-Factor and Multi-Factor Authenticator Types defined in NIST SP 800-63B [3]:

Second factor (together with a memorised secret or a biometric)

  • Single-Factor OTP Device
  • Single-Factor Cryptographic Software
  • Single-Factor Cryptographic Device

Full multi-factor

  • Multi-Factor OTP Device
  • Multi-Factor Cryptographic Software
  • Multi-Factor Cryptographic Device


Guidance

The choice of multi-factor technology should be documented, together with the use of passwords, in IMPS section 5.1 Credential Operating Environment.

Single-Factor and Multi-Factor OTP Devices have the same weakness to social engineering as passwords, but an OTP code can only be used once, and if a time-based OTP (TOTP) solution is used the risk is further reduced, although not negligible.

SWAMID has published a set of valid choices for second factor and full multi-factor solutions in the SWAMID wiki.


5.2 Credential Issuing

...this needs to be split in two, one for MFA under AL2 and one for High Assurance MFA...


Credential Issuing of a second factor or full multi-factor at SWAMID AL2 MUST be done using one of the following methods:

  a) On-line, by multi-factor authenticating the Subject at SWAMID AL2 Profile or higher level using an external Identity Provider compliant with the SWAMID AL2 Profile or higher,

  b) In-person visit at a service desk in combination with identity proofing as defined by the Swedish Tax Agency for issuance of the Swedish Tax Agency identity card,

  c) In-person visit at a service desk in combination with identity proofing with an international passport fulfilling International Civil Aviation Organization (ICAO) Doc 9303 Machine Readable Travel Documents [4], an EU/EEA national identity card fulfilling Regulation (EU) 2016/399 of the European Parliament and of the Council [5] or an EU/EEA driving licence fulfilling Directive 2006/126/EC of the European Parliament and of the Council of 20 December 2006 on driving licences [6],

  d) Off-line using a registered address (sv. folkbokföringsadress) in combination with a time-limited one-time password/PIN code,

  e) Off-line using a copy of the same identification document as described in b) or c) above and a copy of a utility bill, in combination with a time-limited one-time password/PIN code sent to the postal address on the utility bill, or

  f) Other equivalent identity proofing method.



Credential Issuing of a second factor or full multi-factor for SWAMID High Assurance MUST be done using one of the following methods:

    1. On-line, by multi-factor authenticating the Subject at SWAMID MFA Profile or higher level using an external Identity Provider compliant with the SWAMID MFA Profile or higher,

    2. In-person visit at a service desk in combination with identity proofing as defined by the Swedish Tax Agency for issuance of the Swedish Tax Agency identity card,

    3. In-person visit at a service desk in combination with identity proofing with an international passport fulfilling International Civil Aviation Organization (ICAO) Doc 9303 Machine Readable Travel Documents [4], an EU/EEA national identity card fulfilling Regulation (EU) 2016/399 of the European Parliament and of the Council [5] or an EU/EEA driving licence fulfilling Directive 2006/126/EC of the European Parliament and of the Council of 20 December 2006 on driving licences [6],

    4. Off-line using certified mail with personal delivery (sv. rekommenderat brev med personlig utlämning) to a postal address, in combination with a time-limited one-time password/PIN code, or

    5. Off-line using certified mail with personal delivery (sv. rekommenderat brev med personlig utlämning) to a postal address, containing a preregistered device, unique for the Subject, that is considered a vetted token on first use.



Guidance: Processes for issuing and assigning credentials (second factor or full multi-factor) for person-proofed multi-factor authentication should be documented in IMPS section 5.2 Credential Issuing (more precisely in 5.2.5).

Guidance: The second factor or full multi-factor must be issued separately from the Subject's first-factor credential, i.e. the password, in accordance with the REFEDS MFA Profile criteria (the factors must be independent).

Guidance: Multi-factor solutions provided within the Swedish E-identification system fulfil the requirements for on-line multi-factor authentication and can be used for on-line identity vetting if allowed by the E-identification issuer. Likewise, authentication via eIDAS with assurance level substantial or high fulfils the requirements.


5.3 Credential Renewal and Re-issuing

Replacement of second factor or full multi-factor MUST be done using the same methods as listed above for Credential Issuing.

Guidance: Processes for replacement of additional factors or full multi-factor should be documented in IMPS section 5.3 Credential Renewal and Re-issuing.

5.4 Credential Revocation

...something needs to go in here...

Guidance: Processes for revocation of a second factor or full multi-factor MUST be documented in IMPS section 5.4 Credential Revocation.


6. Syntax

The Member Organisation's Identity Provider is tagged in the SWAMID federation metadata with the assurance certification attribute http://www.swamid.se/policy/authentication/refeds-mfa if <proofing without ID>.

The Member Organisation's Identity Provider is tagged in the SWAMID federation metadata with the assurance certification attribute http://www.swamid.se/policy/authentication/high-assurance if <proofing with ID>.

...we also need to add text about eduPersonAssurance for high assurance...

In accordance with the REFEDS MFA Profile, compliance with this Person-Proofed Multi-Factor Profile is communicated in a SAML assertion by asserting the AuthnContextClassRef https://refeds.org/profile/mfa.
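A Relying Party that needs person-proofed MFA has to combine the two signals this section describes: the metadata tag says the IdP is certified for the level, and the AuthnContextClassRef says the current session actually used MFA. Neither alone is enough. The following is an added illustration, not SWAMID's or REFEDS' own code; it assumes the assurance certification entity attribute is named urn:oasis:names:tc:SAML:attribute:assurance-certification (the page does not state the attribute name), and it runs on constructed metadata and assertion fragments embedded in the block. Signature, audience and validity checks are left to the SAML library in use; only the assurance logic is shown.

```python
"""Relying-party checks for the person-proofed MFA profile (added example,
not SWAMID's or REFEDS' code). Combines two signals from section 6:
  1. federation metadata: the IdP's EntityDescriptor carries the SWAMID
     assurance-certification entity attribute for the required level;
  2. the SAML assertion: the session's AuthnStatement asserts REFEDS MFA.
Assumed (not stated on the page): the entity attribute is named
urn:oasis:names:tc:SAML:attribute:assurance-certification.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ASSURANCE_CERT_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"  # assumed name
REFEDS_MFA = "https://refeds.org/profile/mfa"
SWAMID_AL2 = "http://www.swamid.se/policy/assurance/al2"
SWAMID_REFEDS_MFA = "http://www.swamid.se/policy/authentication/refeds-mfa"
SWAMID_HIGH_ASSURANCE = "http://www.swamid.se/policy/authentication/high-assurance"


def _entity(entity_id, *certifications):
    """Constructed EntityDescriptor carrying an assurance-certification entity attribute."""
    values = "".join(f"<saml:AttributeValue>{c}</saml:AttributeValue>" for c in certifications)
    return (
        f'<md:EntityDescriptor entityID="{entity_id}"><md:Extensions>'
        f'<mdattr:EntityAttributes><saml:Attribute Name="{ASSURANCE_CERT_ATTR}">'
        f"{values}</saml:Attribute></mdattr:EntityAttributes></md:Extensions>"
        '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
        "</md:EntityDescriptor>"
    )


# Constructed federation metadata: one IdP certified for high assurance, one only for refeds-mfa.
SAMPLE_METADATA = (
    '<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    + _entity("https://idp-high.example.se/idp", SWAMID_AL2, SWAMID_HIGH_ASSURANCE)
    + _entity("https://idp-mfa.example.se/idp", SWAMID_AL2, SWAMID_REFEDS_MFA)
    + "</md:EntitiesDescriptor>"
)


def make_assertion(issuer, class_ref):
    """Constructed, unsigned assertion fragment with a single AuthnContextClassRef."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">'
        f"<saml:Issuer>{issuer}</saml:Issuer><saml:AuthnStatement><saml:AuthnContext>"
        f"<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"
    )


def idp_certifications(metadata_xml):
    """Map entityID -> set of assurance-certification URIs found in the metadata."""
    root = ET.fromstring(metadata_xml)
    certs = {}
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        found = set()
        for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            if attr.get("Name") == ASSURANCE_CERT_ATTR:
                found.update((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
        certs[ed.get("entityID")] = found
    return certs


def assertion_authn_contexts(assertion_xml):
    """Return (issuer entityID, [AuthnContextClassRef, ...]) from an assertion."""
    root = ET.fromstring(assertion_xml)
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    path = "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return issuer, [(r.text or "").strip() for r in root.findall(path, NS)]


def accept_person_proofed_mfa(metadata_xml, assertion_xml, required_certification):
    """Accept only if the issuing IdP is certified for required_certification in
    metadata AND every AuthnStatement of this session asserts exactly REFEDS MFA.
    A certified IdP may still have used a password for this session, and an
    uncertified IdP may assert the MFA URI, so both checks are needed."""
    certs = idp_certifications(metadata_xml)
    issuer, refs = assertion_authn_contexts(assertion_xml)
    if required_certification not in certs.get(issuer, set()):
        return False
    return bool(refs) and all(r == REFEDS_MFA for r in refs)


def requested_authn_context():
    """RequestedAuthnContext for the RP's AuthnRequest; Comparison="exact" so the
    IdP cannot satisfy it with a weaker context class."""
    return (
        '<samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Comparison="exact">'
        f"<saml:AuthnContextClassRef>{REFEDS_MFA}</saml:AuthnContextClassRef>"
        "</samlp:RequestedAuthnContext>"
    )


if __name__ == "__main__":
    high = "https://idp-high.example.se/idp"
    print(accept_person_proofed_mfa(SAMPLE_METADATA, make_assertion(high, REFEDS_MFA), SWAMID_HIGH_ASSURANCE))  # True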

7. References

[1] REFEDS Multi-Factor Authentication (MFA) Profile: https://refeds.org/profile/mfa

[2] SWAMID Identity Assurance Level 2 Profile: http://www.swamid.se/policy/assurance/al2

[3] NIST Special Publication 800-63B - Digital Identity Guidelines - Authentication and Lifecycle Management: https://doi.org/10.6028/NIST.SP.800-63b

[4] International Civil Aviation Organization (ICAO) Doc 9303 Machine Readable Travel Documents: https://www.icao.int/publications/pages/publication.aspx?docnum=9303

[5] Regulation (EU) 2016/399 of the European Parliament and of the Council: http://data.europa.eu/eli/reg/2016/399/oj

[6] Directive 2006/126/EC of the European Parliament and of the Council of 20 December 2006 on driving licences: http://data.europa.eu/eli/dir/2006/126/oj
