
Draft

This is a SWAMID working draft for discussions within the community. This draft profile may be changed based on the discussions!


1. Terminology and Typographical Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC2119.

Text in Italics is non-normative. All other text is normative unless otherwise stated.

All normative parts of the profile are governed by the SWAMID Board of Trustees.

The non-normative parts (guidance) are maintained by the SWAMID operations team.

1.1 Definition of terminology

Home Organisation: The SWAMID Member Organisation with which a Subject is affiliated, operating the Identity Provider by itself or through a third party.

Member Organisation: Used in this document as a synonym for Home Organisation.

Subject: Any natural person, i.e. end user, affiliated with a Home Organisation, e.g. as a teacher, researcher, staff or student.

Relying Party (RP): A Service that relies upon a Subject's credentials, typically to process a transaction or grant access to information or a system. Also called a Service Provider (SP).

Identity Provider (IdP): The system component that issues Attribute assertions on behalf of Subjects, who use them to access the services of a Relying Party.

Second factor: A second independent single factor that is used in addition to the Subject's first factor in order to provide the Subject with the ability to use multi-factor authentication. Normally this means adding a second factor where the Subject's first factor is a memorised secret, i.e. a password, or a biometric, i.e. fingerprints.

Full multi-factor: A complete new set of credentials assigned to the Subject in order to provide the Subject with the ability to use multi-factor authentication. This new set of credentials is by itself composed of at least two dependent factors (e.g. a smart card) and does not depend in any way on the normally used memorised secret, i.e. a password, belonging to the Subject.


2. Purpose, Scope and Summary


This profile defines how a SWAMID member organisation MUST implement a multi-factor solution in order to be certified by SWAMID for person-proofed multi-factor authentication in a federated environment. A person-proofed second factor or a person-proofed full multi-factor combines the use of multi-factor authentication with an assurance that the multi-factor authenticator is distributed to the intended Subject.

There are two levels of identity proofing methods defined for issuing multi-factors, one based on the identity proofing in SWAMID Identity Assurance Level 2 Profile (SWAMID AL2) [1] and one with a high identity assurance based on use of a defined set of identity cards and passports.

This SWAMID Person-Proofed Multi-Factor Profile is an extension to the REFEDS Multi-Factor Authentication (MFA) Profile (REFEDS MFA) [2].


Guidance

The intended use of this SWAMID profile is when authentication must be done with a high assurance that it is the correct Subject that is accessing a specific service. Please note that it is possible, or even preferred, to use multi-factor authentication without this level of identity assurance in a federated environment but that use does not fulfil this person-proofed multi-factor profile.


3. Compliance and Audit

Evidence of compliance with this profile MUST be part of the Identity Management Practice Statement (IMPS), maintained as a part of the SWAMID membership process. The Identity Management Practice Statement MUST describe how the organisation fulfils the normative parts of this document.

SWAMID operations, or another party approved by SWAMID Board of Trustees, conducts an initial audit of the submitted Identity Management Practice Statement. The member MUST annually confirm that their Identity Management Practice Statement is still valid. When there are changes in the identity management process or technology, a new Identity Management Practice Statement MUST be submitted for a renewed audit.

The Member organisation MUST perform a successful technical validation of their Identity Provider through the official SWAMID person-proofed multi-factor validation service to complete the audit.


Guidance

The audit routines for this profile are the same as for the SWAMID Identity Assurance Level 2 Profile, except for the technical validation.

The SWAMID person-proofed multi-factor validation service is located at https://mfa-check.swamid.se.


4. Organisational Requirement

The purpose of this section is to define conditions regarding participating organisations' responsibilities.


The Member organisation MUST be certified for SWAMID Identity Assurance Level 2 Profile.


5. Operational Requirements

The purpose of this section is to define conditions and guidance regarding use of person-proofed multi-factor authentication.


Only Subjects currently at SWAMID Identity Assurance Level 2 are allowed to authenticate themselves according to this Profile.

A Member Organisation MUST fulfil the REFEDS MFA Profile criteria.


Guidance

Original criteria repeated from the REFEDS MFA Profile for convenience:

By asserting the URI shown above (note: https://refeds.org/profile/mfa), an Identity Provider claims that:

  • The authentication of the user’s current session used a combination of at least two of the four distinct types of factors defined in ITU-T X.1254: Entity authentication assurance framework, section 3.1.3, authentication factor (something you know, something you have, something you are, something you do).
  • The factors used are independent, in that access to one factor does not by itself grant access to other factors.
  • The combination of the factors mitigates single-factor only risks related to non-real-time attacks such as phishing, offline cracking, online guessing and theft of a (single) factor.


5.1 Credential Operating Environment

The purpose of this subsection is to ensure adequate strength of Subject credentials and protection against common attack vectors.

The selected second factor or full multi-factor solution MUST be based on the Single-Factor and Multi-Factor Authenticator Types within NIST 800-63B [3].

Second factor (used together with a memorised secret or a biometric)

  • Single-Factor OTP Device
  • Single-Factor Cryptographic Software
  • Single-Factor Cryptographic Device

Full multi-factor

  • Multi-Factor OTP Device
  • Multi-Factor Cryptographic Software
  • Multi-Factor Cryptographic Device


Guidance

The choice of multi-factor technology should be documented together with the use of passwords in the IMPS, section 5.1.

Single-Factor and Multi-Factor OTP Devices have weaknesses to social engineering similar to those of passwords, but an OTP code can only be used once. If a time-based OTP (TOTP) solution is used the risk is further reduced, but not negligible.

SWAMID has published a set of valid choices for second factor and full multi-factor solutions in the SWAMID wiki.


5.2 Credential Issuing

The purpose of this subsection is to ensure that the Identity Provider has control over the issuing process of the multi-factor.

The second factor or full multi-factor must be issued separately from the Subject's single-factor credential, i.e. the password, in accordance with the REFEDS MFA Profile criteria.


<text about two levels>


Guidance

Processes for issuing and assigning multi-factor credentials (second factor or full multi-factor) should be documented together with the initial credential issuing in the IMPS, section 5.2.

5.2.1 Multi-Factor Issuing based on SWAMID Identity Assurance Level 2 Profile (SWAMID MFA-AL2)

Credential Issuing of a second factor or full multi-factor fulfilling the SWAMID Identity Assurance Level 2 Profile MUST be done using one of the following methods:

  1. On-line authenticating the Subject using a multi-factor issued according to SWAMID Person-Proofed Multi-Factor Profile using an external Identity Provider compliant with the SWAMID Person-Proofed Multi-Factor Profile,
  2. On-line authenticating the Subject using a multi-factor issued according to the Swedish E-identification system using an external Identity Provider compliant with the Swedish E-identification Level of Assurance 2 or higher,
  3. In-person visit at a service desk in combination with identity proofing as defined by the Swedish Tax Agency for issuance of the Swedish Tax Agency identity card,
  4. In-person visit at a service desk in combination with identity proofing with an international passport fulfilling ICAO Doc 9303, an EU/EES national identity card fulfilling the European Commission Regulation No 562/2006 or an EU/EES driving license fulfilling the European Parliament and the Council of European Union Directive 2006/126/EC,
  5. Off-line using a registered address (sv. folkbokföringsadress) in combination with a time-limited one time password/pin code,
  6. Off-line using a copy of the same identification token as described in 3 or 4 above and a copy of a utility bill in combination with a time-limited one time password/pin code sent to the postal address on the utility bill, or
  7. Other identity proofing method deemed equivalent by SWAMID Board of Trustees.


Guidance

Observe that not all Identity Providers within the Swedish E-identification system can be used for online identity vetting due to Identity Provider policies.

If you are using Identity Providers within the Swedish E-identification system you must also accept authentication via eIDAS with assurance level low, substantial or high if you can bind the identity of the Subject.

Time-limited one time passwords/pins used in 5 and 6 should be valid only as long as needed for postal delivery. Copy in 6 means either a scan, a photo or a hardcopy of the identity card/passport.


5.2.2 Multi-Factor Issuing based on SWAMID Identity Assurance Level 2 Profile and with high identity assurance (SWAMID MFA-HIA)

Credential Issuing of a second factor or full multi-factor fulfilling the SWAMID Identity Assurance Level 2 Profile and with high identity assurance MUST be done using one of the following methods:

  1. On-line authenticating the Subject using a multi-factor issued according to SWAMID Person-Proofed Multi-Factor Profile with high identity assurance using an external Identity Provider compliant with the SWAMID Person-Proofed Multi-Factor Profile,
  2. On-line authenticating the Subject using a multi-factor issued according to the Swedish E-identification system using an external Identity Provider compliant with the Swedish E-identification Level of Assurance 3 or higher,
  3. In-person visit at a service desk in combination with identity proofing as defined by the Swedish Tax Agency for issuance of the Swedish Tax Agency identity card,
  4. In-person visit at a service desk in combination with identity proofing with an international passport fulfilling International Civil Aviation Organization (ICAO) Doc 9303 Machine Readable Travel Documents [4], an EU/EES national identity card fulfilling the Regulation (EU) 2016/399 of the European Parliament and of the Council [5] or an EU/EES driving license fulfilling the Directive 2006/126/EC of the European Parliament and of the Council of 20 December 2006 on driving licences [6],
  5. Off-line using a certified mail to a postal address (sv. rekommenderat brev med personlig utlämning) in combination with a time-limited one time password/pin code, or
  6. Off-line using a certified mail to a postal address (sv. rekommenderat brev med personlig utlämning) with a preregistered device, unique for the Subject, that will be considered as a vetted token on first use.


Guidance

Observe that not all Identity Providers within the Swedish E-identification system can be used for online identity vetting due to Identity Provider policies.

If you are using Identity Providers within the Swedish E-identification system you must also accept authentication via eIDAS with assurance level substantial or high if you can bind the identity of the Subject.

Time-limited one time passwords/pins used in 5 should be valid only as long as needed for postal delivery of certified mail.


5.3 Credential Renewal and Re-issuing

Renewal of credentials occurs when the Subject changes its credential using a normal password reset. Re-issuing occurs when credentials have been invalidated.


Replacement of second factor or full multi-factor MUST be done using the same methods as listed above for Credential Issuing.


Guidance

Processes for replacement of second factors or full multi-factors should be documented in the IMPS, section 5.3.


5.4 Credential Revocation

The purpose of this subsection is to ensure that credentials can be revoked.


...something needs to go in here...


Guidance

Processes for revocation of second factors or full multi-factors should be documented in the IMPS, section 5.4.


6. Syntax

The member organisation's Identity Provider is tagged in the SWAMID federation metadata with the assurance certification attribute: http://www.swamid.se/policy/authentication/refeds-mfa if <proofing without ID>

The member organisation's Identity Provider is tagged in the SWAMID federation metadata with the assurance certification attribute: http://www.swamid.se/policy/authentication/high-assurance if <proofing with ID>

...we also need to add text about eduPersonAssurance for high assurance...

In accordance with the REFEDS MFA Profile:

In a SAML assertion, compliance with this Strong Authentication Profile is communicated by asserting the AuthnContextClassRef: https://refeds.org/profile/mfa
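An added example, not part of the SWAMID profile or its validation service: a Relying Party-side check in Python that ties the assertion's AuthnContextClassRef to the issuing IdP's SWAMID certification tag in federation metadata, so that a bare REFEDS MFA context from an uncertified IdP is not mistaken for person-proofed multi-factor. It assumes the certification is carried in the standard assurance-certification entity attribute (urn:oasis:names:tc:SAML:attribute:assurance-certification) and that the high-assurance tag also satisfies the lower level; the metadata, assertion and entityID are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: SWAMID publishes IdP certifications as this standard entity attribute.
ASSURANCE_CERT = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
REFEDS_MFA = "https://refeds.org/profile/mfa"
SWAMID_MFA_AL2 = "http://www.swamid.se/policy/authentication/refeds-mfa"
SWAMID_MFA_HIA = "http://www.swamid.se/policy/authentication/high-assurance"

# Constructed sample metadata and assertion (entityID is fictitious).
METADATA_XML = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <md:EntityDescriptor entityID="https://idp.example.se/idp"><md:Extensions><mdattr:EntityAttributes>
  <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
   <saml:AttributeValue>http://www.swamid.se/policy/authentication/refeds-mfa</saml:AttributeValue>
  </saml:Attribute></mdattr:EntityAttributes></md:Extensions></md:EntityDescriptor>
</md:EntitiesDescriptor>"""
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Issuer>https://idp.example.se/idp</saml:Issuer><saml:AuthnStatement><saml:AuthnContext>
 <saml:AuthnContextClassRef>https://refeds.org/profile/mfa</saml:AuthnContextClassRef>
</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"""

def idp_certifications(metadata_xml):
    """Map each entityID in the metadata to its set of assurance-certification values."""
    result = {}
    for ed in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % NS["md"]):
        values = set()
        for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            if attr.get("Name") == ASSURANCE_CERT:
                values.update((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
        result[ed.get("entityID")] = values
    return result

def assertion_context(assertion_xml):
    """Return (issuer, AuthnContextClassRef) from a SAML assertion."""
    a = ET.fromstring(assertion_xml)
    return (a.findtext("saml:Issuer", default="", namespaces=NS).strip(),
            a.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                       default="", namespaces=NS).strip())

def accept_person_proofed_mfa(assertion_xml, metadata_xml, require_high_assurance=False):
    """Accept only if the session was REFEDS MFA and the issuer is SWAMID-certified at the needed level."""
    issuer, ctx = assertion_context(assertion_xml)
    if ctx != REFEDS_MFA:  # the AuthnContextClassRef alone says nothing about person-proofing
        return False
    # Assumption: a high-assurance certification also satisfies the AL2-proofed level.
    needed = {SWAMID_MFA_HIA} if require_high_assurance else {SWAMID_MFA_AL2, SWAMID_MFA_HIA}
    return bool(idp_certifications(metadata_xml).get(issuer, set()) & needed)
```

Signature validation of both the assertion and the metadata is assumed to have happened before this check; the check only decides which certified level the authentication satisfies.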


7. References

[1] SWAMID Identity Assurance Level 2 Profile: http://www.swamid.se/policy/assurance/al2

[2] REFEDS Multi-Factor Authentication (MFA) Profile: https://refeds.org/profile/mfa

[3] NIST Special Publication 800-63B - Digital Identity Guidelines - Authentication and Lifecycle Management: https://doi.org/10.6028/NIST.SP.800-63b

[4] International Civil Aviation Organization (ICAO) Doc 9303 Machine Readable Travel Documents: https://www.icao.int/publications/pages/publication.aspx?docnum=9303

[5] Regulation (EU) 2016/399 of the European Parliament and of the Council: http://data.europa.eu/eli/reg/2016/399/oj

[6] Directive 2006/126/EC of the European Parliament and of the Council of 20 December 2006 on driving licences: http://data.europa.eu/eli/dir/2006/126/oj
