This consultation is now CLOSED
Background
This proposal is an update of the current v1.2 of the REFEDS MFA Profile. It has been developed by a sub-group of the REFEDS Assurance working group. Work by the group to make this proposal can be tracked on the working group home page. Please see Charter for the 2025 REFEDS MFA Profile Working Group for more background to the proposed update.
Comments to the proposed changes are welcome from all REFEDS participants or those with an interest in MFA usage within research and education federations.
Overview
The REFEDS Multi-Factor Authentication (MFA) Profile defines standard signals that allow service providers (SPs) to request multi-factor authentication (MFA) from identity providers (IdPs), and for IdPs to indicate that MFA has successfully occurred in a federated authentication transaction.
Version 2.0 of the REFEDS MFA Profile:
- Is backward compatible with the definition of MFA from REFEDS MFA Profile Version 1.2, now referred to as General MFA.
- Adds a normative definition of Phishing-Resistant MFA.
- Consolidates the normative SAML and OpenID material from Version 1.2 to reduce duplication, while retaining the explicit rules for their use. The guidance itself includes clarifications, but no normative changes apart from the introduction of a second identifier for Phishing-Resistant MFA.
- Clarifies profile conformance requirements.
- Adds examples of using Phishing-Resistant MFA in SAML and OIDC and moves all the examples to an Appendix for better readability.
Two pdfs are available for the consultation:
Proposed REFEDS Multi-Factor Authentication Profile v2.0
Practitioner’s Guide for REFEDS Multi-Factor Authentication Profile v2.0
All comments should be made on consultations@lists.refeds.org or added to the comment log below, comments posted to other channels will not be included in the consultation review
Change Log:
| Document (profile or guide) | Line/Reference # from doc | Proposed Change or Query | Proposer / Affiliation / (optional) Contact details | Action / Decision (please leave blank) | |
|---|---|---|---|---|---|
| 1 | profile | 8-10 | Nice haiku | Fredrik Domeij, Sunet, fredrik.domeij@umu.se | |
| 2 | guide | 163 | Nice illustration | Fredrik Domeij, Sunet | |
| 3 | profile | 178, 185 | "If the SP/RP requests General MFA" → "If the SP/RP only requests General MFA" "If the SP/RP requests Phishing-Resistant MFA" → "If the SP/RP only requests Phishing-Resistant MFA". Elsewhere in the guide, and the general saml spec, describe acceptable behavior if an SP requests multiple authncontexts. The current text makes it sound like you need to return an error if you can't satisfy one of the context classes, while I believe it is if you can't satisfy any of the requested context classes. | patrick@cirrusidentity.com | |
| 4 | profile and guide | general | REFEDS specs/profiles/reports should include editor/contributor attributions. | Albert Wu / InCommon | |
| 5 | profile | 83-88 | Seems too weak and could be easily overlooked by the reader. At minimum, I would suggest adding "and is not recommended" to the first sentence. I'd also suggest emphasizing "internal policies", perhaps by bolding that phrase. This could really get an organization in trouble and it should be clearer that the practice is very much not a good idea and is to be avoided. | RuthAnne (by e-mail list) | |
| 6 | profile | 116-119 | "In general terms, multi-factor authentication refers to the use of an additional, non-password challenge included as part of login, typically in combination with a password". I think the use of 'additional' is a bit confusing. Additional to what? In section 3.1, it says any two or more factors. So maybe → "In general terms, multi-factor authentication refers to the use of multiple distinct factors during login, often a password in combination with another factor" | Phil Smart, Jisc (philip.smart@jisc.ac.uk) | |
| 7 | profile/guide | I would recommend not using the word "identifier" to describe the ACR values. I would recommend referring to them as "ACR values", instead, to avoid confusion with subject identifiers. | Nicole Roy, InCommon | ||
| 8 | profile | 88 | Propose changing 'Using the value defined in this Profile' to 'Using any of the values defined in this Profile' - as we now have more than one value. | Alan Buxey (by e-mail list) | |
| 9 | profile | #3 - I think it would be useful for the longevity of this specification and to aid in the current transition away from passwords if the specification didn't mention "passwords" as being "generally" part of the authentication, how it reads to me now it guides the implementer towards the idea of an MFA to be used after the use of password in the authentication flow. This to promote and highlight the use of "Something the user is"/"Something the user knows" to be used in combination with "Something the user has" to complete the requirements in one step instead of two (pin or biometric to unlock the Passkey in the same authentication flow). This is probably the better user experience and promotes the use of "Something the user has" as the first and default factor. For example:
| Zacharias Törnblom | ||
| 10 | profile | #3.2, 129 & 130 The requirement for the factors independence while novel will in practice be more difficult to navigate since login managers (i.e. password managers) now create and host both Passwords and Passkeys. Would it make sense for it be changed to Should for general MFA, and Must for phising resistent MFA? | Zacharias Törnblom | ||
| 11 | profile | #3.5 and how it relates to 3.3 & 4.2.4 Would it be worth considering that SSO cannot be utilized for instances requiring Phising-Resistent MFA (preventing a third party using the users signaled Phising resistent SSO)? When asking for PHR a service provider Should also signal to re-authenticate, before signaling PHR the identity provider Should re-authenticate the user using their phising resistent factor at a minimum | Zacharias Törnblom | ||
| 12 | Profile | 146-151 | Regarding Section 3.5, Phishing-Resistant MFA, the text states: "MUST NOT rely on authentication secrets (e.g., passwords, one-time codes, or challenges) that a remote attacker could capture, replay, or instruct the user to reveal." Could this phrasing be clarified? Strictly speaking, no system is entirely devoid of secrets. Even with FIDO/WebAuthn or Passkeys, cryptographic secrets exist and could (at least theoretically) be compromised, especially when using platform authenticators or password managers with synchronization features. Is the intention here to specifically exclude secrets that are accessible to or revealable by the user, rather than the underlying cryptographic keys? | Peter Havekes, SURF | |
| 13 | Guide | Guide 55-56 | Guide 55-56 Lines 59-62 state it correctly: So 55-56 seem to conflict with 59-62, unless 55-56 are meant for an IdP that cannot satisfy PHR for anyone -- and if so, that should be stated. I'd say taht 74-78 have the same problem (i.e. MUST on returning an error), although there is wiggle room with 75-76 -- if the IdP hands the user off to a MFA serv ice that does not end up returning the suer, then one could claim the IdP "followed the path of 75-76 by at least "attempting to re-authenticate the user at the right strength". In general, it can be problematic to have MUSTs around returning an error meessage, because if you are handing off the user, from the IdP, to another service (e.g. Duo), you may or may not "get the user back", If you don't, you cannot return the error message to the SP, you simply never return the user to the SP. | Michael Grady, Unicon | |
| 14 | profile | 225-227 | While I understood what this text was saying after reading it a couple of times, the fact that I had to read it several times to be clear suggests to me the language could be improved: 225- 227 "4.2.3.3 Any factor contributing to that timestamp SHOULD require active intervention by the user (e.g., entering a password, approving a push, touching a security key)." something like "The timestamp value SHOULD reflect an active intervention by the user (e.g., entering a password, approving a push, touching a security key)." ? Or make it "timestamp value" in the above? | Michael Grady, Unicon | |
| 15 | Guide | 182-183 | "IdPs and SPs should consider publishing an errorURL in their SAML metadata, as defined in What errorURL for an SP? And did I just miss it, or is a reference for [ErrorURL] missing? | Michael Grady, Unicon | |
| 16 | Profile | 152 | For clarity, it might be helpful to explicitly refer back to 3.1 in "... and at least one factor is a... ". Something like "... and at least one factor of the types listed in 3.1 is a..." | Mark Rank, Cirrus Identity | |
| 17 | Profile | 24 | The use of "Profile" (capital P) implies a defined term. This should be either added to the definitions in section 2, or defined in line 15 - The REFEDS Multi-Factor Authentication (MFA) Profile ("Profile"). The latter looks a bit weird though. | John Scullen (AAF) | |
| 18 | Profile | 24 | Replace: The Profile is intended for those involved in operating and integrating ... with: The Profile is intended for operators and integrators of .... | John Scullen (AAF) | |
| 19 | Profile | General comment | Surely this is an issue for anyone operating federated authentication infrastructure - it's not just an R&E problem. Has anyone else worked on solutions outside of R&E? If not, we should get this in front of someone at the OpenID Foundation or other relevant standards groups. It probably has wider potential application than R&E. | John Scullen (AAF) | |
| 20 | Profile | 38 | "common identifiers". I had a question mark over this as I went through. Similar to Nicole's comment #7, maybe "acr values" would be clearer. | John Scullen (AAF) | |
| 21 | Profile | 49 | Replace: characteristics of methods of authentication, with: characteristics of authentication methods | John Scullen (AAF) | |
| 22 | Profile | 53 | Awkward title. Maybe you could try "Threat Coverage", "Scope of Threat Mitigation" or "Threats Mitigated by this Profile". Alternatively you could split it into two sections: "Threats Addressed" and "Out of Scope Threats" or something along those lines | John Scullen (AAF) | |
| 23 | Profile | 72 | Replace: Federation Protocols; it also with: Federation Protocols. It also | John Scullen (AAF) | |
| 24 | Profile | 73 | Replace: guidance for interpreting them with: guidance for interpreting the signals | John Scullen (AAF) | |
| 25 | Profile | 75-76 | Revise sentence to: This profile does not address other assurance-related topics such as identity proofing, registration or endpoint/device management, which may be covered by other REFEDS profiles... | John Scullen (AAF) | |
| 26 | Profile | 83 | value > values ?? | John Scullen (AAF) | |
| 27 | Profile | 86-88 | Consider revising the last sentence of this paragraph to: This Profile should not be used for MFA signalling within an organisation. | John Scullen (AAF) | |
| 28 | Profile | 104-105 | Table should have terms sorted in alphabetical order to make them easier to find and probably include a definition for "Profile" | John Scullen (AAF) | |
| 29 | Profile | 173 | Replace: has to be chosen to with: must | John Scullen (AAF) | |
| 30 | Profile | 173-175 | This sentence is a bit awkward. How about?: The authentication strength identifier asserted by an IdP/OP must both reflect the authentication method(s) actually performed during the session and comply with any values requested by the SP. | John Scullen (AAF) | |
| 31 | Profile | 180 | Replace: it MUST still assert only with: it MUST only assert | John Scullen (AAF) | |
| 32 | Profile | 193-195 | Revise to: This is a key reason this Profile should not be used for internal use cases. Local MFA policies may allow exceptions that diverge from these requirements. | John Scullen (AAF) | |
| 33 | Profile | 212-213 | There's a lot going on in the last part of the sentence. One of these options might be easier to understand without diluting the meaning too much? …when the user first actively authenticates during the SSO session. or …when the user first successfully completes an authentication step that requires user interaction. | John Scullen (AAF) | |
| 34 | Profile | 260 | Replace: IdPs that issue an error with: the error | John Scullen (AAF) | |
| 35 | Profile | 283 | Replace: OPs that issue an error with: the error | John Scullen (AAF) | |
| 36 | Profile | No reference implementation has been published, confounding the consultation process. | Matthew X. Economou (email) | ||
| 37 | Profile | Relying parties cannot depend on any response to authentication requests referencing non-standard authentication context classes, an interoperability issue with the original version of the profile that goes unaddressed in the revision. Relying parties also have no way to probe identity provider behavior beforehand as some identity providers delay processing an authentication request until after a user has authenticated as a safety measure. | Matthew X. Economou (email) | ||
| 38 | Profile | Likewise, identity providers risk causing spurious authentication failures by referencing, unprompted, non-standard authentication context classes in their responses, an interoperability issue with the original version of the profile that also goes unaddressed in the revision. This has the practical effect of driving relying parties whose missions prioritize interoperability, e.g., emergency response, out of the trust federation. | Matthew X. Economou (email) | ||
| 39 | Profile | How the profile relates to standard authentication context declarations (including standard authentication context classes) remains undefined in the revision. The revised profile's suggestion to use exact comparisons for requested authentication contexts along with the practitioner's guide's suggestion to avoid requesting both General MFA and Phishing-Resistant MFA only adds to this uncertainty. | Matthew X. Economou (email) | ||
| 40 | Profile | The revised profile implies but does not specify a period of transition to Phishing-Resistant MFA. The community should commit to a sunset date for General MFA. | Matthew X. Economou (email) |