The REFEDS SFA Profile has been developed to complement the existing REFEDS MFA Profile.

The SFA Profile has been developed by the GÉANT Joint Research Activity on T&I Future Technologies and through discussion and preliminary consultation with the REFEDS Assurance Group. Particular attention has been paid to ensure the SFA Profile makes sense within the context of the REFEDS Assurance Framework proposal that is exposed to a parallel consultation.  For more information, see the Assurance Working Group space. 

Mikael Linden has written a useful background blog on the consultation.


The consultation CLOSED on Friday 22nd June 2018. 

Participants are invited to:

  • Review and comment on the proposed REFEDS SFA Profile and its suitability for publication as a REFEDS profile. 

Following the consultation all comments will be taken back to the Assurance working group for review and if appropriate the Profile will then be forwarded to the REFEDS Steering Committee for sign-off and publication on the REFEDS website as per the REFEDS participants agreement

The document for the consultation is available as an attachment  to this page.  Background on the Assurance Working Group is available.  All comments should be made on: or added to the change log below.  Comments posted to other lists will not be included in the consultation review. 

Change Log

Change Log for the REFEDS SFA Profile Consultation.  Please fill in your comments and change requests below. Line numbers are available in the document for ease of reference.

NumberLine / ReferenceProposed Change or QueryProposerAction / Decision (please leave blank)
1GeneralThe proposal sticks quite closely to NIST's guidelines ( - it would be helpful to add a statement on whether these guidelines are in line with NIST 800-63B to allow people to self audit more easilyHannah Short (CERN)All NIST references were removed from the main document to avoid the impression that there is a connection to the NIST guidelines. Only the terminology used is aligned with NIST which is stated in the newly created appendix A.
2Chapter 4, TableCould those pools be opened, from where this amount of characters is taken from? Like "e.g. 52 letters (a-z)(A-Z)"

Sami Silén (CSC)

Appendix B was added which contains some examples of character sets.
3Chapter 4, TableKind of minor notice, but might be something to open up a little bit. Reading this table after reading this NIST guidelines, I had problems to understand that second line in each "Authenticator type". It didn't mean secrets chosen randomly by the CSP (Which was the assumption I had got from the NIST document). Both of lines are subscriber chosen and length is just different because of wider pool.Sami Silén (CSC)Appendix A was added which defines the authenticator types used in the profile. This avoids the need to look into the NIST guidelines. Appendix B provides some examples, which should make it clear how to use the table.
4Chapter 4, listSuggest giving the required conditions names, so they can be referenced. E.g. SFA-1 (secret strength), SFA2 (secret lifetime), SFA3 (replacement). Not sure if it's worth referring to the sub-options.Jens Jensen (STFC)The unordered list in section 4 has been replaced by a numbered list for easy referencing.
  • No labels