The introduction of REFEDS MFA Profile v1.2 represents a significant milestone in the REFEDS community's ongoing commitment to fortify and expand the adoption of robust authentication practices across the global research and education community. While revising the profile text, the editors endeavoured to strike a delicate balance among crucial and sometimes conflicting priorities. We strove to craft a profile that is not only easily understandable but also practical for a diverse array of practitioners, all the while reinforcing authentication practices throughout our community.
The notion of “stronger authentication” evolves rapidly. The Profile should continue to adapt to the changing needs of our community. Moreover, this Profile is a collective asset of the entire REFEDS community. We enthusiastically invite more brilliant minds and passionate individuals to take up the mantle and contribute to the ongoing enhancement of this Profile.
We write this note to share the insights gained during our work on this update and to offer recommendations for potential future endeavours.
Crafting a practically deployable and globally applicable standard.
A key developmental objective for REFEDS MFA Profile v1.2 is to ensure its broad adoption by practitioners worldwide, accommodating diverse regulatory domains and a range of technical capabilities. Instead of meticulously outlining the pinnacle of best practices in stronger authentication, this profile aims to capture the essence of "better authentication" that the majority of our community can rely on for secure access to sensitive systems. In other words, we prioritise progress over perfection. Given the absence of a universally accepted definition for "stronger authentication," this profile also aims to ignite a conversation within the R&E community. In this context, the profile acts as a starting point, not the ultimate destination. We encourage practitioners to use this profile as a tool for unified communication, promoting the adoption of "better authentication" while collectively refining our understanding of what "better" entails as we move forward into the future together.
“Quality of Authentication” over “Methods of Authentication”
The inaugural release of the REFEDS MFA Profile in 2017 aimed to establish a common vocabulary for practitioners, allowing them to indicate the necessity or use of a more robust authentication method beyond password-only authentication in federated access transactions. Given the need for this signal to be applicable across diverse regulatory and technology domains, and recognising the rapid evolution of authentication techniques, the profile, while considering specific authentication methods, intentionally refrained from precisely specifying or constraining the exact methods employed.
In v1.2, our continued emphasis remains on describing the "Quality of Authentication" rather than prescribing specific "Methods of Authentication." We believe this focus is pivotal in promoting widespread adoption and fostering a unified conversation around the concept of "better authentication."
Continuity matters.
The group’s primary chartered objective in making the Profile update was to make the Profile more understandable for newcomers. To do so, we had initially postulated that there wasn’t yet a significant adoption of the Profile and that we could introduce more precise/prescriptive, but backward incompatible, changes to clarify certain behavioural details such as valid session length, or “Remember Me” settings. We learned from community feedback that we were wrong. The REFEDS MFA Profile already had a substantial adoption base in parts of the REFEDS community. Introducing backward incompatible changes, while clarifying the Profile’s intent, created significant rollout challenges, which is why v1.1 was never released. Instead, we followed up with v1.2, using backward compatible wording while still signalling what we believe are best practices and clarifying expectations among Profile adopters.
We strongly encourage future editors to take to heart this vital lesson: cultivating increased adoption necessitates inclusivity, particularly for the early adopters who have invested significantly in championing the cause. While revolutionary changes may be thrilling, the key to sustained progress lies in thoughtful evolution.
MFA doesn’t only happen in SAML.
Given that SAML (Security Assertion Markup Language) stands as the predominant federated access messaging protocol within the REFEDS community, the initial REFEDS MFA Profile, like many other standards, operated under the assumption that communication would take place via SAML.
We are challenging that assumption. Good authentication practices should apply everywhere, regardless of the messaging protocol. As our community evolves and embraces new technologies, the essence of this Profile should continue to apply. We introduced explicit bindings for SAML and OIDC in v1.2 to illustrate the separation and relationship between “better authentication practices” and the specific messaging protocol mechanics employed to signal them. As new technologies are adopted in our community, we encourage the development of additional binding profiles to detail those relationships.
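The separation described above, as an added example that is not part of this note or of the REFEDS Profile text: the relying party's policy check is one protocol-agnostic function, and only the extraction of the signalled authentication context differs between the SAML and OIDC bindings. The profile identifier `https://refeds.org/profile/mfa` is the URI the REFEDS MFA Profile defines (not quoted on this page); the SAML assertion fragment and ID token claims are constructed sample inputs, and the helpers assume signatures and token validation were already checked by the SP/RP.

```python
# Added example (not from the REFEDS note): one "quality of authentication"
# policy applied through two bindings. Only the per-protocol extraction differs.
import xml.etree.ElementTree as ET

# Identifier defined by the REFEDS MFA Profile (assumed; not quoted on this page).
REFEDS_MFA = "https://refeds.org/profile/mfa"
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def satisfies_refeds_mfa(signalled_contexts, required=REFEDS_MFA):
    """Protocol-agnostic policy: the IdP/OP must have asserted the required
    context. An absent or unrelated context (e.g. password-only) fails closed."""
    return required in set(signalled_contexts)


def contexts_from_saml_assertion(assertion_xml):
    """SAML binding: collect AuthnContextClassRef values from AuthnStatements.
    Assumes the SP has already verified the assertion's signature and conditions."""
    root = ET.fromstring(assertion_xml)
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [(el.text or "").strip() for el in root.findall(path, SAML_NS)]


def contexts_from_oidc_claims(id_token_claims):
    """OIDC binding: the OP signals the context in the ID token's 'acr' claim.
    Assumes the RP has already verified the token's signature, iss, aud and nonce."""
    acr = id_token_claims.get("acr")
    return [acr] if isinstance(acr, str) and acr else []


# Constructed sample inputs (not real IdP/OP output).
SAML_MFA = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "<saml:AuthnStatement><saml:AuthnContext>"
    f"<saml:AuthnContextClassRef>{REFEDS_MFA}</saml:AuthnContextClassRef>"
    "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"
)
SAML_PASSWORD = SAML_MFA.replace(
    REFEDS_MFA, "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
)
OIDC_MFA = {"sub": "alice", "acr": REFEDS_MFA}
OIDC_NO_ACR = {"sub": "bob"}

if __name__ == "__main__":
    for label, ctxs in [
        ("SAML, REFEDS MFA", contexts_from_saml_assertion(SAML_MFA)),
        ("SAML, password only", contexts_from_saml_assertion(SAML_PASSWORD)),
        ("OIDC, acr=REFEDS MFA", contexts_from_oidc_claims(OIDC_MFA)),
        ("OIDC, no acr claim", contexts_from_oidc_claims(OIDC_NO_ACR)),
    ]:
        print(f"{label}: satisfies profile = {satisfies_refeds_mfa(ctxs)}")
```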
Stronger authentication doesn’t have to be “multi-factor”.
Throughout the development of this Profile, we have asked ourselves one question: given the Profile’s emphasis on “Quality of Authentication”, does it have to be “multi-factor”?
With continued advancements in authentication technology, our answer is no, certainly not for long.
When the need arises, we believe that this Profile should evolve to further emphasise “better” or “stronger” authentication rather than “multi-factor”. That may mean a change in the Profile name itself. Multi-factor authentication is one way to achieve stronger authentication, but it shouldn’t be the sole criterion used to define “stronger authentication”.
Earlier Working Materials
REFEDS MFA Profile v1.2 is the culmination of over two years of material compilation. These efforts helped orient and prioritise the Profile revision work. This process included the production of a draft v1.1 Profile, which received valuable feedback from the community. The following links direct you to these earlier works.
The Beginning
MFA Profile Priorities - The REFEDS MFA Subgroup’s initial recommendation is to update the (original) REFEDS MFA Profile.
Working document for MFA Profile Priorities - An early internal document to prioritise MFA Profile update priorities.
Gathering Community Feedback
Recording and Slides from the October 6 2022 REFEDS Community Chat
REFEDS MFA Profile v1.1 Consultation - The community consultation proceedings for the REFEDS MFA Profile v1.1.
Editors’ Note for REFEDS MFA Profile v1.1 - A note attached to v1.1 text to clarify the intent/thinking behind the work.
Journey to v1.2
Editor’s Response to REFEDS MFA Profile v1.1 Consultation and Next Steps - A note attached to the REFEDS MFA Profile v1.2 consultation.
REFEDS MFA Profile v1.2 Consultation - The community consultation proceedings for the REFEDS MFA Profile v1.2.
About the REFEDS Profile v1.2 Editors
The REFEDS MFA Subgroup consists of committed community volunteers with a collective passion for advancing universal and user-friendly trustworthy federated access. While numerous contributors have helped shape REFEDS MFA Profile v1.2, the following individuals stand out as the primary contributors.
Fredrik Domeij / Sweden / Sunet / Chair, REFEDS MFA Subgroup
Scott Cantor / USA / The Ohio State University / Shibboleth Consortium
Eric Goodman / USA / University of California, Office of the President
Alan Buxey / The United Kingdom / MyUNiDAYS Ltd.
Albert Wu / USA / InCommon