1. Background and Motivation
The REFEDS Multi-Factor Authentication (MFA) Profile has been widely adopted to convey authentication assurance in the Research and Education (R&E) community. Recently, the U.S. National Science Foundation (NSF) mandated MFA for its research.gov grant management portal and announced plans to require phishing-resistant MFA for users with sensitive access in the near future. This evolving requirement signals the need for enhanced authentication assurance capabilities, analogous to the identity assurance framework, to support varying levels of authentication strength.
2. Purpose and Goals
The purpose of the 2025 REFEDS MFA Profile Working Group - Phishing-Resistant MFA Support (PHREMFAS) is to update the REFEDS authentication assurance profiles to address phishing-resistant MFA in 2025. The primary focus of the working group will be to introduce signaling support for phishing-resistant MFA based on existing standards. Any additional work, including re-organizing how REFEDS expresses overall authentication assurance, should not prevent the group from delivering phishing-resistant MFA signaling support guidance in 2025.
The main objectives of the working group are to:
- Review the current suite of authentication assurance profiles, including the REFEDS MFA Profile and SFA Profile.
- Investigate comparable government and industry guidance (e.g., eIDAS, NIST 800-63, FIDO) to facilitate alignment and broad adoption, leveraging a widely accepted definition of phishing-resistant MFA, à la Strong Authentication, as opposed to starting from scratch.
- Develop updates to the REFEDS authentication assurance profiles to define appropriate levels of authentication assurance and signaling mechanisms.
- As time permits, investigate metadata “tagging” or signaling needs.
- As time permits, investigate OpenID Federation needs for signaling.
3. Scope
The working group will focus on assessing existing profiles, analyzing relevant standards guidance, and drafting proposed updates to the REFEDS MFA Profile. The group will also facilitate community consultation and consensus-building to ensure alignment with international practices and requirements.
4. Deliverables
- An updated REFEDS MFA Profile, incorporating a phishing-resistant MFA definition and signaling requirements.
- A final report documenting the working group’s findings, recommendations, and updated profiles.
- (optional) A report summarizing the review of current authentication assurance profiles and relevant government guidance.
5. Timeline
The working group will operate over a period of 9 months, with the following key milestones:
- April - May: Initial assessment and document review.
- June - October: Drafting proposed updates and community consultation.
- November - December: Revision and consensus-building.
- January ’26: Finalization and publication of the updated profile.
6. Membership and Participation
Membership is open to representatives from the global R&E community, identity and access management experts, and stakeholders with an interest in authentication assurance. The working group will actively seek diverse perspectives and expertise.
7. Governance
The working group will be chaired by a representative elected among working group volunteers. Decisions will be made by consensus wherever possible, with formal voting conducted if needed.
8. Communication and Meetings
The working group will hold regular virtual meetings and maintain transparent documentation of progress. Communication will be facilitated via mailing lists and collaborative platforms.
9. Approval and Maintenance
This charter is subject to approval by REFEDS and may be revised as needed to reflect evolving community requirements and priorities.