The original consultation for the proposed REFEDS MFA Profile V1.1 resulted in a number of important pieces of feedback, largely centred around two issues:
- The changes made to the meaning of the original profile identifier, principally around recency of authentication.
- The explicit recommendation to avoid the ForceAuthn option in SAML, and equivalent constructs in OpenID Connect.
The Working Group held lengthy discussions and considered various alternatives. Ultimately, we recognised that to some degree, the world has begun to move beyond the notion of Multi-Factor Authentication. The future of strong authentication points to a wider variety of phishing-resistant authentication technologies that include some single-factor approaches. Therefore, we consider this revision of the REFEDS MFA Profile a transition stop toward future work. Instead of introducing radical changes, we are proposing a more conservative set of clarifying changes to the original profile.
Compared to the original proposal we submitted for consultation, this new version:
- Maintains the semantics of the original profile identifier while adding additional clarifications.
- Softens several changes proposed in the first consultation from MUST to SHOULD.
- Includes explicit recommendations on how IdPs and SPs should interpret the SAML and OpenID features for forced re-authentication and how the time of authentication should be set.
The latter are expressed as normative but not mandatory requirements, in recognition of the fact that some existing implementations may not be able to meet them. The language in the SAML 2.0 and OIDC specifications around re-authentication is not clear enough to justify a claim that our interpretations are the only possible ones, but in our view the recommendations fit within the plain language of the specifications and reflect the most useful behaviour we would seek to encourage in order to improve interoperability.
We therefore invite a new round of feedback on this revised proposal, which we feel is simpler and less ambitious. We believe the bulk of the feedback from the first consultation is addressed by these changes.
The revised profile is available for consultation as REFEDS MFA Profile v1.2.