Page History

Children Display

title	Guidance on SFA/MFA

Testing your SAML Identity Provider

To test whether your Identity Provider releases SFA/MFA you can use the SWITCHaai’s attribute test service

User instructions:

Q: Does MFA impose requirements on the quality of the two factors?
- A: No, only that they are independent. In that sense, MFA is more like an interoperability profile unlike SFA which is more specific on the properties of the factor.
Q: Is compliance to SFA required in order to qualify for MFA?

For a more comprehensive REFEDS MFA FAQ please see MFA Profile FAQ.

Q: Does SFA impose requirements on password lifetime?
- A: No, SFA does not require password rotation.
Q: Are the passwords whose secret basis is ≥72 characters actually required to have special characters?
- A: No, SFA does not impose requirements on password complexity. The CSP qualifies to the ≥72 characters if it allows the user to choose their password from that character basis.
Q: Does compliance to one profile of SFA/MFA ensure compliance to the other one?
- A: No. Although MFA is considered the more secure profile, the requirements are significantly different from SFA and vice versa.
Q: Does SFA require a strict rate limit?
- A: No, SFA just requires any protection against online guessing. It is not required to implement specific controls or define a strict rate limit. The organisation itself might decide which measures are appropriate.

...

a button you can click to ask the SP request SFA, MFA or "MFA or SFA" authentication context from your IdP

...

There are some useful documents on supporting MFA over on the Shibboleth and InCommon wiki:

...