MFA FAQ
- Q: Does MFA impose requirements on the quality of the two factors?
- A: No, only that they are independent of each other. In that sense MFA behaves more like an interoperability profile, whereas SFA is more specific about the properties of the factor.
- Q: Is compliance with SFA required in order to qualify for MFA?
- A: No, the two profiles may be used completely independently of each other.
SFA FAQ
- Q: Does SFA impose requirements on password lifetime?
- A: No, SFA does not require password rotation.
- Q: Are passwords drawn from a secret basis of ≥72 characters actually required to contain special characters?
- A: No, SFA does not impose password complexity requirements. The CSP qualifies for the ≥72 character basis if it allows the user to choose their password from a basis of that size; the user is not obliged to use every class of character in it.
- Q: Does compliance with one of the SFA/MFA profiles ensure compliance with the other?
- A: No. Although MFA is considered the more secure profile, its requirements differ significantly from those of SFA, so meeting one profile does not imply meeting the other.
- Q: Does SFA require a strict rate limit?
- A: No, SFA only requires some protection against online guessing. It does not require specific controls or a particular rate limit; the organisation itself decides which measures are appropriate.
Testing your SAML Identity Provider
- SWITCHaai’s attribute test service has a button you can click to have the SP request the SFA, MFA or "MFA or SFA" authentication context from your IdP.
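If you want to reproduce what the test service does without it, the following added example (not code from SWITCHaai or the test service) builds the SAML AuthnRequest an SP sends for each of the three choices and checks the AuthnContextClassRef an IdP returns. The context class URIs are assumed to be the REFEDS profile identifiers, the AuthnRequest and Response fragments are constructed here rather than captured from a real IdP, and the check deliberately uses exact comparison: as the FAQ above says, neither profile implies the other, so an SFA assertion must not pass an MFA request. The same exact-match rule is applied to the OIDC `acr` claim for the OIDC flow.

```python
"""Request an SFA / MFA / "MFA or SFA" authentication context and verify
the context class an IdP asserted.  Example code, not part of SWITCHaai."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Assumption: the REFEDS profile identifiers are the AuthnContextClassRef
# values (SAML) and acr values (OIDC) the IdP is configured to assert.
REFEDS_MFA = "https://refeds.org/profile/mfa"
REFEDS_SFA = "https://refeds.org/profile/sfa"

# The three choices the test service offers; "MFA or SFA" lists MFA first,
# i.e. in order of preference, which is what Comparison="exact" honours.
PROFILES = {
    "SFA": [REFEDS_SFA],
    "MFA": [REFEDS_MFA],
    "MFA or SFA": [REFEDS_MFA, REFEDS_SFA],
}


def build_authn_request(sp_entity_id: str, request_id: str, choice: str) -> str:
    """Serialize an AuthnRequest whose RequestedAuthnContext lists the
    class references for `choice`.  Comparison="exact" is essential:
    "minimum"/"better" would let the IdP substitute a context it ranks
    higher, but SFA and MFA are not ranked relative to each other."""
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": "2024-01-01T00:00:00Z",  # constructed timestamp
    })
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = sp_entity_id
    rac = ET.SubElement(req, f"{{{NS['samlp']}}}RequestedAuthnContext",
                        {"Comparison": "exact"})
    for uri in PROFILES[choice]:
        ET.SubElement(rac, f"{{{NS['saml']}}}AuthnContextClassRef").text = uri
    return ET.tostring(req, encoding="unicode")


def asserted_contexts(response_xml: str) -> list:
    """Return the AuthnContextClassRef of every AuthnStatement in a Response.
    NOTE: a real SP validates the XML signature, InResponseTo, audience and
    validity window before trusting any of this; the context value is only
    as trustworthy as the signed assertion carrying it."""
    root = ET.fromstring(response_xml)
    refs = []
    for stmt in root.findall(".//saml:AuthnStatement", NS):
        ref = stmt.find("saml:AuthnContext/saml:AuthnContextClassRef", NS)
        if ref is not None and ref.text:
            refs.append(ref.text.strip())
    return refs


def context_satisfies(response_xml: str, choice: str) -> bool:
    """True iff exactly one AuthnStatement was asserted and its class
    reference is one of those requested for `choice` (exact match)."""
    got = asserted_contexts(response_xml)
    return len(got) == 1 and got[0] in PROFILES[choice]


def oidc_acr_satisfies(id_token_claims: dict, choice: str) -> bool:
    """OIDC counterpart: the single `acr` claim must equal one of the values
    sent in acr_values.  A missing acr claim is a failure, not a pass."""
    return id_token_claims.get("acr") in PROFILES[choice]


# Constructed sample Response (unsigned, trimmed) asserting the SFA context.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:05Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:05Z">
    <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:04Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>https://refeds.org/profile/sfa</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
"""

if __name__ == "__main__":
    print(build_authn_request("https://sp.example.org/shibboleth", "_req1", "MFA or SFA"))
    for choice in PROFILES:
        print(f"{choice:>10}: {context_satisfies(SAMPLE_RESPONSE, choice)}")
```

Running it shows the SFA assertion passing the "SFA" and "MFA or SFA" requests and failing the "MFA" request, which is the behaviour to expect from a correctly configured IdP: if your IdP answers an exact MFA request with the SFA context (or with a generic class such as PasswordProtectedTransport), the SP must reject the assertion rather than downgrade.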
Supporting Materials
- Examples on SFA/MFA authentication contexts in SAML 2.0 and OIDC protocol flow
- MFA/SFA configuration examples - Shibboleth (as SAML IdP)
- MFA/SFA configuration examples - SimpleSAMLphp (as SAML IdP)
- MFA/SFA with ADFS (as SAML IdP)
There are some useful documents on supporting MFA over on the Shibboleth and InCommon wikis: