  • Q: Is compliance with SFA required in order to qualify for MFA?
    • A: No, both profiles may be used completely independently of each other.

For a more comprehensive REFEDS MFA FAQ please see MFA Profile FAQ.
  • Q: Does SFA impose requirements on password lifetime?
    • A: No, SFA does not require password rotation.
  • Q: Are passwords drawn from a character basis of ≥72 characters actually required to contain special characters?
    • A: No, SFA does not impose requirements on password complexity. The CSP qualifies for the ≥72-character basis if it allows the user to choose their password from that character basis.
  • Q: Does compliance with one of the SFA/MFA profiles ensure compliance with the other?
    • A: No. Although MFA is considered the more secure profile, its requirements are significantly different from those of SFA, and vice versa.
  • Q: Does SFA require a strict rate limit?
    • A: No, SFA only requires some protection against online guessing. It is not required to implement specific controls or to define a strict rate limit. The organisation itself decides which measures are appropriate.