- Q: Does MFA impose requirements on the quality of the two factors?
- A: No, only that they are independent. In that sense, MFA is more like an interoperability profile, unlike SFA, which is more specific about the properties of the factor.
- Q: Is compliance with SFA required in order to qualify for MFA?
- A: No, both profiles may be used completely independently of each other.
- Q: Does SFA impose requirements on password lifetime?
- A: No, SFA does not require password rotation.
- Q: Are passwords whose secret basis is ≥72 characters actually required to contain special characters?
- A: No, SFA does not impose requirements on password complexity. The CSP qualifies for the ≥72-character basis if it allows the user to choose their password from that character basis.
- Q: Does compliance with one of the SFA/MFA profiles ensure compliance with the other?
- A: No. Although MFA is considered the more secure profile, its requirements are significantly different from those of SFA, and vice versa.
- Q: Does SFA require a strict rate limit?
- A: No, SFA only requires some protection against online guessing. It is not required to implement specific controls or to define a strict rate limit. The organisation itself may decide which measures are appropriate.
Testing your SAML Identity Provider
- SWITCHaai’s attribute test service has a button you can click to ask the SP to request the SFA, MFA or "MFA or SFA" authentication context from your IdP (you first need to log in to that page "normally" via your IdP)
- Examples on SFA/MFA authentication contexts in SAML 2.0 and OIDC protocol flow
- MFA/SFA configuration examples - Shibboleth (as SAML IdP)
- MFA/SFA configuration examples - SimpleSAMLphp (as SAML IdP)
- MFA/SFA with ADFS (as SAML IdP)
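As an added illustration of the "MFA or SFA" request mentioned above (example code written for this page, not from REFEDS, SWITCHaai or any of the linked IdP guides): the SP side builds a RequestedAuthnContext listing the REFEDS class reference URIs, then checks the IdP's answer against exactly what it asked for. The sample Response is constructed inline and unsigned; signature and assertion validation are assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Published REFEDS authentication context class reference URIs.
REFEDS_MFA = "https://refeds.org/profile/mfa"
REFEDS_SFA = "https://refeds.org/profile/sfa"


def build_requested_authn_context(class_refs):
    """Serialise the <samlp:RequestedAuthnContext> an SP embeds in its AuthnRequest.

    Comparison="exact" tells the IdP it must answer with one of the listed
    URIs; listing both MFA and SFA is the "MFA or SFA" request."""
    rac = ET.Element(f"{{{SAMLP}}}RequestedAuthnContext", Comparison="exact")
    for ref in class_refs:
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = ref
    return ET.tostring(rac, encoding="unicode")


def returned_authn_context(response_xml):
    """Extract the AuthnContextClassRef the IdP asserted (None if absent)."""
    root = ET.fromstring(response_xml)
    ref = root.find(f".//{{{SAML}}}AuthnContextClassRef")
    return ref.text.strip() if ref is not None and ref.text else None


def context_satisfies(requested, returned):
    """SP-side check: accept only an exact match against the requested set.

    The profiles are independent, so an SFA answer to an MFA-only request
    must be rejected rather than treated as 'close enough', and vice versa."""
    return returned is not None and returned in set(requested)


# Constructed sample Response (not a real IdP capture); the IdP asserts SFA.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_example-response" Version="2.0">
  <saml:Assertion ID="_example-assertion" Version="2.0">
    <saml:AuthnStatement>
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{REFEDS_SFA}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""
```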
There are some useful documents on supporting MFA over on the InCommon wiki. We hope to develop more advice and guidelines soon. You might be interested in: