
Note

With an iOS phone, the physical key has to be attached to the top edge of the phone (aligned horizontally); sometimes it might also be necessary to tilt the physical key towards the phone screen. Attach the keychain when you are asked to use Touch ID or Face ID. The device has to be NFC capable (iPhone 7 or newer).

MFA Profile

REFEDS (The Research and Education FEDerations group) defines a Multi-Factor Authentication profile which provides a set of recommendations, best practices and their explanations for facilitating unambiguous communication between the SP (Service provider) and IdP (Identity provider) when MFA is required by the SP.

In the context of this document, we are mainly concerned with the SP. The Service Provider is an application providing access to services or resources which need to be protected using MFA. The Identity Provider, on the other hand, is a component able to perform the MFA and return a claim containing the result of the authentication.

The profile specifies what is considered to be sufficient MFA on the side of the IdP, how the SP should initiate the request for MFA with the IdP, what the content and order of the communication messages should be, and what the possible paths in this authentication process are. Part of the profile is the definition of a SAML authentication context for communication between the SP and IdP.
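The SP side of this exchange, as an added example that is not part of the original page or of any project it describes: the SP asks for the REFEDS MFA authentication context (`https://refeds.org/profile/mfa`) in its request and grants access only if the returned assertion asserts exactly that context. The function names, the `Comparison="exact"` choice and the unsigned sample assertions are assumptions made for illustration; signature, issuer and audience validation are assumed to be done beforehand by the SAML library in use.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
REFEDS_MFA = "https://refeds.org/profile/mfa"  # REFEDS MFA profile identifier
PASSWORD_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def requested_authn_context() -> str:
    """RequestedAuthnContext fragment the SP places in its AuthnRequest."""
    rac = ET.Element(f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    ref = ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef")
    ref.text = REFEDS_MFA
    return ET.tostring(rac, encoding="unicode")


def mfa_satisfied(assertion_xml: str) -> bool:
    """True only if an AuthnStatement asserts the REFEDS MFA context.

    Assumption: signature, issuer, audience and validity window were already
    verified by the SAML library; this function is only the MFA check.
    """
    root = ET.fromstring(assertion_xml)
    path = (f".//{{{SAML}}}AuthnStatement/{{{SAML}}}AuthnContext/"
            f"{{{SAML}}}AuthnContextClassRef")
    refs = [(el.text or "").strip() for el in root.iterfind(path)]
    # Exact match: a missing statement or any other class means "no MFA".
    return REFEDS_MFA in refs


def make_assertion(class_ref):
    """Constructed, unsigned sample assertion (hypothetical helper)."""
    stmt = ""
    if class_ref is not None:
        stmt = ("<saml:AuthnStatement><saml:AuthnContext>"
                f"<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>"
                "</saml:AuthnContext></saml:AuthnStatement>")
    return f'<saml:Assertion xmlns:saml="{SAML}">{stmt}</saml:Assertion>'


if __name__ == "__main__":
    print(requested_authn_context())
    for label, ref in [("mfa", REFEDS_MFA), ("password", PASSWORD_CLASS), ("none", None)]:
        print(label, mfa_satisfied(make_assertion(ref)))
```

The check fails closed: an IdP that falls back to password-only authentication, or omits the authentication statement, does not satisfy the SP's MFA requirement.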

Further information about the individual steps of the process, including the messages used to request the IdP to perform MFA, the possible return values based on the authentication result, and the configuration regarding MFA enforcement, can be found in the SP portion of the FAQ.

General information about the MFA profile can be found here, and a more detailed description of the concept can be found in the FAQ section here.