
MFA enforcement

Sign-in via ProxyIdP can be additionally secured by enforcing multi-factor authentication (MFA). The forms of MFA supported by ProxyIdP, as well as the role of ProxyIdP in this process, are described in more detail on the Multi-factor authentication page in the developer section. This page covers the forms of MFA enforcement supported by ProxyIdP and how to set them up.

MFA enforcement is implemented in accordance with the REFEDS MFA profile. In this context, ProxyIdP is an Identity Provider (IdP) that performs the MFA and returns the result, a message communicating the success or failure of MFA, in response to the authentication request sent by the Service Provider (SP).

Enforcing MFA can be achieved in several ways:

1. Enforce MFA for each user and service

This is the most basic case: MFA is performed whenever any user wants to access a resource or service provided by the SP. The authentication flow can be carried out in multiple ways, most commonly using SAML or OIDC messages. Initially, the service provider sends the IdP an authentication request containing an Authentication Context Class Reference that demands the use of the REFEDS MFA profile.
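The SAML variant of this exchange, seen from the SP, as an added example (not ProxyIdP's own code): it builds the AuthnRequest that demands REFEDS MFA and then checks that the response really reports it, instead of assuming MFA happened because sign-in succeeded. The function names, `Comparison="exact"` and the trimmed sample responses are assumptions made for illustration.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

REFEDS_MFA = "https://refeds.org/profile/mfa"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)


def build_authn_request(sp_entity_id, acs_url, idp_sso_url):
    """SP side: AuthnRequest whose RequestedAuthnContext demands REFEDS MFA."""
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = sp_entity_id
    rac = ET.SubElement(req, f"{{{NS['samlp']}}}RequestedAuthnContext",
                        {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{NS['saml']}}}AuthnContextClassRef").text = REFEDS_MFA
    return ET.tostring(req, encoding="unicode")


def mfa_confirmed(response_xml):
    """SP side: True only for a Success response whose assertion reports REFEDS MFA."""
    # Assumption: the SAML library has already verified the response signature.
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return False
    refs = root.findall("saml:Assertion/saml:AuthnStatement/saml:AuthnContext/"
                        "saml:AuthnContextClassRef", NS)
    return bool(refs) and all((r.text or "").strip() == REFEDS_MFA for r in refs)


def sample_response(status, acr=None):
    """Constructed, unsigned response trimmed to the elements the check reads."""
    stmt = (f"<saml:Assertion><saml:AuthnStatement><saml:AuthnContext>"
            f"<saml:AuthnContextClassRef>{acr}</saml:AuthnContextClassRef>"
            f"</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>") if acr else ""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
            f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>'
            f"{stmt}</samlp:Response>")
```

In an OIDC flow the same pair of steps is the `acr_values` request parameter and a check of the `acr` claim in the ID token.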

Using