by Fredrik Domeij
The update of the Profile has been quite a journey. It started in the Fall of 2020, when the National Institutes of Health in the U.S. announced a timeline for introducing the requirement of REFEDS MFA to access some of their systems. A subgroup of the REFEDS Assurance group was formed to update the MFA Profile FAQ to clarify the requirements of the Profile. During that work, it became obvious that the MFA Profile was quite thin regarding its specific requirements and that they could be interpreted in different ways.
The subgroup was assigned the task of identifying ambiguities in the Profile and laying out the future of the Profile. As work progressed, a v1.1 update of the Profile went to community consultation. It included more detail on the requirements, implementation details for SAML and OIDC, and specific requirements regarding session lifetime and forced authentication. The v1.1 consultation concluded that some of the proposed requirements broke backward compatibility in an unacceptable way.
The subgroup continued its work and came close to publishing a v2.0 version of the Profile with distinct identifiers for timing and forced authentication, before settling on the proposed v1.2 version. That version is mostly identical to v1.1, except that the timing and forced authentication provisions are recommendations and not hard requirements. After a new consultation round for v1.2 and some minor editing to address the consultation comments, the Profile was accepted by the REFEDS Steering Committee. The Profile is complemented with an updated FAQ.
We have a fantastic community: competent individuals willing to spend their valuable time digging into the details of defining profiles and standards that make our world interoperable, and others who participate in consultations with a wide variety of knowledge, ensuring the profiles work in the real world.
Before the closure of the MFA Subgroup, we would like to give some final notes to share the insights gained during our work on this update and to offer recommendations for potential future endeavours: A Note from the REFEDS MFA Profile v1.2 Editors.
Thank you all!
Fredrik Domeij, Chair of the REFEDS Assurance MFA Subgroup, Sunet