The 2025 REFEDS MFA Profile Working Group is pleased to announce a consultation for the proposed REFEDS Multi-Factor Authentication Profile 2.0 specification and the accompanying Practitioner’s Guide. This period of public comment is open until 14 April 2026, and the final publication of the documents is expected to occur in Q2 2026 after the feedback has been considered.
The REFEDS Multi-Factor Authentication (MFA) Profile defines standard signals that allow service providers (SPs) to request multi-factor authentication (MFA) from identity providers (IdPs), and for IdPs to indicate that MFA has successfully occurred in a federated authentication transaction.
The proposed Version 2.0 of the REFEDS MFA Profile:
-
Is backward compatible with the definition of MFA from REFEDS MFA Profile Version 1.2, now referred to as General MFA.
-
Adds a normative definition of Phishing-Resistant MFA.
-
Consolidates the normative SAML and OpenID material from Version 1.2 to reduce duplication, while retaining the explicit rules for their use. The guidance itself includes clarifications, but no normative changes apart from the introduction of a second identifier for Phishing-Resistant MFA.
-
Clarifies profile conformance requirements.
-
Adds examples of using Phishing-Resistant MFA in SAML and OIDC and moves all the examples to an Appendix for better readability.
To learn more about this consultation and to provide feedback, see the REFEDS wiki.
The 2025 REFEDS MFA Profile Working Group is open to everyone and meets weekly until its anticipated closure after the final revisions have been published. For more information about the Working Group, please see the working group home page, linked from the consultation page.