Publication History:

V1.0  Published 07 June 2017 (current)

1.     Introduction

This Multi-Factor Authentication (MFA) Profile specifies requirements that an authentication event must meet in order to communicate the usage of MFA. It also defines a SAML authentication context for expressing this in SAML.

The MFA Authentication Context can be used by Service Providers to request that Identity Providers perform MFA as defined below and by IdPs to notify SPs that MFA was used.

The Profile Recommendation is based on the OASIS Authentication Context for SAML [1] and the MFA Interop Final Report by InCommon [2].

2.     Scope

It should be noted that there are other assurance related issues, such as identity proofing and registration, that may be of concern to SPs when authenticating users. This profile, however, does not establish any requirements for those other issues; these may be addressed by other REFEDS profiles [3].

3.     Syntax

In a SAML assertion, compliance is communicated by asserting the AuthnContextClassRef:

4.     Criteria

By asserting the URI shown above, an Identity Provider claims that:

  • The authentication of the user’s current session used a combination of at least two of the four distinct types of factors defined in ITU-T X.1254: Entity authentication assurance framework, section 3.1.3, authentication factor (something you know, something you have, something you are, something you do) [4].
  • The factors used are independent, in that access to one factor does not by itself grant access to other factors.
  • The combination of the factors mitigates single-factor only risks related to non-real-time attacks such as phishing, offline cracking, online guessing and theft of a (single) factor.

5.     References

[1] Kemp, John at al.  “Authentication Context for the OASIS Security Assertion Markup Language(SAML) V2.” 15 March 2005:

[2] Herrington, Karen et al.  “Multi-Factor Authentication (MFA) Interoperability Profile Working Group Final Report.”  23 June 2016:

[3] REFEDS Profiles are listed at:

[4] International Telecommunication Union. “Series X. Data Networks, Open System Communication and Security. Cyberspace security – Identity management. Entity authentication assurance framework. Standard X.1254.” September 2012: