By Mikkel Hald, 22/09/23
Multi-Factor Authentication (“MFA”) is when you identify online using more than one “credential” at the same time – e.g. a password combined with an app on your phone. Many of WAYF's user organisations already let their users identify with MFA when accessing their institutional accounts.
In an identity federation like WAYF, both the provider of a service and a user organisation using that service can have an interest in users identifying using MFA prior to accessing the service. But it can be difficult at the technical level for the parties to communicate about this requirement.
That is why we have now implemented the ability to specify the MFA requirement for a service in its configuration (so-called “metadata”) at WAYF – with WAYF then telling the login system of the user's organisation to do MFA whenever she attempts to access the service. AzureAD, ADFS and Microfocus Access Manager are among the login systems able to interpret the MFA signal sent by WAYF.
The provider of a service can, in the configuration for the service at WAYF, specify which user organisations must use MFA with the service – and correspondingly, each user organisation in its configuration at WAYF can specify with which services MFA must be triggered. So both parties have the ability to require MFA in transactions between them. In case both parties specify something for the other party, WAYF will heed what is specified by the user organisation. For that reason and others, the service should always check which method was actually used, as recorded in the AuthnContext field of the login token.
In WAYF's configuration editor, the RequestedAuthnContext field is where the requirement for MFA (or for another login method, for that matter) is specified. In its Provider sub-field it can be specified to which services or user organisations the requirement applies. If no Provider is specified, WAYF will apply the login method requirement to all login transactions involving the service or user organisation configured.
For instance, the user organisation Technical University of Denmark (DTU) can in its configuration specify a requirement for the MFA method identified by the URI http://schemas.microsoft.com/claims/multipleauthn to be used in any transaction involving the service with the federation ID (i.e. entityID/client-id) https://filesender.deic.dk. The Provider field offers a search over the federation IDs of all services and user organisations participating in WAYF or eduGAIN.
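The service-side check mentioned above (that the service should verify which login method was actually used rather than trust what was requested), as an added example that is not WAYF's own code. It parses the AuthnContextClassRef out of a SAML 2.0 assertion and compares it with the MFA URI from this post; the assertions are constructed for illustration, the issuer URL is a placeholder, and signature verification is assumed to have happened already.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The MFA context class URI named in the post. Which URIs a service accepts
# is its own policy (assumption: this hypothetical service accepts only this one).
ACCEPTED_MFA = {"http://schemas.microsoft.com/claims/multipleauthn"}


def make_assertion(authn_context_ref: Optional[str]) -> str:
    """Build a minimal constructed SAML 2.0 assertion for the checks below.
    Not a real WAYF token: unsigned, placeholder issuer, no Subject/Attributes."""
    stmt = ""
    if authn_context_ref is not None:
        stmt = (
            '<saml:AuthnStatement AuthnInstant="2023-09-22T10:00:00Z">'
            "<saml:AuthnContext><saml:AuthnContextClassRef>"
            f"{authn_context_ref}"
            "</saml:AuthnContextClassRef></saml:AuthnContext>"
            "</saml:AuthnStatement>"
        )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_constructed" Version="2.0" IssueInstant="2023-09-22T10:00:00Z">'
        f"<saml:Issuer>https://idp.example.org</saml:Issuer>{stmt}</saml:Assertion>"
    )


def authn_context_refs(assertion_xml: str) -> List[str]:
    """All AuthnContextClassRef values in the assertion, in document order.
    Call this only on an assertion whose signature has already been verified."""
    root = ET.fromstring(assertion_xml)
    path = "./saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [(el.text or "").strip() for el in root.findall(path, NS)]


def mfa_was_used(assertion_xml: str, accepted=ACCEPTED_MFA) -> bool:
    """Fail closed: True only if an AuthnStatement asserts an accepted MFA
    context. A missing AuthnStatement or an unknown URI counts as 'no MFA',
    whatever the service's RequestedAuthnContext asked for."""
    return any(ref in accepted for ref in authn_context_refs(assertion_xml))


# Constructed sample tokens: MFA, plain password, and no AuthnStatement at all.
MFA_ASSERTION = make_assertion("http://schemas.microsoft.com/claims/multipleauthn")
PASSWORD_ASSERTION = make_assertion(
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")
NO_STATEMENT_ASSERTION = make_assertion(None)
```

Run `mfa_was_used` on each sample: only `MFA_ASSERTION` returns True, so a service that also gates access on this result will not be fooled by a transaction in which the user organisation's configuration overrode the service's MFA request.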