Assurance 2.0 - The Evolution of the REFEDS Assurance Suite

Mar 22, 2022, 4:00 PM
Room 1

Jule A. Ziegler (Leibniz Supercomputing Centre)


With the start of the global COVID-19 pandemic in 2019, we all experienced an unexpected shift of our daily life and business to the virtual. With that, collaboration services, such as videoconferencing tools or wikis, started to become an integral part of our lives. To access such tools in the higher Research and Education (R&E) space, federated access and single sign-on are commonly used. Federated access and the concept of identity federations, such as national federations operated in many cases by NRENs, rely heavily on trust, i.e. trust between Federation Operators (FOs), Identity Providers (IDPs), Service Providers (SPs), and users. While trust is multifaceted and has to be established in many areas, such as organizational trust through adherence to a common set of agreements, or technical trust through the use of signatures and certificates, another important dimension is trust in the user: that the user who is accessing the service is indeed the person (s)he claims to be. To communicate qualitative identity and authentication information about a user, assurance information is used, with its strength expressed by different Levels of Assurance (LoA) or ‘assurance profiles’. To address the assurance needs in R&E, the REFEDS Assurance Suite was released in 2018. It comprises orthogonal components on identity assurance (the REFEDS Assurance Framework (RAF)) and authentication assurance (the Single Factor Authentication Profile (SFA) and the Multi Factor Authentication Profile (MFA)). However, one of the drawbacks identified in the REFEDS RAF identity proofing section is its use of links to external documents, such as eIDAS, Kantara or IGTF, which makes the framework hard to understand and use. This is why the REFEDS Assurance Working Group decided to evolve the current REFEDS RAF version 1.
Version 2, which is in draft status at the time of writing this abstract, will define its own criteria on Identity Proofing (while maintaining backwards compatibility) and will also make other parts of the specification clearer by bringing informative text into the framework. In addition, with the National Institutes of Health in the U.S. being one of the driving factors, the REFEDS Assurance Working Group formed an MFA Subgroup to provide supplementary material, particularly implementation guidance, for the REFEDS MFA Profile.

This presentation addresses the evolution of REFEDS Assurance. The talk starts with an overview of the REFEDS Assurance Suite version 1 and its specifications REFEDS RAF, SFA and MFA. The focus of this talk lies in the enhancements provided to REFEDS RAF and MFA as well as the community consultation process.

