Until now, MFA for an edu-ID login could be required in only two ways: a service in the edu-ID federation could demand multi-factor authentication (MFA) for its own login process, or an edu-ID user could enable it for her own account. Now edu-ID also allows universities to define rules for all their users that enforce the use of MFA.
The edu-ID service now introduces the Organisational Authentication Policy. This allows all universities and organisations with edu-ID integration to define the security level at which the authentication of their members should take place.
The Organisational Authentication Policy allows the following authentication parameters to be controlled:
- The security level: permission for one-factor authentication, or enforcement of two factors
- The type of authorised means for the second factor (SMS or TOTP, e.g. Google Authenticator)
- The duration of an MFA session, i.e. when a new MFA authentication must take place on the same device (the default is 30 days)
This policy is not defined once for an entire university, but per person: each member has her own policy. As an example, this allows a university to enforce a general obligation to use MFA, and at the same time to define exceptions for individual members for whom the use of MFA is not reasonable.
The policy is therefore a user-specific parameter. The university defines this for each of its members and transmits it to Switch edu-ID. The existing interface between the university IAM and edu-ID (i.e. the push or pull interface) is used for this.
The Organisational Authentication Policy is now available for all universities and organisations with edu-ID integration. The detailed documentation can be found here: https://help.switch.ch/eduid/docs/services/login/auth/orgpolicy/
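To make the three parameters and the per-member model concrete, here is a toy policy evaluator. It is an added example, not part of the original article and not Switch's code: the policy schema, the member list, the `decide` function and the fail-closed defaults are assumptions, and the passkey handling follows the comment thread below (a passkey with user verification counts as password plus second factor; passkeys without user verification are refused). The real interface and data format are the ones documented at the link above.

```python
"""Toy evaluator for a per-member Organisational Authentication Policy.

Added example; not Switch's code and not the edu-ID policy schema. The
field names, the member table and the decision order are assumptions
modelled on the announcement and its comment thread.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional, Tuple

ONE_FACTOR = "one-factor"
TWO_FACTOR = "two-factor"
DEFAULT_MFA_SESSION_DAYS = 30  # default session length named in the announcement


@dataclass(frozen=True)
class OrgAuthPolicy:
    """The three parameters the announcement says the organisation controls."""
    security_level: str = ONE_FACTOR
    allowed_second_factors: FrozenSet[str] = frozenset({"sms", "totp"})
    mfa_session_days: int = DEFAULT_MFA_SESSION_DAYS


@dataclass(frozen=True)
class LoginAttempt:
    """What the login service knows at decision time (constructed model)."""
    password_ok: bool
    second_factor: Optional[str] = None            # "sms", "totp" or None
    passkey_user_verified: Optional[bool] = None   # None: no passkey used
    last_mfa_on_device: Optional[datetime] = None  # last MFA on this device


# Constructed per-member policies, as the university IAM would push them
# (assumption: one record per member, exceptions are just different records).
ORG_DEFAULT = OrgAuthPolicy(security_level=TWO_FACTOR,
                            allowed_second_factors=frozenset({"totp"}))
MEMBER_POLICIES: Dict[str, OrgAuthPolicy] = {
    "alice@example.edu": ORG_DEFAULT,
    "bob@example.edu": ORG_DEFAULT,
    # Exception: a shared kiosk account for which MFA is not reasonable.
    "kiosk@example.edu": OrgAuthPolicy(security_level=ONE_FACTOR),
}

NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo


def days_before(now: datetime, days: int) -> datetime:
    return now - timedelta(days=days)


def policy_for(member: str) -> OrgAuthPolicy:
    # Fail closed: a member without a transmitted policy gets the org default
    # (assumption; the real behaviour is in the edu-ID documentation).
    return MEMBER_POLICIES.get(member, ORG_DEFAULT)


def mfa_session_valid(policy: OrgAuthPolicy, last: Optional[datetime],
                      now: datetime) -> bool:
    """True while the device's last MFA is younger than the policy's session."""
    return last is not None and now - last < timedelta(days=policy.mfa_session_days)


def evaluate(policy: OrgAuthPolicy, attempt: LoginAttempt,
             now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Unknown policy values are refused."""
    # Passkey path (from the comment thread): only user-verified passkeys are
    # accepted, and one counts as password + second factor together.
    if attempt.passkey_user_verified is not None:
        if not attempt.passkey_user_verified:
            return False, "passkey without user verification refused"
        return True, "user-verified passkey satisfies two factors"
    if not attempt.password_ok:
        return False, "password failed"
    if policy.security_level == ONE_FACTOR:
        return True, "one-factor login permitted by policy"
    if policy.security_level != TWO_FACTOR:
        return False, f"unknown security level {policy.security_level!r}"
    if mfa_session_valid(policy, attempt.last_mfa_on_device, now):
        return True, "within MFA session on this device"
    if attempt.second_factor is None:
        return False, "second factor required (no valid MFA session)"
    if attempt.second_factor not in policy.allowed_second_factors:
        return False, f"second factor {attempt.second_factor!r} not permitted"
    return True, f"two factors satisfied with {attempt.second_factor}"


def decide(member: str, attempt: LoginAttempt, now: datetime) -> Tuple[bool, str]:
    return evaluate(policy_for(member), attempt, now)


if __name__ == "__main__":
    for who, att in [
        ("alice@example.edu", LoginAttempt(password_ok=True, second_factor="totp")),
        ("alice@example.edu", LoginAttempt(password_ok=True, second_factor="sms")),
        ("alice@example.edu", LoginAttempt(password_ok=True,
                                           last_mfa_on_device=days_before(NOW, 31))),
        ("kiosk@example.edu", LoginAttempt(password_ok=True)),
        ("bob@example.edu", LoginAttempt(password_ok=False, passkey_user_verified=False)),
    ]:
        print(who, decide(who, att, NOW))
```

The order of checks is the point: a member's exception (kiosk) is simply a different record, an expired MFA session on a device falls back to demanding a second factor, and a factor the organisation did not authorise (SMS under a TOTP-only policy) is refused even though it is a valid second factor in general.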
(Illustration: bsd studio / stock.adobe.com)
Good news!
When you say “The type of authorised means for the second factor (SMS or TOTP aka. Google Authenticator)”, is passkey also an option?
Yes, a passkey is considered as secure as password + 2nd factor together. Only passkeys with user verification (biometric or PIN code) are allowed currently for edu-ID.