From 72573a84921d0090e33c1ddfc02c3e5a880c3b25 Mon Sep 17 00:00:00 2001 From: John Kemp Date: Wed, 5 Mar 2025 13:01:58 -0500 Subject: [PATCH] remove MFA as a requirement Multi-factor implies more than one factor. I believe it should mention phishing resistance as a security property, rather than "factors". --- ipsie-levels.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipsie-levels.md b/ipsie-levels.md index f59e2ac..8374347 100644 --- a/ipsie-levels.md +++ b/ipsie-levels.md @@ -7,7 +7,7 @@ Each level includes the previous level (_e.g._ SL3 includes the requirements of | IPSIE
LEVEL| Application (aka RP) | Identity Service | |---------------|----------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------| -| SL1 | - MUST meet NIST 800-63-4 FAL2 compliance
- Session lifetime MUST be set from the assertion | - MUST meet NIST 800-63-4 FAL2 Compliance
- MUST enforce MFA and communicate an authentication class to the Application | +| SL1 | - MUST meet NIST 800-63-4 FAL2 compliance
- Session lifetime MUST be set from the assertion | - MUST meet NIST 800-63-4 FAL2 Compliance
- MUST enforce phishing resistance (such as MFA, or passkeys) and communicate an authentication class to the Application | | SL2 | - MUST terminate sessions at the request of the Identity Service| - MUST enforce authentication method requests from Application | | SL3 | - MUST communicate session state changes to Identity Service | - MUST communicate user, session, and device state changes to the Application | ||||
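Review bot: In the added SL1 Identity Service cell, "(such as MFA, or passkeys)" presents MFA as an example of phishing resistance, but MFA in general is not phishing-resistant: one-time codes delivered by SMS or generated by an authenticator app can be relayed by a phishing site. As worded, an Identity Service could keep enforcing any MFA and claim to meet SL1, which contradicts the commit message's intent to require phishing resistance as a property rather than a count of factors. Suggest naming only methods that have the property and making the requirement testable, for example "MUST enforce phishing-resistant authentication (such as passkeys) and communicate an authentication class to the Application". The subject line says "remove MFA as a requirement" while the new text still mentions MFA, so either drop it from the parenthetical or qualify it as "phishing-resistant MFA". Minor: the row still mixes "FAL2 compliance" and "FAL2 Compliance" across the two cells; since this line is being touched anyway, the capitalization could be made consistent.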