Attribute Quality
The edu-ID attribute quality model is inspired by the eCH-0171 specification. The following verification levels are supported by edu-ID:
verification level | description | swissEduIDAssuranceLevel value | label in my edu-ID |
1 - low | Self-declared attributes by the user, on an online form of the SWITCH edu-ID web site. | https://eduid.ch/def/loa1 | |
2 - medium | Requires an automated validation process. The user triggers a validation process that is programmatically executed on the SWITCH edu-ID IdP. | https://eduid.ch/def/loa2 | |
3 - high | Requires an in-person validation process, either physically at a service desk or online in a video session. An attribute is verified by a person based on a non-governmental document, certificate or identification card or better. | (not implemented yet) |
Quality of Affiliation Attributes
The quality of affiliation attributes, who are entirely under control of participating universities, is not formally defined. However, the Federation Patrner Agreement requires that only current organization members can have an affiliation, and that the affiliation attributes are validated by the organization. Most universities perform an in-person ID check in their onboarding process.
Although not formally guaranteed, current affiliations and their attributes can safely assumed to have loa2 level.
Quality of Personal Attributes
Attribute quality statements in the personal part of an edu-ID identity are expressed in the meta-attribute swissEduIDAssuranceLevel.
Quality statements are made on attribute level. Basically, the SWITCH edu-ID data model represents for each attribute its verification status and a timestamp of the last verification. Multi-valued attributes have only a single verification status and timestamp.
Attribute | Possible Verification Levels | Comment |
loa1: self-declared by user and not verified loa2: provided by an organization |
||
loa1: self-declared by user and not verified loa2: provided by an organization |
||
loa1: (not supported) loa2:
|
In the personal part of an edu-ID account this attribute always contains exactly one email address, and it is always verified. |
|
loa1: self-declared by user and not verified loa2: self-declared by user and matches with value in one of the user's affiliations |
||
loa1: dateOfBirth is self-declared by user and not verified. loa2: Provided by an organization or derived from a dateOfBirth provided by an organization |
Can be provided by organizations or else is derived from the dateOfBirth | |
loa1: self-declared by user and not verified loa2: provided by an organization |
||
loa1: (not supported) loa2: self-declared by user and verified by edu-ID (by sending an SMS containing a one-time verification code) |
In the personal part of an edu-ID account this value is always verified if it is present. | |
loa1: self-declared by user and not verified loa2: provided by an organization |
In the personal part of an edu-ID account this attribute always contains zero or one postal address. | |
loa1: self-declared by user and not verified loa2: self-declared by user and verified by edu-ID (by sending a letter containing a one-time verification code) |
In the personal part of an edu-ID account this attribute always contains zero or one postal address. | |
loa1: (not supported) loa2: imported from orcid.org with 3-legged OAuth 2 authorization process. This proves that the user is in posession of the authentication credentials for a specific ORCID-ID on orcid.org. |
In the personal part of an edu-ID account this value is always verified. | |
loa1: self-declared by user and not verified loa2: self-declared by user and matches with value in one of the user's affiliations |
||
swissEduPersonMatriculationNumber |
loa1: self-declared by user and not verified loa2: self-declared by user and matches with value in one of the user's affiliations |
|
homePhone |
loa1: self-declared by user and not verified loa2: self-declared by user and matches with value in one of the user's affiliations |
*) Verification provided by an organization:
Authentication quality
SWITCH edu-ID provides two levels of authentication quality:
- Standard security requirements: uses single-factor authentication with e-Mail address as user name and a password. The edu-ID password policy is mostly based on the NIST SP 800-63B recommendations.
- Advanced security requirements: Two-step login (two factor authenticaton), which can optionally be required by a service provider or the owner of the edu-ID account.