Attribute Quality

The edu-ID attribute quality model is inspired by the eCH-0171 specification. The following verification levels are supported by edu-ID:

Verification level 1 (low)
  Description: Self-declared attributes by the user, on an online form of the SWITCH edu-ID web site.
  swissEduIDAssuranceLevel value: https://eduid.ch/def/loa1
  Label in my edu-ID: unverified

Verification level 2 (medium)
  Description: Requires an automated validation process. The user triggers a validation process that is programmatically executed on the SWITCH edu-ID IdP.
  swissEduIDAssuranceLevel value: https://eduid.ch/def/loa2
  Label in my edu-ID: verified

Verification level 3 (high)
  Description: Requires an in-person validation process, either physically at a service desk or online in a video session. An attribute is verified by a person based on a non-governmental document, certificate or identification card or better.
  swissEduIDAssuranceLevel value and label in my edu-ID: (not implemented yet)


Quality of Affiliation Attributes

The quality of affiliation attributes, which are entirely under the control of the participating universities, is not formally defined. However, the Federation Partner Agreement requires that only current organization members can have an affiliation, and that the affiliation attributes are validated by the organization. Most universities perform an in-person ID check in their onboarding process.

Although not formally guaranteed, current affiliations and their attributes can safely be assumed to have loa2 level.

Quality of Personal Attributes

Attribute quality statements in the personal part of an edu-ID identity are expressed in the meta-attribute swissEduIDAssuranceLevel.

Quality statements are made on attribute level. Basically, the SWITCH edu-ID data model represents for each attribute its verification status and a timestamp of the last verification. Multi-valued attributes have only a single verification status and timestamp.

Attribute | Possible verification levels | Comment

givenName

loa1: self-declared by user and not verified

loa2: provided by an organization


surname

loa1: self-declared by user and not verified

loa2: provided by an organization


mail

loa1: (not supported)

loa2:

  • self-declared by user and verified by edu-ID (by sending an email containing a one-time verification code)
  • provided by an organization

In the personal part of an edu-ID account this attribute always contains exactly one email address, and it is always verified.

swissEduIDAssociatedMail

loa1: (not supported)

loa2:

  • self-declared by user and verified by edu-ID (by sending an email containing a one-time verification code)
  • provided by an organization

dateOfBirth

loa1: self-declared by user and not verified

loa2: (not supported)


telephoneNumber

loa1: self-declared by user and not verified

loa2: provided by an organization


mobile

loa1: (not supported)

loa2: self-declared by user and verified by edu-ID (by sending an SMS containing a one-time verification code)

In the personal part of an edu-ID account this value is always verified if it is present.

postalAddress

loa1: self-declared by user and not verified

loa2: provided by an organization

In the personal part of an edu-ID account this attribute always contains zero or one postal address.

homePostalAddress

loa1: self-declared by user and not verified

loa2: self-declared by user and verified by edu-ID (by sending a letter containing a one-time verification code)

In the personal part of an edu-ID account this attribute always contains zero or one postal address.

eduPersonOrcid

loa1: (not supported)

loa2: imported from orcid.org with a 3-legged OAuth 2 authorization process. This proves that the user is in possession of the authentication credentials for a specific ORCID-ID on orcid.org.

In the personal part of an edu-ID account this value is always verified.

 *) Verification provided by an organization:
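The per-attribute data model described above (one verification status and one timestamp per attribute, also for multi-valued ones) and the table of possible levels are what a relying service has to evaluate before it trusts a value. The following is an added example, not code from SWITCH or the edu-ID project: a small relying-party check that encodes the table as the set of levels each personal attribute can legitimately carry, enforces a per-service minimum level, and optionally a maximum age of the last verification. The page does not specify how swissEduIDAssuranceLevel is encoded on the wire, so the example assumes (hypothetically) that the assertion has already been parsed into VerifiedAttribute records; the sample assertions and the policy are constructed.

```python
"""Relying-party check of per-attribute assurance levels.

Added example; this is not code from SWITCH or the edu-ID project. The
page does not specify how swissEduIDAssuranceLevel is encoded on the wire,
so this example assumes (hypothetically) that the IdP's assertion has
already been parsed into VerifiedAttribute records: one LoA URI and one
verification timestamp per attribute, also for multi-valued attributes.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

LOA1 = "https://eduid.ch/def/loa1"   # self-declared, unverified
LOA2 = "https://eduid.ch/def/loa2"   # automated validation by the edu-ID IdP
LOA_RANK = {LOA1: 1, LOA2: 2}

# Verification levels the page lists as possible for each personal attribute.
# A presented level outside this set is inconsistent with the documented
# data model and should not be trusted.
POSSIBLE_LEVELS = {
    "givenName": {LOA1, LOA2},
    "surname": {LOA1, LOA2},
    "mail": {LOA2},
    "swissEduIDAssociatedMail": {LOA2},
    "dateOfBirth": {LOA1},
    "telephoneNumber": {LOA1, LOA2},
    "mobile": {LOA2},
    "postalAddress": {LOA1, LOA2},
    "homePostalAddress": {LOA1, LOA2},
    "eduPersonOrcid": {LOA2},
}


@dataclass(frozen=True)
class VerifiedAttribute:
    name: str
    value: tuple            # one or more values; a single status/timestamp covers all of them
    loa: str                # swissEduIDAssuranceLevel URI
    verified_at: datetime   # timestamp of the last verification


def evaluate(attrs: Iterable[VerifiedAttribute], policy: dict, now: datetime,
             max_age: Optional[timedelta] = None):
    """policy maps attribute name -> minimum LoA rank the service requires.
    Returns (accepted, problems); accepted is True only if problems is empty."""
    attrs = list(attrs)
    present = {a.name: a for a in attrs}
    problems = []

    # Sanity checks on every presented attribute, whether the policy needs it or not.
    for a in attrs:
        if a.loa not in LOA_RANK:
            problems.append(f"{a.name}: unknown assurance level {a.loa}")
        elif a.name in POSSIBLE_LEVELS and a.loa not in POSSIBLE_LEVELS[a.name]:
            problems.append(f"{a.name}: level {a.loa} is not possible for this attribute")
        if a.verified_at > now:
            problems.append(f"{a.name}: verification timestamp lies in the future")

    # Policy checks on the attributes the service actually relies on.
    for name, min_rank in policy.items():
        a = present.get(name)
        if a is None:
            problems.append(f"{name}: required attribute missing")
            continue
        if LOA_RANK.get(a.loa, 0) < min_rank:
            problems.append(f"{name}: level {a.loa} is below the required rank {min_rank}")
        if max_age is not None and now - a.verified_at > max_age:
            problems.append(f"{name}: last verification is older than {max_age.days} days")
    return (not problems, problems)


# Constructed sample assertions (not real edu-ID data) for a hypothetical
# service that needs a verified email and organisation-provided names.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
POLICY = {"mail": 2, "givenName": 2, "surname": 1}


def demo_rejected():
    attrs = [
        VerifiedAttribute("mail", ("alice@example.org",), LOA2, NOW - timedelta(days=10)),
        VerifiedAttribute("givenName", ("Alice",), LOA1, NOW - timedelta(days=400)),
        VerifiedAttribute("dateOfBirth", ("1990-01-01",), LOA2, NOW),  # loa2 is not possible per the table
    ]
    return evaluate(attrs, POLICY, NOW, max_age=timedelta(days=365))


def demo_accepted():
    attrs = [
        VerifiedAttribute("mail", ("alice@example.org",), LOA2, NOW - timedelta(days=10)),
        VerifiedAttribute("givenName", ("Alice",), LOA2, NOW - timedelta(days=30)),
        VerifiedAttribute("surname", ("Muster",), LOA2, NOW - timedelta(days=30)),
    ]
    return evaluate(attrs, POLICY, NOW, max_age=timedelta(days=365))


if __name__ == "__main__":
    for label, (ok, problems) in (("rejected", demo_rejected()), ("accepted", demo_accepted())):
        print(label, ok, *problems, sep="\n  ")
```

The rejected sample fails for four separate reasons: dateOfBirth is presented at loa2, which the table does not allow; givenName is only loa1 and its verification is older than the 365-day limit; and surname is required but absent. Treating an impossible level as a hard failure rather than ignoring it is deliberate: it is the cheapest way to notice a misconfigured or tampered assertion.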

Authentication quality

SWITCH edu-ID provides two levels of authentication quality:

  • Standard security requirements: single-factor authentication with the email address as user name and a password. The edu-ID password policy is mostly based on the NIST SP 800-63B recommendations.
  • Advanced security requirements: two-step login (two-factor authentication), which can optionally be required by a service provider or by the owner of the edu-ID account.
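To make the "based on NIST SP 800-63B" statement concrete, here is an added example of what a password acceptance check in that spirit looks like. It is not SWITCH edu-ID's actual policy (the page only says the policy is mostly based on 800-63B) and the blocklist is a constructed stand-in for a real breached-password corpus. The 800-63B points it implements: a minimum of 8 and a permitted maximum of at least 64 characters, Unicode normalization before comparison, rejection of blocklisted, repetitive, sequential and context-specific values, and, on purpose, no composition rules.

```python
"""Verifier-side password acceptance check in the spirit of NIST SP 800-63B.

Added example; this is not SWITCH edu-ID's actual password policy. The
blocklist below is a small constructed sample standing in for a real
corpus of breached and commonly used passwords.
"""
import unicodedata

MIN_LEN = 8    # 800-63B: user-chosen memorized secrets are at least 8 characters
MAX_LEN = 64   # 800-63B: verifiers should permit at least 64 characters

# Constructed stand-in for a breached/common-password blocklist (lower case).
BLOCKLIST = {"password", "12345678", "qwertyuiop", "letmein1"}


def normalize(secret: str) -> str:
    # 800-63B recommends applying Unicode normalization (NFKC) before the
    # secret is compared or hashed, so visually identical input is treated alike.
    return unicodedata.normalize("NFKC", secret)


def is_sequential(s: str) -> bool:
    """True for runs like 'abcdefgh' or '12345678' (every step is +1 or -1)."""
    if len(s) < 2:
        return False
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return diffs in ({1}, {-1})


def check_password(secret: str, context_words=()) -> list:
    """Return the list of reasons for rejection; an empty list means acceptable.
    context_words are user identifiers (login name, email local part, ...)."""
    s = normalize(secret)
    lowered = s.lower()
    reasons = []
    if len(s) < MIN_LEN:
        reasons.append("shorter than 8 characters")
    if len(s) > MAX_LEN:
        reasons.append("longer than 64 characters")
    if lowered in BLOCKLIST:
        reasons.append("found in blocklist of common/breached passwords")
    if len(s) > 0 and len(set(s)) == 1:
        reasons.append("single repeated character")
    if is_sequential(lowered):
        reasons.append("sequential characters")
    for word in context_words:
        word = word.lower()
        if len(word) >= 4 and word in lowered:
            reasons.append(f"contains context-specific word {word!r}")
    # Deliberately absent: composition rules (forced digits/symbols) and
    # periodic expiry; 800-63B advises verifiers against both.
    return reasons


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple", "Abc", "alice2024!"):
        print(repr(candidate), check_password(candidate, context_words=("alice",)))
```

Note that the check rejects "12345678" twice over (blocklisted and sequential) while accepting a long passphrase with spaces; the only reason "alice2024!" is refused is that it contains the user's own login name.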