Attribute Quality

Attribute quality statements were introduced with the SWITCH edu-ID service. They are expressed in the meta-attribute swissEduIDAssuranceLevel. To our knowledge, the SWITCH edu-ID IdP is the only one in the SWITCH aai federation that supports swissEduIDAssuranceLevel; a service provider therefore cannot expect this attribute from other IdPs and should treat its absence as "no quality statement made", not as a verification level.

Quality statements are made at attribute level: the SWITCH edu-ID data model records, for each attribute, its verification status and a timestamp of the last verification. A multi-valued attribute has only a single verification status and timestamp, which covers all of its values.

The edu-ID attribute quality model is inspired by the eCH-171 specification. The following verification levels are supported by edu-ID:

Verification level | Description | swissEduIDAssuranceLevel value | Label in the my edu-ID web application
1 - low | Self-declared attributes, entered by the user on an online form of the Swiss edu-ID web site. | https://eduid.ch/def/loa1 | unverified
2 - medium | Requires an automated validation process. The user triggers a validation process that is programmatically executed on the Swiss edu-ID IdP. | https://eduid.ch/def/loa2 | verified
3 - high | Requires an in-person validation process, either physically at a service desk or online in a video session. An attribute is verified by a person based on a non-governmental document, certificate or identification card, or better. | (not implemented yet) | (not implemented yet)



Additional information about how and when an attribute was added, changed or verified is provided by tooltips.

The following list gives, for each attribute, its possible verification levels and a comment on how it is handled in the personal part of an edu-ID account:

givenName

loa1: self-declared by user and not verified

loa2: provided by an organization


surname

loa1: self-declared by user and not verified

loa2: provided by an organization


mail

loa1: (not supported)

loa2:

  • self-declared by user and verified by edu-ID (by sending an email containing a one-time verification code)
  • provided by an organization

In the personal part of an edu-ID account this attribute always contains exactly one email address, and it is always verified.

swissEduIDAssociatedMail

loa1: (not supported)

loa2:

  • self-declared by user and verified by edu-ID (by sending an email containing a one-time verification code)
  • provided by an organization

dateOfBirth

loa1: self-declared by user and not verified

loa2: (not supported)


telephoneNumber

loa1: self-declared by user and not verified

loa2: provided by an organization


mobile

loa1: (not supported)

loa2: self-declared by user and verified by edu-ID (by sending an SMS containing a one-time verification code)

In the personal part of an edu-ID account this value is always verified if it is present.

postalAddress

loa1: self-declared by user and not verified

loa2: provided by an organization

In the personal part of an edu-ID account this attribute always contains zero or one postal address.

homePostalAddress

loa1: self-declared by user and not verified

loa2: self-declared by user and verified by edu-ID (by sending a letter containing a one-time verification code)

In the personal part of an edu-ID account this attribute always contains zero or one postal address.

eduPersonOrcid

loa1: (not supported)

loa2: imported from orcid.org via a three-legged OAuth 2 authorization flow. This proves that the user is in possession of the authentication credentials for a specific ORCID-ID on orcid.org.

In the personal part of an edu-ID account this value is always verified. 

 *) Verification provided by an organization:
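The verification levels above and the per-attribute table are only useful if the service provider actually enforces them. The following is an added example, not SWITCH code and not part of the original page, showing one way an SP could consume the swissEduIDAssuranceLevel values released with an assertion: it maps level URIs to ranks, fails closed on unknown URIs (loa3 is not implemented, and a future or bogus URI must never be trusted as "high"), distinguishes "no statement" (e.g. another IdP) from "unverified", and checks a per-attribute minimum. It assumes the wire encoding `<attributeName>:<loaURI>` for each value (check this against the SWITCHaai attribute specification before relying on it) and that the SP software has already extracted the assertion attributes into a dict of lists; the sample attributes and requirements are constructed for the example.

```python
"""Service-provider side check of swissEduIDAssuranceLevel statements.

Added example, not SWITCH code. Assumptions (verify against the SWITCHaai
attribute specification): each swissEduIDAssuranceLevel value is encoded as
"<attributeName>:<loaURI>", and the SP software has already extracted the
assertion attributes into a dict mapping attribute name -> list of values.
"""
from typing import Dict, List, Mapping

# Level URIs documented for edu-ID. loa3 (in-person verification) is not
# implemented yet, so it is deliberately absent: an unknown URI yields no
# usable statement rather than a high level (fail closed).
LOA_RANK: Dict[str, int] = {
    "https://eduid.ch/def/loa1": 1,   # self-declared, unverified
    "https://eduid.ch/def/loa2": 2,   # automated verification
}


def parse_assurance_levels(values: List[str]) -> Dict[str, int]:
    """Map attribute name -> numeric level.

    Malformed entries and unknown level URIs are dropped. If an attribute is
    stated twice, the lower level wins (conservative choice).
    """
    levels: Dict[str, int] = {}
    for raw in values:
        # Split at the first colon only: the level URI itself contains ':'.
        name, sep, uri = raw.partition(":")
        if not sep:
            continue                      # no separator: malformed, ignore
        rank = LOA_RANK.get(uri.strip())
        if rank is None:
            continue                      # unknown/unsupported level: ignore
        name = name.strip()
        levels[name] = min(rank, levels.get(name, rank))
    return levels


def check_policy(attributes: Mapping[str, List[str]],
                 assurance_values: List[str],
                 required: Mapping[str, int]) -> Dict[str, str]:
    """For each required attribute return "ok" or the reason it fails.

    Three failure modes are kept apart on purpose: the attribute is missing,
    it is present but no quality statement covers it (typical when the IdP
    is not SWITCH edu-ID, since only edu-ID sends this meta-attribute), or
    its stated level is below the minimum the service demands.
    """
    levels = parse_assurance_levels(assurance_values)
    result: Dict[str, str] = {}
    for attr, min_level in required.items():
        if not attributes.get(attr):
            result[attr] = "missing"
            continue
        level = levels.get(attr)
        if level is None:
            result[attr] = "no assurance statement"
        elif level < min_level:
            result[attr] = f"loa{level} below required loa{min_level}"
        else:
            result[attr] = "ok"
    return result


def all_satisfied(result: Mapping[str, str]) -> bool:
    """True only if every required attribute passed."""
    return all(v == "ok" for v in result.values())


# Constructed sample input (not real assertion data).
SAMPLE_ATTRIBUTES = {
    "givenName": ["Alex"],
    "surname": ["Muster"],
    "mail": ["alex.muster@example.org"],
    "dateOfBirth": ["1990-01-01"],
    "mobile": ["+41 79 000 00 00"],
}
SAMPLE_ASSURANCE = [
    "givenName:https://eduid.ch/def/loa1",     # self-declared only
    "surname:https://eduid.ch/def/loa2",       # provided by an organization
    "mail:https://eduid.ch/def/loa2",          # always verified in edu-ID
    "dateOfBirth:https://eduid.ch/def/loa1",   # loa2 not supported for DoB
    "mobile:https://eduid.ch/def/loa9",        # bogus URI: must not be trusted
]
# Hypothetical service policy: verified name and mail, self-declared DoB ok.
SAMPLE_REQUIREMENTS = {
    "givenName": 2, "surname": 2, "mail": 2,
    "dateOfBirth": 1, "mobile": 2, "telephoneNumber": 1,
}

if __name__ == "__main__":
    outcome = check_policy(SAMPLE_ATTRIBUTES, SAMPLE_ASSURANCE, SAMPLE_REQUIREMENTS)
    for attr, verdict in outcome.items():
        print(f"{attr:18s} {verdict}")
    print("access granted" if all_satisfied(outcome) else "access denied")
```

Because a multi-valued attribute carries a single status, the SP cannot rank individual values of, say, swissEduIDAssociatedMail; it can only trust or distrust the attribute as a whole, which is what the check above does.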

Authentication quality

SWITCH edu-ID provides two levels of authentication quality:

  • Standard security requirements: single-factor authentication with the email address as user name and a password. The edu-ID password policy is largely based on the NIST SP 800-63B recommendations.
  • Advanced security requirements: two-step login (two-factor authentication), which can optionally be required by a service provider or by the owner of the edu-ID account.