Institutions can decide for themselves whether they want to log in to the edubadges issuer portal using two-factor authentication (2FA or MFA). Institutions can request this themselves (via the institution's SURFconext contact person) at support@surfconext.nl. Nothing needs to be configured or adjusted on the edubadges side for this.

They then request to adjust the link between their institution's IDP and the Edubadges [Issuer portal] service (this has clientID="www.edubadges.nl") so that MFA is used via SURFsecureID from now on.

After this link has been adjusted, they will receive an email like this from support@surfconext.nl:

Hereby the confirmation that the registration of the Relying Party - Edubadges [Issuer portal] (with clientID="www.edubadges.nl") has been adjusted on the production environment of SURFconext so that a token with a minimum LoA 2 [1] is required for users of <institution> when logging in to the relevant service...

The requested adjustment is effective immediately..

Note 1: See https://wiki.surfnet.nl/display/SsID/Levels+of+Assurance for an explanation of the different Levels of Assurance settings used by SURFconext.

There are basically 2 options for the institution:

• MFA on your own IDP possible → MFA voor diensten achter SURFconext
• Purchase and call SURFsecureID service → SURFsecureID gebruiken met SURFconext