The InCommon MFA Support Entity Attribute, identified by the URI http://xxxxxx, is used by Identity Providers to assert compliance with the criteria of the InCommon MFA Profile and the InCommon Base Level Profile. The entity attribute is self-certified; federations may associate it with any IdP whose operator claims that compliance.
The MFA Support Entity Attribute is intended to be used for the following purposes:
- As a filter for constructing an SP's discovery interface, when the SP will not accept authentication that does not meet the criteria of the InCommon MFA Profile.
- As evidence to increase an SP operator's confidence in MFA authentication performed by the IdP.
- To provide information that can be used by an SP to tailor its authentication flow to the capabilities of the IdP.
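The discovery-filter use described above, as an added example that is not part of the profile text: it selects the IdPs in a SAML metadata aggregate that carry the entity attribute value. The attribute Name and the value URI are placeholders (the page elides the real URI), and the sample metadata is constructed.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Placeholders (assumptions): the page elides the real URI and does not say
# which attribute Name carries it.
ATTR_NAME = "https://example.org/PLACEHOLDER-attribute-name"
MFA_SUPPORT = "https://example.org/PLACEHOLDER-mfa-support-uri"


def _entity(entity_id, role, name=None, value=None):
    """Build one constructed EntityDescriptor for the sample aggregate."""
    ext = ""
    if name:
        ext = (f'<md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="{name}">'
               f"<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>"
               "</mdattr:EntityAttributes></md:Extensions>")
    return (f'<md:EntityDescriptor entityID="{entity_id}">{ext}<md:{role} '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
            "</md:EntityDescriptor>")


# Constructed sample; assumed to come from an aggregate whose federation
# signature was already verified, since the attribute is only a self-certified claim.
SAMPLE = (
    "<md:EntitiesDescriptor " + " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items()) + ">"
    + _entity("https://idp-a.example.org/idp", "IDPSSODescriptor", ATTR_NAME, MFA_SUPPORT)
    + _entity("https://idp-b.example.org/idp", "IDPSSODescriptor")
    + _entity("https://idp-c.example.org/idp", "IDPSSODescriptor", "https://example.org/other", MFA_SUPPORT)
    + _entity("https://sp-d.example.org/sp", "SPSSODescriptor", ATTR_NAME, MFA_SUPPORT)
    + "</md:EntitiesDescriptor>"
)


def mfa_idps(metadata_xml, name=ATTR_NAME, value=MFA_SUPPORT):
    """Return entityIDs of IdPs whose entity attributes carry the MFA support value."""
    found = []
    for ent in ET.fromstring(metadata_xml).iter(f"{{{NS['md']}}}EntityDescriptor"):
        if ent.find("md:IDPSSODescriptor", NS) is None:
            continue  # only IdPs belong in a discovery list
        for attr in ent.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            values = {(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)}
            if attr.get("Name") == name and value in values:
                found.append(ent.get("entityID"))
                break
    return found
```

The filter matches on both the attribute Name and the value, so the same URI appearing under a different attribute, or on an SP entity, does not place an entity in the discovery list.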
Scott Cantor (osu.edu)
This is an extremely pedantic point, but there's always been language in the Entity Category draft that discourages use of "categories" as an assurance label. I realize this isn't assurance, but of course most people tend to put it in that bucket. It really doesn't matter, it's an EntityAttribute either way, but if we end up defining it, we'll want to call it something else.