The table below shows the differences for a service between the two authentication options:
| Feature | Standard authentication | SFO authenticaton |
|---|---|---|
| Authentication of first factor | Always | Never, should be done by the service itself |
| Authentication of second factor | Yes, based on policy between IdP and SP | Always |
| User registration | Using SURFsecureID selfservice registration and vetting by an RA | |
| Standard SURFconext features | Attributes, Authorization, persistent identifiers | None |