The table below shows the differences for a service between the two authentication options. Note that both options can be used by an institution protecting it's services. For each service the most appropriate integration option can be chosen.
| Feature | Standard authentication | SFO authenticaton |
|---|---|---|
| Authentication of first factor | Always | Never, should be done by the service itself |
| Authentication of second factor | Yes, based on policy between IdP and SP | Always |
| User registration | Using the SURFsecureID selfservice registration and optional vetting process | |
| Standard SURFconext features | Attributes, Authorization, persistent identifiers | None |