[Openid-specs-mobile-profile] About Level of Assurance

GONZALO FERNANDEZ RODRIGUEZ gonzalo.fernandezrodriguez at telefonica.com
Thu Oct 30 10:49:52 UTC 2014


Hi all,

I would like to share with the WG a concern that I have related with the
requested Level of Assurance in OIDC. There are certain particularities in
the Mobile Connect architecture that I don't know if could be resolved in
this WG, but at least it is good to be aware of them.

As defined in the Mobile Connect architecture, when an authentication
request is received and before to authenticate the user, an authenticator
selector will analyze the request and based on the context and some
configured policies it will select the properly authenticator, that is an
authentication method. There are some Service Providers that consider not
secured equivalent all of the authenticators associated to the same LoA
(e.g: Banks don't think USSD pin based is secure enough, however they
think SIM applet authenticator is, and both are LoA3).

My concern is about how to select the properly authenticator, as far as I
understand the protocol only allows you to select the LoA preferences
using the "acr_values" parameter but is not possible to specify an
specific authenticator, so it should be configured in the policies
database. But if we do that, there would have somehow to this
configuration will be the same for all the MNO providers.

Any idea? Does anyone think this is something to deal with in the Mobile
Profile WG or it is beyond the WG's scope?

BTW: I have never seen an OIDC request indicating acr_values, someone can
post one?

Thanks in advance,
Gonza.


________________________________

Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.

The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.

Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição


More information about the Openid-specs-mobile-profile mailing list