[Openid-specs-mobile-profile] ACR values

Torsten Lodderstedt torsten at lodderstedt.net
Sun Nov 22 19:42:01 UTC 2015


Hi all,

based on the discussions in the last WG call, I think we are running 
circles again when it comes to ACR values.

What I got:
- usage of LOA values from ISO 29115 seems to confuse people (because 
they seem to be not as specfic as we thought and cover identification as 
well)
- new EU regulations use other terms and the number of authentication 
levels differ

What do you think about the following proposal:

In the end, we want to give the RP a way to request authentication 
levels, which are specific to Mobile Connect/MODRNA. Why don't we define 
ACR value names, which exactly correspond to what we intend to use? From 
my perspective, Mobile Connect requires the following levels:
- urn:openid:modrna:acr:credential:PasswordLess (meaning: posession or 
inherence is ok)
- urn:openid:modrna:acr:credential:TwoFactor (any two factors, 
software-based solutions are ok)
- urn:openid:modrna:acr:credential:TwoFactorTamperResistant (any two 
factors, hardware token required)

Those values are intentionally MODRNA specific and could be mapped (if 
needed) to any other model.

What do you think?

best regards,
Torsten.


More information about the Openid-specs-mobile-profile mailing list