[Openid-specs-mobile-profile] ACR values

Mike Jones Michael.Jones at microsoft.com
Sun Nov 22 19:50:01 UTC 2015

I'd suggest these names instead:
- urn:openid:acr:credential:password_less (meaning: possession or inherence is ok)
- urn:openid:acr:credential:2factor (any two factors, software-based solutions are ok)
- urn:openid:acr:credential:2factor_tamper_resistant (any two factors, hardware token required)

I think that the names should not be MODRNA-specific.  And URNs are normally spelled with all lowercase characters.  Like OpenID Connect claim names, when there are multiple words in a name, separate them with underscores.

Also, is there a reason to have the "credential:" part in the URNs?  I'd suggest dropping that part as well, for brevity.  The size of the ID Token still matters (especially in mobile!).

				-- Mike

-----Original Message-----
From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On Behalf Of Torsten Lodderstedt
Sent: Sunday, November 22, 2015 11:42 AM
To: openid-specs-mobile-profile at lists.openid.net
Subject: [Openid-specs-mobile-profile] ACR values

Hi all,

based on the discussions in the last WG call, I think we are running circles again when it comes to ACR values.

What I got:
- usage of LOA values from ISO 29115 seems to confuse people (because they seem to be not as specfic as we thought and cover identification as
- new EU regulations use other terms and the number of authentication levels differ

What do you think about the following proposal:

In the end, we want to give the RP a way to request authentication levels, which are specific to Mobile Connect/MODRNA. Why don't we define ACR value names, which exactly correspond to what we intend to use? From my perspective, Mobile Connect requires the following levels:
- urn:openid:modrna:acr:credential:PasswordLess (meaning: posession or inherence is ok)
- urn:openid:modrna:acr:credential:TwoFactor (any two factors, software-based solutions are ok)
- urn:openid:modrna:acr:credential:TwoFactorTamperResistant (any two factors, hardware token required)

Those values are intentionally MODRNA specific and could be mapped (if
needed) to any other model.

What do you think?

best regards,
Openid-specs-mobile-profile mailing list Openid-specs-mobile-profile at lists.openid.net

More information about the Openid-specs-mobile-profile mailing list