[Openid-specs-mobile-profile] ACR values

John Bradley ve7jtb at ve7jtb.com
Sun Nov 22 20:01:56 UTC 2015

That is close to what I am thinking.

The question is are there other base line security requirements around being able to assert TwoFactorTamperResistant.   

If the account can be reset with a email link that can register a new HW token is that still the same level.

I think that we would at-least need to say that the account recovery/administration is also protected with at-least this level.

That is the tricky part, because the best token won’t help if the account recovery process is weak.

That was one of the original reason for identity proofing subjects in NIST SP800-63 with increasing strength at each level.  
Without knowing who the person is, it is hard to prevent account takeover.

I know we don’t want to say anything about proofed attributes,  but there needs to be some correlation to the confidence that the same person,
even if pseudonymous is in control of the account.

Perhaps it is best to stick with this plus a pointer to another doc (Perhaps GSMA) that lays out the baseline business practices that need to be followed..

We probably need some examples of those levels.

For possession that would be a Fido U2F key or software client with press to confirm only.
The term two factor is going to be confusing to people because we are mostly talking about a key in hardware or software that needs to be in the users possession (on the phone) and some sort of knowledge (pin) or biometric unlock.   

That counts as two factor but looks like one authentication to people.

John B.
> On Nov 22, 2015, at 4:42 PM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
> Hi all,
> based on the discussions in the last WG call, I think we are running circles again when it comes to ACR values.
> What I got:
> - usage of LOA values from ISO 29115 seems to confuse people (because they seem to be not as specfic as we thought and cover identification as well)
> - new EU regulations use other terms and the number of authentication levels differ
> What do you think about the following proposal:
> In the end, we want to give the RP a way to request authentication levels, which are specific to Mobile Connect/MODRNA. Why don't we define ACR value names, which exactly correspond to what we intend to use? From my perspective, Mobile Connect requires the following levels:
> - urn:openid:modrna:acr:credential:PasswordLess (meaning: posession or inherence is ok)
> - urn:openid:modrna:acr:credential:TwoFactor (any two factors, software-based solutions are ok)
> - urn:openid:modrna:acr:credential:TwoFactorTamperResistant (any two factors, hardware token required)
> Those values are intentionally MODRNA specific and could be mapped (if needed) to any other model.
> What do you think?
> best regards,
> Torsten.
> _______________________________________________
> Openid-specs-mobile-profile mailing list
> Openid-specs-mobile-profile at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile

More information about the Openid-specs-mobile-profile mailing list