OpenID Assertion Quality Extension - Draft
George Fletcher
gffletch at aol.com
Thu Nov 30 18:16:30 UTC 2006
+1 simple and straightforward

Just curious about use cases where the required authentication level
changes over time. For instance, a use case where to view my stock
portfolio just requires "password", but doing a trade requires
"voicebio". Is the expectation that authentication events can be
treated as "standalone"? or that it's the RP's responsibility to manage
the combinations based on the identifier?

One final question... Is it valuable to provide a way to request two or
more authentication methods be employed in the authentication event?
For example, administrators of a site must use both "password" and
"hardotp". Everyone else just needs "password".

Thanks,
George