Configuring Support for acr Claims and Values
The ActivID AS server supports acr claims in ID Token, as well as acr_values, as a parameter in the authentication request, so that users are presented with the correct screens at authentication (for example, password followed by an MFA option).
The acr claims/values correspond to a Level of Assurance (LoA) Level of Assurance (LoA) is the level of confidence in the claimed identity of a user during authentication See also ACR setting in the authentication policies as defined in the NIST's special publication 800-63-3 (that is, values of 1, 2 or 3 for Authentication Assurance Level (AAL)) and the more detailed 800-63B.
The OpenID Connect specification promotes the use of the former over the latter providing several samples with either the acr_values or claims parameter.
The default LoA value depends the authentication type. As a summary:
Authentication Policy Type | LoA Value |
---|---|
UP |
1 |
MD |
1 |
OTP |
1 |
PKI |
2 |
PUSH |
2 |
OOB |
1 |
You can update these values as required. For example, if you are using hardware devices or tiered-authentication, you can increase the LoA value:
- As the NIST's general guideline for multi-factor authentication (with independent factors) is level 2, most tiered-authentication policies would also be 2.
- In addition, FIPS 140-2 validated hardware device (on top of MFA) is level 3 so PKI would be set to 2, but if you are enforcing the use of PIV smart cards, it would increase to 3.
When adding a new authentication policy, this field is empty and you can enter a value corresponding to your organization’s requirements (such as urn:openbanking:psd2:ca and urn:openbanking:psd2:sca) as defined in the Open Banking implementation guide.
Topics in this section: