IETF logoThe Authentication Method Reference Values specification is now RFC 8176. The abstract describes the specification as:

The amr (Authentication Methods References) claim is defined and registered in the IANA “JSON Web Token Claims” registry, but no standard Authentication Method Reference values are currently defined. This specification establishes a registry for Authentication Method Reference values and defines an initial set of Authentication Method Reference values.

The specification defines and registers some Authentication Method Reference values such as the following, which are already in use by some Google and Microsoft products and OpenID specifications:

  • face” — Facial recognition
  • fpt” — Fingerprint
  • hwk” — Proof-of-possession of a hardware-secured key
  • otp” — One-time password
  • pin” — Personal Identification Number
  • pwd” — Password
  • swk” — Proof-of-possession of a software-secured key
  • sms” — Confirmation using SMS
  • user” — User presence test
  • wia” — Windows Integrated Authentication

See https://www.iana.org/assignments/authentication-method-reference-values/ for the full list of registered values.

Thanks to Caleb Baker, Phil Hunt, Tony Nadalin, and William Denniss, all of whom substantially contributed to the specification. Thanks also to the OAuth working group members, chairs, area directors, and other IETF members who helped refine the specification.