The OpenID Connect Extended Authentication Profile (EAP) ACR Values 1.0 specification has started its 60-day review to become an OpenID Final Specification. Recent steps leading up to this were:

The specification is glue that ties together OpenID Connect, W3C Web Authentication, and FIDO Authenticators, enabling them to be seamlessly used together.

The two ACR values defined by the specification are:

  • phr:
    Phishing-Resistant. An authentication mechanism where a party potentially under the control of the Relying Party cannot gain sufficient information to be able to successfully authenticate to the End User’s OpenID Provider as if that party were the End User. (Note that the potentially malicious Relying Party controls where the User-Agent is redirected to and thus may not send it to the End User’s actual OpenID Provider). NOTE: These semantics are the same as those specified in [OpenID.PAPE].
  • phrh:
    Phishing-Resistant Hardware-Protected. An authentication mechanism meeting the requirements for phishing-resistant authentication above in which additionally information needed to be able to successfully authenticate to the End User’s OpenID Provider as if that party were the End User is held in a hardware-protected device or component.
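To show how a Relying Party would request and then verify these two values, here is an added example (my own illustration, not code from the specification or from any OpenID implementation). It assumes the RP uses the OpenID Connect `claims` request parameter to ask for `acr` as an Essential Claim, and it treats `phrh` as satisfying a request for `phr`, since the profile defines `phrh` as meeting every `phr` requirement plus hardware protection. The function names are my own.

```python
import json

# The two ACR values defined by the EAP ACR Values profile, ranked weakest to strongest.
# "phrh" meets all the requirements of "phr" and adds hardware protection, so it also
# satisfies a request whose minimum is "phr".
EAP_ACR_RANK = {"phr": 1, "phrh": 2}


def build_claims_request(minimum: str) -> dict:
    """Build the OIDC `claims` request parameter that asks the OpenID Provider for the
    acr claim as an Essential Claim, listing every EAP value at least as strong as
    `minimum`. An OP that honours the claims parameter must then return one of these
    values (or fail the request), instead of silently downgrading."""
    if minimum not in EAP_ACR_RANK:
        raise ValueError(f"unknown EAP ACR value requested: {minimum!r}")
    acceptable = [v for v, rank in EAP_ACR_RANK.items() if rank >= EAP_ACR_RANK[minimum]]
    return {"id_token": {"acr": {"essential": True, "values": acceptable}}}


def acr_satisfies(id_token_claims: dict, minimum: str) -> bool:
    """Return True only if the ID Token's acr claim is an EAP value at least as strong
    as `minimum`. A missing acr claim, a non-string value, a differently-cased string
    (ACR values are case-sensitive), or any value outside the profile is rejected, so the
    RP never accepts a weaker authentication than it asked for."""
    if minimum not in EAP_ACR_RANK:
        raise ValueError(f"unknown EAP ACR value requested: {minimum!r}")
    acr = id_token_claims.get("acr")
    if not isinstance(acr, str):
        return False
    rank = EAP_ACR_RANK.get(acr)
    return rank is not None and rank >= EAP_ACR_RANK[minimum]


if __name__ == "__main__":
    # Constructed sample ID Token claims set (already signature-verified upstream); not a real token.
    claims = {"iss": "https://op.example", "sub": "alice", "acr": "phrh"}
    print(json.dumps(build_claims_request("phr")))
    print(acr_satisfies(claims, "phr"))   # True
    print(acr_satisfies({"acr": "phr"}, "phrh"))  # False: software-only key, hardware required
```

The check belongs after the ID Token's signature, issuer, audience, nonce and expiry have been validated; it only answers whether the authentication strength the OP asserts meets the RP's policy.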

The Phishing-Resistant definition dates back to 2008!

For the record, the two XSD files that I wrote to get us here are: