draft-ietf-oauth-amr-values-08.txt   rfc8176.txt 
Internet Engineering Task Force (IETF)                          M. Jones
Request for Comments: 8176                                     Microsoft
Category: Standards Track                                        P. Hunt
ISSN: 2070-1721                                                   Oracle
                                                              A. Nadalin
                                                               Microsoft
                                                               June 2017

(Published version of Internet-Draft draft-ietf-oauth-amr-values-08, dated March 13, 2017)

Authentication Method Reference Values
Abstract

The "amr" (Authentication Methods References) claim is defined and registered in the IANA "JSON Web Token Claims" registry, but no standard Authentication Method Reference values are currently defined. This specification establishes a registry for Authentication Method Reference values and defines an initial set of Authentication Method Reference values.
Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc8176.
Copyright Notice

Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents

1. Introduction
   1.1. Requirements Notation and Conventions
   1.2. Terminology
2. Authentication Method Reference Values
3. Relationship to "acr" (Authentication Context Class Reference)
4. Privacy Considerations
5. Security Considerations
6. IANA Considerations
   6.1. Authentication Method Reference Values Registry
        6.1.1. Registration Template
        6.1.2. Initial Registry Contents
7. References
   7.1. Normative References
   7.2. Informative References
Appendix A. Examples
Acknowledgements
Authors' Addresses
1. Introduction

The "amr" (Authentication Methods References) claim is defined and registered in the IANA "JSON Web Token Claims" registry [IANA.JWT.Claims], but no standard Authentication Method Reference values are currently defined. This specification establishes a registry for Authentication Method Reference values and defines an initial set of Authentication Method Reference values.

For context, the "amr" (Authentication Methods References) claim is defined by Section 2 of the OpenID Connect Core 1.0 specification [OpenID.Core] as follows:

amr
   OPTIONAL. Authentication Methods References. JSON array of strings that are identifiers for authentication methods used in the authentication. For instance, values might indicate that both password and OTP authentication methods were used. The definition of particular values to be used in the "amr" Claim is beyond the scope of this specification. Parties using this claim will need to agree upon the meanings of the values used, which may be context-specific. The "amr" value is an array of case sensitive strings.

Typically, each "amr" value provides an identifier for a family of closely related authentication methods. For example, the "otp" identifier intentionally covers OTPs (One-Time Passwords) based on both time and HMAC (Hashed Message Authentication Code). Many relying parties will be content to know that an OTP has been used in addition to a password; the distinction between which kind of OTP was used is not useful to them. Thus, there's a single identifier that can be satisfied in two or more nearly equivalent ways.

Similarly, there's a whole range of nuances between different fingerprint-matching algorithms. They differ in false-positive and false-negative rates over different population samples and also differ based on the kind and model of fingerprint sensor used. Like the OTP case, many relying parties will be content to know that a fingerprint match was made, without delving into and differentiating based on every aspect of the implementation of fingerprint capture and match. The "fpt" identifier accomplishes this.

Ultimately, the relying party is depending upon the identity provider to do reasonable things. If it does not trust the identity provider to do so, it has no business using it. The "amr" value lets the identity provider signal to the relying party additional information about what it did, for the cases in which that information is useful to the relying party.

The "amr" values defined by this specification are not intended to be an exhaustive set covering all use cases. Additional values can and will be added to the registry by other specifications. Rather, the values defined herein are an intentionally small set and are already actually being used in practice.

The values defined by this specification only make distinctions that are known to be useful to relying parties. Slicing things more finely than would be used in practice would actually hurt interoperability, rather than helping it, because it would force relying parties to recognize that several or many different values actually mean the same thing to them.

For context, while the claim values registered pertain to authentication, note that OAuth 2.0 [RFC6749] is designed for resource authorization and cannot be used for authentication without employing appropriate extensions, such as those defined by OpenID Connect Core 1.0 [OpenID.Core]. The existence of the "amr" claim and values for it should not be taken as encouragement to try to use OAuth 2.0 for authentication without employing extensions that enable secure authentication to be performed.

When used with OpenID Connect, if the identity provider supplies an "amr" claim in the ID Token resulting from a successful authentication, the relying party can inspect the values returned and thereby learn details about how the authentication was performed. For instance, the relying party might learn that only a password was used or it might learn that iris recognition was used in combination with a hardware-secured key. Whether "amr" values are provided and which values are understood by what parties are both beyond the scope of this specification. The OpenID Connect MODRNA Authentication Profile 1.0 [OpenID.MODRNA] is one example of an application context that uses "amr" values defined by this specification.
1.1. Requirements Notation and Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

1.2. Terminology

This specification uses the terms defined by JSON Web Token (JWT) [RFC7519] and OpenID Connect Core 1.0 [OpenID.Core].
2. Authentication Method Reference Values

The following is a list of Authentication Method Reference values defined by this specification:

face
   Biometric authentication [RFC4949] using facial recognition.

fpt
   Biometric authentication [RFC4949] using a fingerprint.

geo
   Use of geolocation information for authentication, such as that provided by [W3C.REC-geolocation-API-20161108].

hwk
   Proof-of-Possession (PoP) of a hardware-secured key. See Appendix C of [RFC4211] for a discussion on PoP.

iris
   Biometric authentication [RFC4949] using an iris scan.

kba
   Knowledge-based authentication [NIST.800-63-2] [ISO29115].

mca
   Multiple-channel authentication [MCA]. The authentication involves communication over more than one distinct communication channel. For instance, a multiple-channel authentication might involve both entering information into a workstation's browser and providing information on a telephone call to a pre-registered number.

mfa
   Multiple-factor authentication [NIST.800-63-2] [ISO29115]. When this is present, specific authentication methods used may also be included.

otp
   One-time password [RFC4949]. One-time password specifications that this authentication method applies to include [RFC4226] and [RFC6238].

pin
   Personal Identification Number (PIN) [RFC4949] or pattern (not restricted to containing only numbers) that a user enters to unlock a key on the device. This mechanism should have a way to deter an attacker from obtaining the PIN by trying repeated guesses.

pwd
   Password-based authentication [RFC4949].

rba
   Risk-based authentication [JECM].

retina
   Biometric authentication [RFC4949] using a retina scan.

sc
   Smart card [RFC4949].

sms
   Confirmation using SMS [SMS] text message to the user at a registered number.

swk
   Proof-of-Possession (PoP) of a software-secured key. See Appendix C of [RFC4211] for a discussion on PoP.

tel
   Confirmation by telephone call to the user at a registered number. This authentication technique is sometimes also referred to as "call back" [RFC4949].

user
   User presence test. Evidence that the end user is present and interacting with the device. This is sometimes also referred to as "test of user presence" [W3C.WD-webauthn-20170216].

vbm
   Biometric authentication [RFC4949] using a voiceprint.

wia
   Windows integrated authentication [MSDN].
3. Relationship to "acr" (Authentication Context Class Reference)

The "acr" (Authentication Context Class Reference) claim and "acr_values" request parameter are related to the "amr" (Authentication Methods References) claim, but with important differences. An Authentication Context Class specifies a set of business rules that authentications are being requested to satisfy. These rules can often be satisfied by using a number of different specific authentication methods, either singly or in combination.

[...]

In contrast, interactions using the "amr" claim make statements about the particular authentication methods that were used. This tends to be more brittle than using "acr", since the authentication methods that may be appropriate for a given authentication will vary over time, both because of the evolution of attacks on existing methods and the deployment of new authentication methods.
4. Privacy Considerations

The list of "amr" claim values returned in an ID Token reveals information about the way that the end user authenticated to the identity provider. In some cases, this information may have privacy implications.

While this specification defines identifiers for particular kinds of credentials, it does not define how these credentials are stored or protected. For instance, ensuring the security and privacy of biometric credentials that are referenced by some of the defined Authentication Method Reference values is beyond the scope of this specification.
5. Security Considerations

The security considerations in OpenID Connect Core 1.0 [OpenID.Core], OAuth 2.0 [RFC6749], and the entire OAuth 2.0 Threat Model [RFC6819] apply to applications using this specification.

As described in Section 3, taking a dependence upon particular authentication methods may result in brittle systems since the authentication methods that may be appropriate for a given authentication will vary over time.
6. IANA Considerations

6.1. Authentication Method Reference Values Registry

This specification establishes the IANA "Authentication Method Reference Values" registry for "amr" claim array element values. The registry records the Authentication Method Reference value and a reference to the specification that defines it. This specification registers the Authentication Method Reference values defined in Section 2.

Values are registered on an Expert Review [RFC5226] basis after a three-week review period on the <jwt-reg-review@ietf.org> mailing list, on the advice of one or more Designated Experts. To increase potential interoperability, the Designated Experts are requested to encourage registrants to provide the location of a publicly accessible specification defining the values being registered, so that their intended usage can be more easily understood.

Registration requests sent to the mailing list for review should use an appropriate subject (e.g., "Request to register Authentication Method Reference value: otp").

Within the review period, the Designated Experts will either approve or deny the registration request, communicating this decision to the review list and IANA. Denials should include an explanation and, if applicable, suggestions as to how to make the request successful. Registration requests that are undetermined for a period longer than 21 days can be brought to the IESG's attention (using the <iesg@ietf.org> mailing list) for resolution.

IANA must only accept registry updates from the Designated Experts and should direct all requests for registration to the review mailing list.

It is suggested that the same Designated Experts evaluate these registration requests as those who evaluate registration requests for the IANA "JSON Web Token Claims" registry [IANA.JWT.Claims].

Criteria that should be applied by the Designated Experts include determining whether the proposed registration duplicates existing functionality; whether it is likely to be of general applicability or whether it is useful only for a single application; whether the value is actually being used; and whether the registration description is clear.
6.1.1. Registration Template

Authentication Method Reference Name:
   The name requested (e.g., "otp") for the authentication method or family of closely related authentication methods. Because a core goal of this specification is for the resulting representations to be compact, it is RECOMMENDED that the name be short -- that is, not to exceed 8 characters without a compelling reason to do so. To facilitate interoperability, the name must use only printable ASCII characters excluding double quote ('"') and backslash ('\') (the Unicode characters with code points U+0021, U+0023 through U+005B, and U+005D through U+007E). This name is case sensitive. Names may not match other registered names in a case-insensitive manner unless the Designated Experts state that there is a compelling reason to allow an exception.
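The name rules above are mechanical enough to check before a request reaches the review list. The following is an added example, not part of RFC 8176 or of IANA's tooling, that applies them: the permitted code point ranges (which are exactly the printable ASCII characters that need no escaping inside a JSON string), the advisory 8-character limit, and the case-insensitive collision rule against already-registered names. The set of registered names is a constructed snapshot of the values from Section 2; a real check would load the current IANA registry.

```python
# Constructed snapshot of the initial registry (the names from Section 2 of
# RFC 8176); a real check would fetch the current IANA registry instead.
REGISTERED_NAMES = {
    "face", "fpt", "geo", "hwk", "iris", "kba", "mca", "mfa", "otp", "pin",
    "pwd", "rba", "retina", "sc", "sms", "swk", "tel", "user", "vbm", "wia",
}

RECOMMENDED_MAX_LEN = 8  # RECOMMENDED, not an absolute limit


def allowed_char(ch: str) -> bool:
    """Printable ASCII excluding space, '"' and '\\': U+0021, U+0023..U+005B
    and U+005D..U+007E, the ranges given in the registration template."""
    cp = ord(ch)
    return cp == 0x21 or 0x23 <= cp <= 0x5B or 0x5D <= cp <= 0x7E


def check_registration_name(name: str, registered=REGISTERED_NAMES) -> list:
    """Return a list of problems with a proposed name (empty means it passes).
    Entries starting with 'warning:' are advisory; the rest are hard failures."""
    problems = []
    if not name:
        problems.append("name is empty")
    bad = sorted({ch for ch in name if not allowed_char(ch)})
    if bad:
        problems.append("disallowed characters: "
                        + ", ".join(f"U+{ord(c):04X}" for c in bad))
    if len(name) > RECOMMENDED_MAX_LEN:
        problems.append(f"warning: longer than {RECOMMENDED_MAX_LEN} characters")
    # Names are case sensitive, but registrations may not collide with an
    # existing name even case-insensitively (absent an expert-approved exception).
    if name in registered:
        problems.append("already registered")
    else:
        clash = sorted(r for r in registered if r.lower() == name.lower())
        if clash:
            problems.append("case-insensitive match with registered name(s): "
                            + ", ".join(clash))
    return problems


if __name__ == "__main__":
    for candidate in ("otp", "OTP", "pop", 'a"b', "a b", "longername", "s\\c"):
        print(repr(candidate), "->", check_registration_name(candidate) or "ok")
```

Note that the "already registered" and "case-insensitive match" results are deliberately distinct: the first is a duplicate request, while the second is the situation the template forbids by default, where a new name differs from an existing one only in case and would invite confusion between two case-sensitive values.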
[...]

Specification Document(s):
   Reference to the document or documents that specify the parameter, preferably including URIs that can be used to retrieve copies of the documents. An indication of the relevant sections may also be included but is not required.
6.1.2. Initial Registry Contents

o Authentication Method Reference Name: "face"
o Authentication Method Reference Description: Facial recognition
o Change Controller: IESG
o Specification Document(s): Section 2 of [RFC8176]

o Authentication Method Reference Name: "fpt"
o Authentication Method Reference Description: Fingerprint biometric
o Change Controller: IESG
o Specification Document(s): Section 2 of [RFC8176]

o Authentication Method Reference Name: "geo"
o Authentication Method Reference Description: Geolocation
o Change Controller: IESG
o Specification Document(s): Section 2 of [RFC8176]

o Authentication Method Reference Name: "hwk"
o Authentication Method Reference Description: Proof-of-possession of a hardware-secured key
o Change Controller: IESG
o Specification Document(s): Section 2 of [RFC8176]

o Authentication Method Reference Name: "iris"
o Authentication Method Reference Description: Iris scan biometric
o Change Controller: IESG
o Specification Document(s): Section 2 of [RFC8176]

o Authentication Method Reference Name: "kba"
o Authentication Method Reference Description: Knowledge-based authentication
o Change Controller: IESG
o Specification Document(s): Section 2 of [RFC8176]

o Authentication Method Reference Name: "mca"
o Authentication Method Reference Description: Multiple-channel authentication
o Change Controller: IESG
o Specification Document(s): Section 2 of [RFC8176]

o Authentication Method Reference Name: "mfa"
o Authentication Method Reference Description: Multiple-factor authentication
o Change Controller: IESG
o Specification Document(s): Section 2 of [RFC8176]
o Authentication Method Reference Name: "otp" o Authentication Method Reference Name: "otp"
o Authentication Method Reference Description: One-time password o Authentication Method Reference Description: One-time password
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 2 of [[ this specification ]] o Specification Document(s): Section 2 of [RFC8176]
o Authentication Method Reference Name: "pin" o Authentication Method Reference Name: "pin"
o Authentication Method Reference Description: Personal o Authentication Method Reference Description: Personal
Identification Number or pattern Identification Number or pattern
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 2 of [[ this specification ]] o Specification Document(s): Section 2 of [RFC8176]
o Authentication Method Reference Name: "pwd" o Authentication Method Reference Name: "pwd"
o Authentication Method Reference Description: Password-based o Authentication Method Reference Description: Password-based
authentication authentication
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 2 of [[ this specification ]] o Specification Document(s): Section 2 of [RFC8176]
o Authentication Method Reference Name: "rba" o Authentication Method Reference Name: "rba"
o Authentication Method Reference Description: Risk-based o Authentication Method Reference Description: Risk-based
authentication authentication
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 2 of [[ this specification ]] o Specification Document(s): Section 2 of [RFC8176]
o Authentication Method Reference Name: "retina" o Authentication Method Reference Name: "retina"
o Authentication Method Reference Description: Retina scan biometric o Authentication Method Reference Description: Retina scan biometric
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 2 of [[ this specification ]] o Specification Document(s): Section 2 of [RFC8176]
o Authentication Method Reference Name: "sc" o Authentication Method Reference Name: "sc"
o Authentication Method Reference Description: Smart card o Authentication Method Reference Description: Smart card
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 2 of [[ this specification ]] o Specification Document(s): Section 2 of [RFC8176]
o Authentication Method Reference Name: "sms" o Authentication Method Reference Name: "sms"
o Authentication Method Reference Description: Confirmation using o Authentication Method Reference Description: Confirmation using
SMS SMS
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 2 of [[ this specification ]] o Specification Document(s): Section 2 of [RFC8176]
o Authentication Method Reference Name: "swk" o Authentication Method Reference Name: "swk"
o Authentication Method Reference Description: Proof-of-possession o Authentication Method Reference Description: Proof-of-possession
of a software-secured key of a software-secured key
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 2 of [[ this specification ]] o Specification Document(s): Section 2 of [RFC8176]
o Authentication Method Reference Name: "tel" o Authentication Method Reference Name: "tel"
o Authentication Method Reference Description: Confirmation by o Authentication Method Reference Description: Confirmation by
telephone call telephone call
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 2 of [[ this specification ]] o Specification Document(s): Section 2 of [RFC8176]
o Authentication Method Reference Name: "user" o Authentication Method Reference Name: "user"
o Authentication Method Reference Description: User presence test o Authentication Method Reference Description: User presence test
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 2 of [[ this specification ]] o Specification Document(s): Section 2 of [RFC8176]
o Authentication Method Reference Name: "vbm" o Authentication Method Reference Name: "vbm"
o Authentication Method Reference Description: Voice biometric o Authentication Method Reference Description: Voice biometric
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 2 of [[ this specification ]] o Specification Document(s): Section 2 of [RFC8176]
o Authentication Method Reference Name: "wia" o Authentication Method Reference Name: "wia"
o Authentication Method Reference Description: Windows integrated o Authentication Method Reference Description: Windows integrated
authentication authentication
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 2 of [[ this specification ]] o Specification Document(s): Section 2 of [RFC8176]
7. References 7. References
7.1. Normative References 7.1. Normative References
[IANA.JWT.Claims] [IANA.JWT.Claims]
IANA, "JSON Web Token Claims", IANA, "JSON Web Token Claims",
<http://www.iana.org/assignments/jwt>. <http://www.iana.org/assignments/jwt>.
[JWT] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
(JWT)", RFC 7519, May 2015,
<http://www.rfc-editor.org/info/rfc7519>.
[OpenID.Core] [OpenID.Core]
Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and
C. Mortimore, "OpenID Connect Core 1.0", November 2014, C. Mortimore, "OpenID Connect Core 1.0", November 2014,
<http://openid.net/specs/openid-connect-core-1_0.html>. <http://openid.net/specs/openid-connect-core-1_0.html>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226, IANA Considerations Section in RFCs", BCP 26, RFC 5226,
DOI 10.17487/RFC5226, May 2008, DOI 10.17487/RFC5226, May 2008,
<http://www.rfc-editor.org/info/rfc5226>. <http://www.rfc-editor.org/info/rfc5226>.
[RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
RFC 6749, DOI 10.17487/RFC6749, October 2012, RFC 6749, DOI 10.17487/RFC6749, October 2012,
<http://www.rfc-editor.org/info/rfc6749>. <http://www.rfc-editor.org/info/rfc6749>.
[RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
(JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
<http://www.rfc-editor.org/info/rfc7519>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <http://www.rfc-editor.org/info/rfc8174>.
7.2. Informative References 7.2. Informative References
[ISO29115] [ISO29115] International Organization for Standardization,
International Organization for Standardization, "ISO/IEC "ISO/IEC 29115:2013 Information technology - Security
29115:2013 -- Information technology - Security techniques techniques - Entity authentication assurance framework",
- Entity authentication assurance framework", ISO/ ISO/IEC 29115:2013, April 2013,
IEC 29115:2013, April 2013, <https://www.iso.org/standard/45138.html>.
<http://www.iso.org/iso/iso_catalogue/catalogue_tc/
catalogue_detail.htm?csnumber=45138>.
[JECM] Williamson, G., "Enhanced Authentication In Online [JECM] Williamson, G., "Enhanced Authentication In Online
Banking", Journal of Economic Crime Management 4.2: 18-19, Banking", Journal of Economic Crime Management 4.2: 18-19,
2006, 2006,
<http://utica.edu/academic/institutes/ecii/publications/ <http://utica.edu/academic/institutes/ecii/publications/
articles/51D6D996-90F2-F468-AC09C4E8071575AE.pdf>. articles/51D6D996-90F2-F468-AC09C4E8071575AE.pdf>.
[MCA] ldapwiki.com, "Multiple-channel Authentication", August [MCA] ldapwiki.com, "Multiple-channel Authentication", August
2016, <https://www.ldapwiki.com/wiki/Multiple- 2016, <https://www.ldapwiki.com/wiki/
channel%20Authentication>. Multiple-channel%20Authentication>.
[MSDN] Microsoft, "Integrated Windows Authentication with [MSDN] Microsoft, "Integrated Windows Authentication with
Negotiate", September 2011, Negotiate", September 2011,
<http://blogs.msdn.com/b/benjaminperkins/ <http://blogs.msdn.com/b/benjaminperkins/
archive/2011/09/14/iis-integrated-windows-authentication- archive/2011/09/14/iis-integrated-windows-authentication-
with-negotiate.aspx>. with-negotiate.aspx>.
[NIST.800-63-2] [NIST.800-63-2]
National Institute of Standards and Technology (NIST), National Institute of Standards and Technology (NIST),
"Electronic Authentication Guideline", NIST Special "Electronic Authentication Guideline", NIST Special
Publication 800-63-2, August 2013, Publication 800-63-2, DOI 10.6028/NIST.SP.800-63-2, August
<http://nvlpubs.nist.gov/nistpubs/SpecialPublications/ 2013, <http://nvlpubs.nist.gov/
NIST.SP.800-63-2.pdf>. nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf>.
[OpenID.MODRNA] [OpenID.MODRNA]
Connotte, J. and J. Bradley, "OpenID Connect MODRNA Connotte, J. and J. Bradley, "OpenID Connect MODRNA
Authentication Profile 1.0", March 2017, Authentication Profile 1.0", March 2017,
<http://openid.net/specs/ <http://openid.net/specs/
openid-connect-modrna-authentication-1_0.html>. openid-connect-modrna-authentication-1_0.html>.
[RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure [RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure
Certificate Request Message Format (CRMF)", RFC 4211, Certificate Request Message Format (CRMF)", RFC 4211,
DOI 10.17487/RFC4211, September 2005, DOI 10.17487/RFC4211, September 2005,
[RFC6238] M'Raihi, D., Machani, S., Pei, M., and J. Rydell, "TOTP: [RFC6238] M'Raihi, D., Machani, S., Pei, M., and J. Rydell, "TOTP:
Time-Based One-Time Password Algorithm", RFC 6238, Time-Based One-Time Password Algorithm", RFC 6238,
DOI 10.17487/RFC6238, May 2011, DOI 10.17487/RFC6238, May 2011,
<http://www.rfc-editor.org/info/rfc6238>. <http://www.rfc-editor.org/info/rfc6238>.
[RFC6819] Lodderstedt, T., Ed., McGloin, M., and P. Hunt, "OAuth 2.0 [RFC6819] Lodderstedt, T., Ed., McGloin, M., and P. Hunt, "OAuth 2.0
Threat Model and Security Considerations", RFC 6819, Threat Model and Security Considerations", RFC 6819,
DOI 10.17487/RFC6819, January 2013, DOI 10.17487/RFC6819, January 2013,
<http://www.rfc-editor.org/info/rfc6819>. <http://www.rfc-editor.org/info/rfc6819>.
[SMS] 3rd Generation Partnership Project, "Technical realization [SMS] 3GPP, "Technical realization of the Short Message Service
of the Short Message Service (SMS)", 3GPP Technical (SMS)", 3GPP Technical Specification (TS) 03.40
Specification (TS) 03.40 V7.5.0 (2001-12), January 2002, Version 7.5.0 (2001-12), January 2002,
<https://portal.3gpp.org/desktopmodules/Specifications/ <https://portal.3gpp.org/desktopmodules/Specifications/
SpecificationDetails.aspx?specificationId=141>. SpecificationDetails.aspx?specificationId=141>.
[W3C.REC-geolocation-API-20161108] [W3C.REC-geolocation-API-20161108]
Popescu, A., "Geolocation API Specification 2nd Edition", Popescu, A., "Geolocation API Specification 2nd Edition",
World Wide Web Consortium Recommendation REC-geolocation- World Wide Web Consortium Recommendation REC-geolocation-
API-20161108, November 2016, <https://www.w3.org/TR/2016/ API-20161108, November 2016, <https://www.w3.org/TR/2016/
REC-geolocation-API-20161108>. REC-geolocation-API-20161108>.
[W3C.WD-webauthn-20170216] [W3C.WD-webauthn-20170216]
Bharadwaj, V., Le Van Gong, H., Balfanz, D., Czeskis, A., Bharadwaj, V., Le Van Gong, H., Balfanz, D., Czeskis, A.,
Birgisson, A., Hodges, J., Jones, M., Lindemann, R., and Birgisson, A., Hodges, J., Jones, M., Lindemann, R., and
J. Jones, "Web Authentication: An API for accessing Scoped J. Jones, "Web Authentication: An API for accessing Scoped
Credentials", World Wide Web Consortium Working Draft WD- Credentials", World Wide Web Consortium Working Draft
webauthn-20170216, February 2017, WD-webauthn-20170216, February 2017,
<http://www.w3.org/TR/2017/WD-webauthn-20170216/>. <http://www.w3.org/TR/2017/WD-webauthn-20170216/>.
Appendix A. Examples Appendix A. Examples
In some cases, the "amr" claim value returned may contain a single In some cases, the "amr" claim value returned may contain a single
Authentication Method Reference value. For example, the following Authentication Method Reference value. For example, the following
"amr" claim value indicates that the authentication performed used an "amr" claim value indicates that the authentication performed used an
iris scan biometric: iris scan biometric:
"amr": ["iris"] "amr": ["iris"]
In other cases, the "amr" claim value returned may contain multiple In other cases, the "amr" claim value returned may contain multiple
Authentication Method Reference values. For example, the following Authentication Method Reference values. For example, the following
"amr" claim value indicates that the authentication performed used a "amr" claim value indicates that the authentication performed used a
password and knowledge-based authentication: password and knowledge-based authentication:
"amr": ["pwd", "kba"] "amr": ["pwd", "kba"]
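Worked example, added here and not part of RFC 8176 or the draft: a relying party that reads the "amr" claim from a verified ID token payload, checks each value against the initial registry contents from Section 6.1.2 above, and applies a step-up policy on top. The registry names and descriptions are the page's; the grouping of values into knowledge/possession/inherence categories, the policy itself, and the sample token payload are this example's own assumptions and are marked as such in the code. The JWT signature and the iss/aud/exp claims must already have been verified before anything in "amr" is trusted; the claim is only an assertion by the issuer.

```python
"""Checking an ID token's "amr" claim against the RFC 8176 registry.

Added example, not code from RFC 8176. Registry names and descriptions
follow Section 6.1.2; the factor categories and the step-up policy are
this example's own assumptions.
"""
import json
from typing import Dict, List

# Initial registry contents, Section 6.1.2 of RFC 8176.
AMR_REGISTRY: Dict[str, str] = {
    "face": "Facial recognition",
    "fpt": "Fingerprint biometric",
    "geo": "Geolocation",
    "hwk": "Proof-of-possession of a hardware-secured key",
    "iris": "Iris scan biometric",
    "kba": "Knowledge-based authentication",
    "mca": "Multiple-channel authentication",
    "mfa": "Multiple-factor authentication",
    "otp": "One-time password",
    "pin": "Personal Identification Number or pattern",
    "pwd": "Password-based authentication",
    "rba": "Risk-based authentication",
    "retina": "Retina scan biometric",
    "sc": "Smart card",
    "sms": "Confirmation using SMS",
    "swk": "Proof-of-possession of a software-secured key",
    "tel": "Confirmation by telephone call",
    "user": "User presence test",
    "vbm": "Voice biometric",
    "wia": "Windows integrated authentication",
}

# ASSUMPTION: grouping of registered values into factor categories for the
# policy below. RFC 8176 defines no such mapping; adapt it to your own risk
# model. Values left out (geo, rba, user, mca, mfa, wia) do not count as a
# factor on their own.
FACTOR_CATEGORY: Dict[str, str] = {
    "pwd": "knowledge", "pin": "knowledge", "kba": "knowledge",
    "hwk": "possession", "swk": "possession", "sc": "possession",
    "otp": "possession", "sms": "possession", "tel": "possession",
    "face": "inherence", "fpt": "inherence", "iris": "inherence",
    "retina": "inherence", "vbm": "inherence",
}

# Constructed sample ID token payload (claims only). In real use the JWT
# signature and iss/aud/exp must be verified before "amr" is consulted.
SAMPLE_CLAIMS = json.loads('''{
  "iss": "https://issuer.example",
  "sub": "248289761001",
  "aud": "client-id-123",
  "exp": 1311281970,
  "iat": 1311280970,
  "amr": ["pwd", "otp"]
}''')


def parse_amr(claims: dict) -> List[str]:
    """Return the "amr" values as a list of strings.

    "amr" is a JSON array of case-sensitive strings (OpenID Connect Core).
    A missing claim yields an empty list; any other shape is rejected.
    """
    amr = claims.get("amr")
    if amr is None:
        return []
    if not isinstance(amr, list) or not all(isinstance(v, str) for v in amr):
        raise ValueError('"amr" must be a JSON array of strings')
    return list(amr)


def unregistered(amr: List[str]) -> List[str]:
    """Values absent from the initial registry (case-sensitive match)."""
    return [v for v in amr if v not in AMR_REGISTRY]


def satisfies_mfa(amr: List[str]) -> bool:
    """ASSUMED policy: accept an explicit "mfa" assertion, or at least two
    values from distinct factor categories. Unregistered values never count."""
    if "mfa" in amr:
        return True
    categories = {FACTOR_CATEGORY[v] for v in amr if v in FACTOR_CATEGORY}
    return len(categories) >= 2


def describe(amr: List[str]) -> List[str]:
    """Human-readable description of each value, e.g. for audit logs."""
    return [f"{v}: {AMR_REGISTRY.get(v, 'UNREGISTERED')}" for v in amr]


if __name__ == "__main__":
    values = parse_amr(SAMPLE_CLAIMS)
    print(describe(values))
    print("unregistered:", unregistered(values))
    print("MFA policy satisfied:", satisfies_mfa(values))
```

Under the assumed categorisation, the page's second example, ["pwd", "kba"], carries two values but only one factor category, so it does not satisfy the policy; ["pwd", "otp"] or a bare ["mfa"] does. Whether "mfa" alone should be accepted at face value is a trust decision about the issuer, not something the registry settles.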
Appendix B. Acknowledgements Acknowledgements
Caleb Baker participated in specifying the original set of "amr" Caleb Baker participated in specifying the original set of "amr"
values. Jari Arkko, John Bradley, Ben Campbell, Brian Campbell, values. Jari Arkko, John Bradley, Ben Campbell, Brian Campbell,
William Denniss, Linda Dunbar, Stephen Farrell, Paul Kyzivat, Elaine William Denniss, Linda Dunbar, Stephen Farrell, Paul Kyzivat, Elaine
Newton, James Manger, Catherine Meadows, Alexey Melnikov, Kathleen Newton, James Manger, Catherine Meadows, Alexey Melnikov, Kathleen
Moriarty, Nat Sakimura, and Mike Schwartz provided reviews of the Moriarty, Nat Sakimura, and Mike Schwartz provided reviews of the
specification. specification.
Appendix C. Document History
[[ to be removed by the RFC editor before publication as an RFC ]]
-08
o Added text in the IANA Registration Template saying that names can
be for families of closely-related authentication methods, as
suggested by Stephen Farrell.
-07
o Clarified that the values are intended to provide identifiers for
families of closely-related authentication methods.
o Updated the MODRNA Authentication Profile reference.
-06
o Addressed IESG comments. Identifiers are now restricted to using
only printable JSON-friendly ASCII characters. Additional
references to documentation relevant to specific AMR values were
added.
-05
o Specified characters allowed in "amr" values, reusing the IANA
Considerations language on this topic from RFC 7638.
-04
o Added examples with single and multiple values.
o Clarified that the actual credentials referenced are not part of
this specification to avoid additional privacy concerns for
biometric data.
o Clarified that the OAuth 2.0 Threat Model [RFC6819] applies to
applications using this specification.
-03
o Addressed shepherd comments.
-02
o Addressed working group last call comments.
-01
o Distinguished between retina and iris biometrics.
o Expanded the introduction to provide additional context to
readers.
o Referenced the OpenID Connect MODRNA Authentication Profile 1.0
specification, which uses "amr" values defined by this
specification.
-00
o Created the initial working group draft from draft-jones-oauth-
amr-values-05 with no normative changes.
Authors' Addresses Authors' Addresses
Michael B. Jones Michael B. Jones
Microsoft Microsoft
Email: mbj@microsoft.com Email: mbj@microsoft.com
URI: http://self-issued.info/ URI: http://self-issued.info/
Phil Hunt Phil Hunt
Oracle Oracle
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/