Microsoft

mbj@microsoft.com http://self-issued.info/

Oracle

phil.hunt@yahoo.com

Microsoft

tonynad@microsoft.com

Security Area OAuth Working Group Authentication Method Reference Authentication Method "amr" Claim The amr (Authentication Methods References) claim is defined and registered in the IANA "JSON Web Token Claims" registry but no standard Authentication Method Reference values are currently defined. This specification establishes a registry for Authentication Method Reference values and defines an initial set of Authentication Method Reference values.

The amr (Authentication Methods References) claim is defined and registered in the IANA "JSON Web Token Claims" registry but no standard Authentication Method Reference values are currently defined. This specification establishes a registry for Authentication Method Reference values and defines an initial set of Authentication Method Reference values. For context, the amr (Authentication Methods References) claim is defined by Section 2 of the OpenID Connect Core 1.0 specification as follows: OPTIONAL. Authentication Methods References. JSON array of strings that are identifiers for authentication methods used in the authentication. For instance, values might indicate that both password and OTP authentication methods were used. The definition of particular values to be used in the amr Claim is beyond the scope of this specification. Parties using this claim will need to agree upon the meanings of the values used, which may be context-specific. The amr value is an array of case sensitive strings. The amr values defined by this specification is not intended to be an exhaustive set covering all use cases. Additional values can and will be added to the registry by other specifications. Rather, the values defined herein are an intentionally small set that are already actually being used in practice. For context, while the claim values registered pertain to authentication, note that OAuth 2.0 is designed for resource authorization and cannot be used for authentication without employing appropriate extensions, such as those defined by OpenID Connect Core 1.0 . The existence of the amr claim and values for it should not be taken as encouragement to try to use OAuth 2.0 for authentication without employing extensions enabling secure authentication to be performed. When used with OpenID Connect, if the identity provider supplies an amr claim in the ID Token resulting from a successful authentication, the relying party can inspect the values returned and thereby learn details about how the authentication was performed. For instance, the relying party might learn that only a password was used or it might learn that iris recognition was used in combination with a hardware-secured key. Whether amr values are provided and which values are understood by what parties are both beyond the scope of this specification. The OpenID Connect MODRNA Authentication Profile 1.0 is one example of an application context that uses amr values defined by this specification.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 .

This specification uses the terms defined by JSON Web Token (JWT) and OpenID Connect Core 1.0 .

The following is a list of Authentication Method Reference values defined by this specification: Facial recognition Fingerprint biometric Use of geolocation information Proof-of-possession (PoP) of a hardware-secured key. See Appendix C of for a discussion on PoP. Iris scan biometric Knowledge-based authentication Multiple-channel authentication. The authentication involves communication over more than one distinct communication channel. For instance, a multiple-channel authentication might involve both entering information into a workstation's browser and providing information on a telephone call to a pre-registered number. Multiple-factor authentication . When this is present, specific authentication methods used may also be included. One-time password. One-time password specifications that this authentication method applies to include and . Personal Identification Number or pattern (not restricted to containing only numbers) that a user enters to unlock a key on the device. This mechanism should have a way to deter an attacker from obtaining the PIN by trying repeated guesses. Password-based authentication Risk-based authentication Retina scan biometric Smart card Confirmation using SMS message to the user at a registered number Proof-of-possession (PoP) of a software-secured key. See Appendix C of for a discussion on PoP. Confirmation by telephone call to the user at a registered number User presence test Voice biometric Windows integrated authentication, as described in

The acr (Authentication Context Class Reference) claim and acr_values request parameter are related to the amr (Authentication Methods References) claim, but with important differences. An Authentication Context Class specifies a set of business rules that authentications are being requested to satisfy. These rules can often be satisfied by using a number of different specific authentication methods, either singly or in combination. Interactions using acr_values request that the specified Authentication Context Classes be used and that the result should contain an acr claim saying which Authentication Context Class was satisfied. The acr claim in the reply states that the business rules for the class were satisfied -- not how they were satisfied. In contrast, interactions using the amr claim make statements about the particular authentication methods that were used. This tends to be more brittle than using acr, since the authentication methods that may be appropriate for a given authentication will vary over time, both because of the evolution of attacks on existing methods and the deployment of new authentication methods.

The list of amr claim values returned in an ID Token reveals information about the way that the end-user authenticated to the identity provider. In some cases, this information may have privacy implications. While this specification defines identifiers for particular kinds of credentials, it does not define how these credentials are stored or protected. For instance, ensuring the security and privacy of biometric credentials that are referenced by some of the defined Authentication Method Reference values is beyond the scope of this specification.

The security considerations in OpenID Connect Core 1.0 and OAuth 2.0 and the OAuth 2.0 Threat Model apply to applications using this specification. As described in , taking a dependence upon particular authentication methods may result in brittle systems, since the authentication methods that may be appropriate for a given authentication will vary over time.

This specification establishes the IANA "Authentication Method Reference Values" registry for amr claim array element values. The registry records the Authentication Method Reference value and a reference to the specification that defines it. This specification registers the Authentication Method Reference values defined in . Values are registered on an Expert Review basis after a three-week review period on the jwt-reg-review@ietf.org mailing list, on the advice of one or more Designated Experts. To increase potential interoperability, the experts are requested to encourage registrants to provide the location of a publicly-accessible specification defining the values being registered, so that their intended usage can be more easily understood. Registration requests sent to the mailing list for review should use an appropriate subject (e.g., "Request to register Authentication Method Reference value: otp"). Within the review period, the Designated Experts will either approve or deny the registration request, communicating this decision to the review list and IANA. Denials should include an explanation and, if applicable, suggestions as to how to make the request successful. Registration requests that are undetermined for a period longer than 21 days can be brought to the IESG's attention (using the iesg@ietf.org mailing list) for resolution. Criteria that should be applied by the Designated Experts includes determining whether the proposed registration duplicates existing functionality, whether it is likely to be of general applicability or whether it is useful only for a single application, whether the value is actually being used, and whether the registration description is clear. IANA must only accept registry updates from the Designated Experts and should direct all requests for registration to the review mailing list. It is suggested that the same Designated Experts evaluate these registration requests as those who evaluate registration requests for the IANA "JSON Web Token Claims" registry .

The name requested (e.g., "otp"). Because a core goal of this specification is for the resulting representations to be compact, it is RECOMMENDED that the name be short -- that is, not to exceed 8 characters without a compelling reason to do so. This name is case sensitive. Names may not match other registered names in a case-insensitive manner unless the Designated Experts state that there is a compelling reason to allow an exception. Brief description of the Authentication Method Reference (e.g., "One-time password"). For Standards Track RFCs, state "IESG". For others, give the name of the responsible party. Other details (e.g., postal address, email address, home page URI) may also be included. Reference to the document or documents that specify the parameter, preferably including URIs that can be used to retrieve copies of the documents. An indication of the relevant sections may also be included but is not required.

Authentication Method Reference Name: face Authentication Method Reference Description: Facial recognition Change Controller: IESG Specification Document(s): of [[ this specification ]] Authentication Method Reference Name: fpt Authentication Method Reference Description: Fingerprint biometric Change Controller: IESG Specification Document(s): of [[ this specification ]] Authentication Method Reference Name: geo Authentication Method Reference Description: Geolocation Change Controller: IESG Specification Document(s): of [[ this specification ]] Authentication Method Reference Name: hwk Authentication Method Reference Description: Proof-of-possession of a hardware-secured key Change Controller: IESG Specification Document(s): of [[ this specification ]] Authentication Method Reference Name: iris Authentication Method Reference Description: Iris scan biometric Change Controller: IESG Specification Document(s): of [[ this specification ]] Authentication Method Reference Name: kba Authentication Method Reference Description: Knowledge-based authentication Change Controller: IESG Specification Document(s): of [[ this specification ]] Authentication Method Reference Name: mca Authentication Method Reference Description: Multiple-channel authentication Change Controller: IESG Specification Document(s): of [[ this specification ]] Authentication Method Reference Name: mfa Authentication Method Reference Description: Multiple-factor authentication Change Controller: IESG Specification Document(s): of [[ this specification ]] Authentication Method Reference Name: otp Authentication Method Reference Description: One-time password Change Controller: IESG Specification Document(s): of [[ this specification ]] Authentication Method Reference Name: pin Authentication Method Reference Description: Personal Identification Number or pattern Change Controller: IESG Specification Document(s): of [[ this specification ]] Authentication Method Reference Name: pwd Authentication Method Reference Description: Password-based authentication Change Controller: IESG Specification Document(s): of [[ this specification ]] Authentication Method Reference Name: rba Authentication Method Reference Description: Risk-based authentication Change Controller: IESG Specification Document(s): of [[ this specification ]] Authentication Method Reference Name: retina Authentication Method Reference Description: Retina scan biometric Change Controller: IESG Specification Document(s): of [[ this specification ]] Authentication Method Reference Name: sc Authentication Method Reference Description: Smart card Change Controller: IESG Specification Document(s): of [[ this specification ]] Authentication Method Reference Name: sms Authentication Method Reference Description: Confirmation using SMS Change Controller: IESG Specification Document(s): of [[ this specification ]] Authentication Method Reference Name: swk Authentication Method Reference Description: Proof-of-possession of a software-secured key Change Controller: IESG Specification Document(s): of [[ this specification ]] Authentication Method Reference Name: tel Authentication Method Reference Description: Confirmation by telephone call Change Controller: IESG Specification Document(s): of [[ this specification ]] Authentication Method Reference Name: user Authentication Method Reference Description: User presence test Change Controller: IESG Specification Document(s): of [[ this specification ]] Authentication Method Reference Name: vbm Authentication Method Reference Description: Voice biometric Change Controller: IESG Specification Document(s): of [[ this specification ]] Authentication Method Reference Name: wia Authentication Method Reference Description: Windows integrated authentication Change Controller: IESG Specification Document(s): of [[ this specification ]]

Nomura Research Institute, Ltd. Ping Identity Microsoft Google Salesforce Microsoft

mbj@microsoft.com http://self-issued.info/

Ping Identity

ve7jtb@ve7jtb.com http://www.thread-safe.com/

Nomura Research Institute

n-sakimura@nri.co.jp http://nat.sakimura.org/

IANA National Institute of Standards and Technology (NIST) International Organization for Standardization Microsoft Deutsche Telekom AG Ping Identity

In some cases, the amr claim value returned may contain a single Authentication Method Reference value. For example, the following amr claim value indicates that the authentication performed used an iris scan biometric:

In other cases, the amr claim value returned may contain multiple Authentication Method Reference values. For example, the following amr claim value indicates that the authentication performed used a password and knowledge-based authentication:

Caleb Baker participated in specifying the original set of amr values. John Bradley, Brian Campbell, William Denniss, James Manger, Nat Sakimura, and Mike Schwartz provided reviews of the specification.

[[ to be removed by the RFC editor before publication as an RFC ]] -04 Added examples with single and multiple values. Clarified that the actual credentials referenced are not part of this specification to avoid additional privacy concerns for biometric data. Clarified that the OAuth 2.0 Threat Model applies to applications using this specification. -03 Addressed shepherd comments. -02 Addressed working group last call comments. -01 Distinguished between retina and iris biometrics. Expanded the introduction to provide additional context to readers. Referenced the OpenID Connect MODRNA Authentication Profile 1.0 specification, which uses amr values defined by this specification. -00 Created the initial working group draft from draft-jones-oauth-amr-values-05 with no normative changes.