Core - 2 - ID Token acr claim incorrectly specifies the level 0 of assurance

Issue #970 resolved
Former user created an issue

The specs[0.0] say that authentication using a long-lived browser cookie is one example where the use of "level 0" is appropriate. This is wrong because a long-lived browser cookie is actually level 1 based on ISO 29115. It also specifies that level 0 doesn't meet the ISO level 1[0], but you can't go lower than Level 1. For example, at LoA1, a MAC address may satisfy a device authentication requirement. There is little confidence that another device will not be able to claim the same MAC address. Therefore a long-lived cookie is the same as or even stronger than a MAC address, which can be claimed more easily. I don't see any good reason to invent a new level (level 0) with the same specs as level 1. The specifications also miss a reference/URL to the actual ISO 29115 specification, so I've included here a copy I've found[1].

[0.0] http://openid.net/specs/openid-connect-core-1_0.html#IDToken

[0] The value "0" indicates the End-User authentication did not meet the requirements of ISO/IEC 29115 level 1

[1] https://www.oasis-open.org/committees/download.php/44751/285-17Attach1.pdf
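The practical question behind this issue is what a Relying Party should do with the acr claim once the ID Token arrives. The following is an added example (not code from the OpenID Connect specification, the working group, or the issue's author) of an RP that verifies the token and then evaluates acr against its own policy: "0" is rejected as the spec's "did not meet ISO/IEC 29115 level 1" value, and every other value is matched as an opaque string, since acr values are identifiers with no defined numeric ordering. The issuer, client_id, client secret and the urn:example acr identifiers are constructed for the example; HS256 with the client secret is used only to keep the example dependency-free.

```python
"""Check the acr claim of an OpenID Connect ID Token on the RP side.

Added example for this issue thread; not code from the OpenID Connect
specification or the working group. Issuer, client_id, secret and acr
identifiers below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values; a real RP gets these from its registration with the OP.
CLIENT_SECRET = b"constructed-client-secret-do-not-reuse"
ISSUER = "https://op.example"
CLIENT_ID = "constructed-client-id"
# acr values this RP accepts, as it would send them in acr_values (a
# space-separated, preference-ordered list in the authentication request).
ACCEPTED_ACR = ["urn:example:acr:mfa", "urn:example:acr:password"]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 ID Token (JWS compact serialization) for the example."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Verify signature, iss, aud and exp, then return the claims.

    The signature is checked before any claim is trusted; otherwise a forged
    token could carry whatever acr value the attacker wants.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims


def acr_satisfies(claims: dict, accepted: list) -> bool:
    """Decide whether the asserted authentication context is acceptable.

    acr is a string. OIDC Core only defines "0": the End-User authentication
    did not meet ISO/IEC 29115 level 1. Every other value is an identifier the
    RP must recognise by exact match; no numeric or lexical ordering among acr
    values is defined, so they are never compared as numbers here.
    """
    acr = claims.get("acr")
    if not isinstance(acr, str):
        return False  # no acr asserted: treat the context as unknown
    if acr == "0":
        return False  # explicitly below ISO/IEC 29115 level 1
    return acr in accepted


def check_login(token: str, now: Optional[float] = None) -> bool:
    """End-to-end: verify the token, then evaluate its acr against policy."""
    try:
        claims = verify_id_token(token, CLIENT_SECRET, now)
    except ValueError:
        return False
    return acr_satisfies(claims, ACCEPTED_ACR)


def example_tokens(now: float) -> dict:
    """Constructed ID Tokens covering the cases discussed in the issue."""
    base = {"iss": ISSUER, "sub": "user-1", "aud": CLIENT_ID,
            "iat": int(now), "exp": int(now) + 300}
    return {
        "mfa": sign_id_token({**base, "acr": "urn:example:acr:mfa"}, CLIENT_SECRET),
        # the spec's long-lived-cookie case, asserted as "0"
        "cookie": sign_id_token({**base, "acr": "0"}, CLIENT_SECRET),
        "forged": sign_id_token({**base, "acr": "urn:example:acr:mfa"}, b"wrong-key"),
        "absent": sign_id_token(base, CLIENT_SECRET),
    }


if __name__ == "__main__":
    now = time.time()
    for name, tok in example_tokens(now).items():
        print(f"{name}: {'accepted' if check_login(tok, now) else 'rejected'}")
```

Whatever the working group settles on for the wording of "0", the RP-side rule stays the same: a token asserting "0" never satisfies an acr requirement, and an acr the RP does not recognise is treated as not meeting the requirement rather than ranked against the values it does know.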

Comments (6)

  1. Michael Jones

    The direct conflict comes from this sentence "Authentication using a long-lived browser cookie, for instance, is one example where the use of "level 0" is appropriate."

    John will propose alternate wording stating that for historic reasons, 0 is used to indicate that there is no confidence that the same person is actually there.
