Standard authentication method references
Identity tokens issued by OpenID Connect providers may include a claim (assertion) to inform clients of the particular method(s) used to authenticate the end user. This claim, named amr (Authentication Method Reference), is included alongside the other standard claims in the ID token.
Example ID token, including an amr claim:
{
  "iss"   : "https://openid.wonderland.net",
  "sub"   : "alice",
  "aud"   : "s6BhdRkqt3",
  "nonce" : "n-0S6_WzA2Mj",
  "exp"   : 1311281970,
  "iat"   : 1311280970,
  "acr"   : "urn:com.c2id:acr:hisec",
  "amr"   : [ "pwd" ]
}
The core OpenID Connect spec leaves it up to implementors to designate particular keywords for the authentication methods. This, however, is bad for interoperability, and the OAuth working group recently published a new draft proposing a set of standard amr values for the most commonly used authentication methods. Connect2id server integrators are encouraged to use these values when the amr claim is required, but should bear in mind that the spec is still in draft state and may change until it is declared final by the IETF.
- pwd: Password authentication, either by the user or by the service if a client secret is used.
- pop: Proof of possession of a key.
- otp: One-time password.
- vbm: Voice biometric.
- tel: Confirmation by telephone call.
- sms: Confirmation by SMS reply.
- mfa: Multiple-factor authentication. When this is present, the other authentication methods used will also be included.
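The following is an added example of how a relying party might consume the amr claim once the ID token has been received; it is not code from the Connect2id server or from the draft. It assumes the token's signature, issuer, audience, expiry and nonce have already been verified by the client's JWT library, so only the decoded claims set is handled here, and the sample claims set is constructed for illustration. The known-value set is exactly the list of draft values given above; anything outside it is reported rather than rejected, since the spec permits provider-specific values.

```python
"""Interpreting the amr (Authentication Method Reference) claim of an ID token."""
import json
from typing import Iterable

# The amr values proposed in the draft discussed above.
KNOWN_AMR_VALUES = {"pwd", "pop", "otp", "vbm", "tel", "sms", "mfa"}

# Constructed sample claims set (not a real token). The JWT signature, iss, aud,
# exp and nonce are assumed to have been verified before these claims are read.
SAMPLE_CLAIMS_JSON = """{
  "iss"   : "https://openid.wonderland.net",
  "sub"   : "alice",
  "aud"   : "s6BhdRkqt3",
  "nonce" : "n-0S6_WzA2Mj",
  "exp"   : 1311281970,
  "iat"   : 1311280970,
  "acr"   : "urn:com.c2id:acr:hisec",
  "amr"   : [ "mfa", "pwd", "otp" ]
}"""


def parse_amr(claims: dict) -> list[str]:
    """Return the amr claim as a list of strings, or [] when it is absent.

    A malformed claim (not a JSON array, or containing non-string members)
    raises ValueError: a relying party should not make an access decision on a
    claim it cannot interpret.
    """
    amr = claims.get("amr")
    if amr is None:
        return []
    if not isinstance(amr, list) or not all(isinstance(m, str) for m in amr):
        raise ValueError("amr must be a JSON array of strings")
    return amr


def unknown_amr_values(amr: Iterable[str]) -> set[str]:
    """Values not in the draft's list, e.g. provider-specific keywords.

    These are worth logging so that policy can be extended deliberately,
    but they are not by themselves a reason to reject the token.
    """
    return set(amr) - KNOWN_AMR_VALUES


def satisfies_mfa_policy(amr: Iterable[str]) -> bool:
    """True when the token evidences at least two distinct authentication methods.

    The draft says that when "mfa" is present the individual methods used are
    listed as well, so the marker alone is not accepted as evidence: a bare
    ["mfa"] fails, while ["mfa", "pwd", "otp"] and ["pwd", "otp"] pass.
    """
    methods = set(amr) - {"mfa"}
    return len(methods) >= 2


def check_id_token_claims(claims_json: str) -> dict:
    """Summarise the amr claim of an already verified ID token claims set."""
    claims = json.loads(claims_json)
    amr = parse_amr(claims)
    return {
        "amr": amr,
        "mfa_satisfied": satisfies_mfa_policy(amr),
        "unknown": sorted(unknown_amr_values(amr)),
    }


if __name__ == "__main__":
    print(check_id_token_claims(SAMPLE_CLAIMS_JSON))
```

In practice `satisfies_mfa_policy` would be called only on a code path that requires a stronger authentication, and a `False` result should lead to a new authentication request (for example with a suitable acr_values parameter) rather than silently downgraded access.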