ACR and AMR

Overview

This document explains the concepts of ACR (Authentication Context Class Reference) and AMR (Authentication Methods References) in the context of OpenID Connect (OIDC), and how they are used to strengthen authentication mechanisms using first and second factors.

ACR and AMR: Key Concepts in Authentication

When building secure login flows, it's not enough to know that a user logged in; you also need to understand how strongly they were authenticated. That's where ACR and AMR come into play.

These two values are essential components of OpenID Connect (OIDC)-based authentication. They help systems evaluate and enforce multi-factor authentication (MFA) policies by indicating both the level and the method of authentication used. Let's explore them in detail.

ACR – Authentication Context Class Reference

ACR indicates how strong the user's authentication was. Think of it as a security level indicator. It lets the Identity Provider (IDP) signal whether the user logged in with just a password or used additional steps such as device verification or an OTP.

In OpenID Connect (OIDC) requests, ACR is an optional parameter. It allows a service provider to pass extra information to the identity provider so that the identity provider can impose additional assurance in the user authentication flow; in other words, it specifies the business rules that must be followed during authentication. In some contexts ACR is also referred to as the Level of Assurance (LoA).

AMR – Authentication Methods References

AMR provides details about the authentication methods that were used to verify a user's identity; it records which session activities occurred during authentication. In simple terms, AMR is a claim in OpenID Connect that lists the methods used during the user's login, such as password (pwd), one-time password (otp), or biometrics.

While ACR shows the level, AMR shows the methods used during authentication.
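The two sides of this described above, the relying party asking for a level via the `acr_values` request parameter and then checking the `acr` and `amr` claims it gets back, can be put together in code. The following is an added example written for this page, not code from the KOBIL or Keycloak projects: the ACR identifiers (`urn:example:acr:1fa`, `urn:example:acr:2fa`), their numeric levels, the endpoint URLs and the sample tokens are all constructed assumptions; the AMR method names are the ones registered in RFC 8176. The check refuses a token whose `acr` claims a second factor while its `amr` only lists a single factor type, so that a misissued or misconfigured assertion is not accepted on the strength of `acr` alone.

```python
import base64
import json
from urllib.parse import urlencode

# --- Constructed sample values (assumptions, not from the page) ---------------
# ACR identifiers the RP and IDP are assumed to agree on, mapped to a level.
ACR_LEVELS = {
    "urn:example:acr:1fa": 1,   # password only
    "urn:example:acr:2fa": 2,   # password plus a second factor
}

# AMR values registered in RFC 8176, grouped by factor type.
KNOWLEDGE = {"pwd", "pin", "kba"}
POSSESSION = {"otp", "hwk", "swk", "sms", "sc", "tel"}
INHERENCE = {"fpt", "face", "iris", "retina", "vbm"}


def build_authorization_url(authorize_endpoint, client_id, redirect_uri,
                            state, nonce, acr_values):
    """Build an OIDC authorization request asking the IDP for a given ACR.
    acr_values is space-separated, most preferred first (OIDC Core 3.1.2.1)."""
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "acr_values": " ".join(acr_values),
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def _b64url_decode(segment):
    # Restore the padding that compact JWS serialization strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Split a compact JWS and return its claims set. This does NOT verify
    the signature; in production verify it first (e.g. with PyJWT against
    the IDP's JWKS) and only then inspect acr/amr."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a 3-part compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def factor_types(amr):
    """Distinct factor categories evidenced by the amr list."""
    types = set()
    for method in amr:
        if method in KNOWLEDGE:
            types.add("knowledge")
        elif method in POSSESSION:
            types.add("possession")
        elif method in INHERENCE:
            types.add("inherence")
    return types


def evaluate_mfa(claims, min_level=2):
    """Return (accepted, reason). Accept only when acr is a known value at or
    above min_level AND amr corroborates it with two distinct factor types
    (or carries the explicit RFC 8176 'mfa' marker)."""
    acr = claims.get("acr")
    amr = claims.get("amr", [])
    level = ACR_LEVELS.get(acr, 0)      # unknown or missing acr -> weakest
    if level < min_level:
        return False, f"acr {acr!r} below required level {min_level}"
    if "mfa" in amr or len(factor_types(amr)) >= 2:
        return True, "acr and amr consistent"
    # acr claims MFA but amr shows a single factor: misconfiguration or a
    # misissued token. Reject rather than trust the stronger claim.
    return False, f"acr {acr!r} not corroborated by amr {amr}"


def _constructed_token(claims):
    """Build an UNSIGNED token-shaped string purely for this demo."""
    header = base64.urlsafe_b64encode(json.dumps({"alg": "none"}).encode()).rstrip(b"=")
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=")
    return f"{header.decode()}.{body.decode()}."


# Constructed sample tokens: a password-only session, a password + OTP
# session, and one whose acr overstates what amr shows.
TOKEN_1FA = _constructed_token({"sub": "alice", "acr": "urn:example:acr:1fa", "amr": ["pwd"]})
TOKEN_2FA = _constructed_token({"sub": "alice", "acr": "urn:example:acr:2fa", "amr": ["pwd", "otp"]})
TOKEN_MISMATCH = _constructed_token({"sub": "alice", "acr": "urn:example:acr:2fa", "amr": ["pwd"]})

if __name__ == "__main__":
    print(build_authorization_url("https://idp.example/authorize", "my-client",
                                  "https://rp.example/cb", "s1", "n1",
                                  ["urn:example:acr:2fa"]))
    for tok in (TOKEN_1FA, TOKEN_2FA, TOKEN_MISMATCH):
        print(evaluate_mfa(jwt_claims(tok)))
```

Note that `acr_values` is only a request from the RP; the IDP is free to authenticate the user at a lower level, which is exactly why the returned `acr` has to be checked rather than assumed, and why `amr` is used here as a second, independent piece of evidence.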

First Factor

First Factor represents the initial step in the authentication process, typically using something the user knows, such as a username and password. It acts as the primary method of verifying the user's identity before any additional authentication steps are triggered. The IDP stores the first factor as a hidden attribute (e.g., hidden_first_factors{AST CLIENT ID}) against the user.

Second Factor

Second Factor in Keycloak provides an additional layer of authentication after the user successfully completes the First Factor (e.g., username and password). Keycloak stores the second factor against the device using the Maverick Level of Assurance (MLoA) value. When a client is registered, the IDP updates the client with second-factor information, which can be set to "NONE", "OUT-OF-BAND", or "WEAK-OUT-OF-BAND".

This process is part of Multi-Factor Authentication (MFA), which enhances account security by requiring multiple methods of identity verification.

note
  • ACR and AMR values are calculated by checking the user's First Factor and the Second Factor stored against the device.

Viewing Claims in KOBIL IAM System

To view claim data in the KOBIL IAM system, follow these steps:

  • Navigate to Realm settings.
  • Select the KOBIL tab.
  • Click on Claims.

This section displays claim-related information such as KOBIL ACR, AMR, First Factor and Second Factor.

KOBIL ACR

The acr value of an access token that has passed 1FA is as follows.