ACR and AMR
Overview
This document explains the concepts of ACR (Authentication Context Class Reference) and AMR (Authentication Methods References) in the context of OpenID Connect (OIDC), and how they are used to strengthen authentication mechanisms using first and second factors.
ACR and AMR: Key Concepts in Authentication
When building secure login flows, it's not enough to know whether a user logged in; you also need to understand how strongly they were authenticated. That's where ACR and AMR come into play.
These two values are essential components of OpenID Connect (OIDC)-based authentication. They help systems evaluate and enforce multi-factor authentication (MFA) policies by indicating both the level and the method of authentication used. Let's explore them in detail.
ACR – Authentication Context Class Reference
ACR indicates how strong the user's authentication was. Think of it as a security level indicator. It lets the Identity Provider (IDP) signal whether the user logged in with just a password or completed additional steps such as device verification or OTP. The claim is of type string; KOBIL IDP, however, populates it with numeric values (carried as strings) that indicate the level of authentication the user completed.
In OpenID Connect (OIDC) requests, ACR is an optional parameter. It allows a service provider to pass extra information to the identity provider so that the identity provider can require additional assurance in the user authentication flow, i.e., it specifies the business rules that must be followed during authentication. In some contexts ACR is also referred to as the Level of Assurance (LoA).
AMR - Authentication Methods References
AMR (Authentication Methods References) is a claim in OpenID Connect that lists the methods used to verify a user's identity during login, such as password (pwd) or biometric. It captures information about the session activities that occurred during authentication.
While ACR shows the level, AMR shows the methods used during authentication.
First Factor
First Factor represents the initial step in the authentication process, typically using something the user knows, such as a username and password. It acts as the primary method of verifying the user's identity before any additional authentication steps are triggered. The IDP stores the first factor as a hidden attribute against the user.
Second Factor
Second Factor in the IDP provides an additional layer of authentication after the user has successfully completed the First Factor. The IDP stores the second factor against the device using the Maverick Level of Assurance (MLoA) value.
Maverick Level of Assurance (MLoA) allows you to set the appropriate level of security for user authentication, ensuring compliance with organizational policies and security requirements.
The table below lists the Maverick Level of Assurance (MLoA) values. These values are stored against the device according to the type of authentication performed. When the user registers through the device, the corresponding MLoA value is stored in the AST services based on the flow the user completed.
| Value | Scenarios |
|---|---|
| NONE | No authentication. |
| WEAK-OUT-OF-BAND | Set when the user verifies identity through a password, or when email-based verification is used. Example: OTP verification through email, OTP verification via SMS. |
| OUT-OF-BAND | Set when the user verifies identity through a high-trust multi-factor authentication (considered strong assurance). Example: biometric verification. |
This process is part of Multi-Factor Authentication (MFA), which enhances account security by requiring multiple methods of identity verification.
- ACR and AMR values are calculated by checking the user's First Factor and the Second Factor stored against the device.
Viewing Claims in KOBIL IAM System
To view claim data in the KOBIL IAM system, follow these steps:
- Navigate to Realm settings.
- Select the KOBIL tab.
- Click on Claims.
This section displays claim-related information such as KOBIL ACR, AMR, First Factor and Second Factor.
Sample Use Case
Below is an example of how ACR and AMR are determined based on the authentication flow.
Example: Password + OTP via Email
If a user completes password verification followed by email verification using OTP, the flow results in the following claims:
- First Factor: Password
- Second Factor: WEAK-OUT-OF-BAND
- ACR: 2
- AMR: mfa, mvk, pwd
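The following is an added example, not KOBIL code, showing how a relying party would enforce an MFA policy on the claims from the sample above. It assumes the ID token signature has already been verified, that `acr` arrives as a numeric string (as this page states for KOBIL IDP) and that `amr` is a list of method strings; the 1FA-only payload is a constructed assumption, since the page does not give that value.

```python
"""Relying-party policy check on OIDC acr/amr claims (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Any, Mapping


@dataclass(frozen=True)
class AuthnPolicy:
    min_acr: int                  # lowest acceptable numeric ACR level
    required_amr: frozenset[str]  # every method that must appear in amr


def parse_acr(claims: Mapping[str, Any]) -> int:
    """Return acr as an integer. A missing or non-numeric acr counts as 0
    (no assurance). Never compare acr as raw strings: "10" < "2"
    lexicographically, which would defeat a step-up policy."""
    raw = claims.get("acr")
    if isinstance(raw, str) and raw.isdigit():
        return int(raw)
    return 0


def parse_amr(claims: Mapping[str, Any]) -> frozenset[str]:
    """Return the asserted methods. amr must be a JSON array of strings;
    a missing or malformed claim means no method was asserted."""
    raw = claims.get("amr")
    if isinstance(raw, list) and all(isinstance(m, str) for m in raw):
        return frozenset(raw)
    return frozenset()


def satisfies(claims: Mapping[str, Any], policy: AuthnPolicy) -> bool:
    """True only if both the level and every required method are present."""
    return (parse_acr(claims) >= policy.min_acr
            and policy.required_amr <= parse_amr(claims))


# Constructed ID-token payloads (signature verification assumed done earlier).
MFA_CLAIMS = {"sub": "alice", "acr": "2", "amr": ["mfa", "mvk", "pwd"]}  # page sample
PWD_ONLY_CLAIMS = {"sub": "bob", "acr": "1", "amr": ["pwd"]}             # assumed 1FA
NO_AMR_CLAIMS = {"sub": "eve", "acr": "2"}                               # acr but no amr

# Policy for a sensitive operation: level 2 reached via password plus MFA.
STEP_UP = AuthnPolicy(min_acr=2, required_amr=frozenset({"mfa", "pwd"}))

if __name__ == "__main__":
    for name, claims in [("mfa", MFA_CLAIMS), ("pwd-only", PWD_ONLY_CLAIMS),
                         ("no-amr", NO_AMR_CLAIMS)]:
        print(name, "->", "allow" if satisfies(claims, STEP_UP) else "step-up required")
```

Checking both claims is deliberate: a token carrying an acr level without the matching amr methods, or vice versa, is treated as not satisfying the policy.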
The acr value of the access token that passed 1FA is as follows.