!!! Overview
[{$pagename}] lists the defined [Authentication Context Class] and [Authentication Context Class Reference] values we have been able to find.

!! [OpenID Connect MODRNA Authentication Profile 1.0]
The [OpenID Connect MODRNA Authentication Profile 1.0] defines the [acr_values] as shown below.

! http://schemas.openid.net/policies/modrna/phishing-resistant
Short-Name: [mod-pr]

This mitigates phishing of credentials. The user is authenticated via possession of a [Mobile Device] (phone) containing a [secret-key]. The user is required to provide no additional authentication information to use the key. The user is interactively prompted to confirm the [authentication]. The storage mechanism for the secret key and other relevant authentication information is returned via the [amr].

The user is not re-prompted for credentials if the value of prompt is not login and max_age is more than the elapsed time since the user last authenticated at the requested [acr].

! http://schemas.openid.net/policies/modrna/multi-factor
Short-Name: [mod-mf]

This mitigates [phishing] and proves the device is recently in the possession of the authorized [End-User] via [PIN] or device unlock. The user is authenticated via possession of a [Mobile Device] (phone) containing a [secret-key]. The [End-User] is required to provide additional [authentication] information via a [biometric], [PIN] code or other appropriate factors such as Bluetooth pairing with a watch. Given suitable [Mobile Device] management, unlocking the device is also sufficient along with user confirmation of desire to authenticate. The storage mechanism for the [secret-key] and other relevant [authentication] information is returned via the [amr] value.

The user is __NOT__ re-prompted for [credentials] if the value of [prompt|Prompt Parameter] is not login and [max_age] is more than the elapsed time since the user last authenticated at the requested [acr].

[Identity Provider (IDP)] [MUST] recognize and process __short registered forms__ of the authentication context strings. They may recognize and process long forms for custom authentication contexts.

Clients [MUST] send the short registered forms of the authentication context strings, if the authentication context is registered.

The [OpenID Connect Provider] [MUST] support receiving [{$pagename}] as a space separated list in order of preference per [OpenID.Core] section 3.1.2.1.

The [OpenID Connect Provider] [MUST] support receiving [acr] as a claim request in a signed request per [OpenID.Core] 5.5.1. This method prevents the request from being modified by the user, and allows the requested [acr] value to be considered [Essential Claims], causing the [Identity Provider (IDP)] to respond with an authentication error if no requested [acr] value can be fulfilled.

Depending on the authentication capabilities of the user's device, the [OpenID Connect Provider] [MUST] attempt to match the highest requested [acr] value that the AD is capable of. If the [acr] claim is not marked as [Essential Claim] in the request object, the [OpenID Connect Provider] may return another [acr] value that the device is capable of rather than an error if it cannot match any of the requested [acr_values].

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
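
One way to implement the provider-side rules above (match the highest requested acr the device is capable of, return an error only when an essential acr cannot be fulfilled, and apply the re-prompt rule for prompt and max_age), as an added Python example that is not part of the profile or of this page's sources. The function names, the ranking of mod-mf above mod-pr and the session dictionary are assumptions made for illustration.

```python
# Added example: OP-side acr handling for the MODRNA short forms on this page.
# Assumption: mod-mf ranks above mod-pr, since it adds a second factor.
ACR_RANK = {"mod-pr": 1, "mod-mf": 2}


class AcrNotSatisfiable(Exception):
    """No essential acr can be fulfilled: answer with an authentication error."""


def select_acr(acr_values, device_acrs, essential=False):
    """Choose the acr to authenticate at.

    acr_values  -- space separated string, in the client's order of preference
    device_acrs -- set of acr values the user's device is capable of
    essential   -- True when acr arrived as an essential claim in a signed request
    """
    requested = acr_values.split()
    usable = [a for a in requested if a in device_acrs]
    if usable:
        # Highest requested value the device can do; ties keep preference order.
        return max(usable, key=lambda a: ACR_RANK.get(a, 0))
    if essential:
        raise AcrNotSatisfiable(f"none of {requested} can be fulfilled")
    # Not essential: the provider may fall back to another acr the device supports.
    return max(sorted(device_acrs), key=lambda a: ACR_RANK.get(a, 0), default=None)


def must_reprompt(prompt, max_age, last_auth_at, now):
    """Apply the page's re-prompt rule for the selected acr.

    last_auth_at -- epoch seconds of the last authentication at that acr, or None
    """
    if last_auth_at is None or prompt == "login":
        return True
    if max_age is None:
        # Assumption: no max_age in the request means no age limit is applied.
        return False
    # No re-prompt only while max_age is more than the elapsed time.
    return not (max_age > now - last_auth_at)


def decide(acr_values, device_acrs, session, now, essential=False,
           prompt=None, max_age=None):
    """Return (acr, reprompt); session maps acr -> last authentication time."""
    acr = select_acr(acr_values, device_acrs, essential)
    return acr, must_reprompt(prompt, max_age, session.get(acr), now)
```

A session established at mod-pr does not suppress the prompt for a mod-mf request here, because the elapsed time is measured from the last authentication at the requested acr.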