Question

Must a Data Holder (DH) support LoA2 claims for One Time Password (OTP) Authentication and subsequently should LoA3 claims be rejected?

Answer

For read access operations, Data Holders shall support LoA2.

Some implementations of OTP using a secure authenticator may result in an LoA3. DHs should publish their supported LoAs using acr_values_supported which advertises what acr values an Accredited Data Recipient (ADR) can request. At present an ADR should only be requesting an LoA2.

If the DH does not support LOA3 or cannot achieve LOA3: the request should be rejected.

See: Level of Assurance