Must a Data Holder (DH) support LoA2 claims for One Time Password (OTP) Authentication and subsequently should LoA3 claims be rejected?
For read access operations, Data Holders shall support LoA2.
Some implementations of OTP using a secure authenticator may result in an LoA3. DHs should publish their supported LoAs using
acr_values_supported which advertises what
acr values an Accredited Data Recipient (ADR) can request. At present an ADR should only be requesting an LoA2.
If the DH does not support LOA3 or cannot achieve LOA3: the request should be rejected.
See: Level of Assurance