Question
Must a Data Holder (DH) support LoA2 claims for One Time Password (OTP) Authentication and subsequently should LoA3 claims be rejected?
Answer
For read access operations, Data Holders shall support LoA2.
Some implementations of OTP using a secure authenticator may result in an LoA3. DHs should publish their supported LoAs using acr_values_supported, which advertises what acr values an Accredited Data Recipient (ADR) can request. At present an ADR should only be requesting an LoA2.
If the DH does not support LoA3 or cannot achieve LoA3, the request should be rejected.
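The check described in the answer above, as an added example that is not part of the original answer or of any Data Holder's code: it reads acr_values_supported from discovery metadata and decides whether an ADR's requested acr can be honoured. The `urn:cds.au:cdr:2` and `urn:cds.au:cdr:3` identifiers are assumed to be the acr values for LoA2 and LoA3; the `dh.example` issuer, the function names, the LoA2 fallback and the strict "any unsupported value rejects" reading are also assumptions.

```python
import json

# Assumption: acr identifiers used for LoA2 and LoA3.
LOA2 = "urn:cds.au:cdr:2"
LOA3 = "urn:cds.au:cdr:3"

# Constructed discovery metadata for a hypothetical Data Holder offering LoA2 only.
DISCOVERY_JSON = (
    '{"issuer": "https://dh.example", '
    '"acr_values_supported": ["urn:cds.au:cdr:2"]}'
)


def requested_acrs(params):
    """Collect the acr values an ADR asked for, in the order given.

    Looks at both the acr_values parameter (space separated) and the
    acr member of the OpenID Connect claims parameter.
    """
    wanted = params.get("acr_values", "").split()
    claims = json.loads(params.get("claims", "{}"))
    for target in ("id_token", "userinfo"):
        acr = (claims.get(target) or {}).get("acr") or {}
        if "value" in acr:
            wanted.append(acr["value"])
        wanted.extend(acr.get("values", []))
    return wanted


def evaluate_request(discovery_json, params):
    """Return (accepted, acr_or_reason) for an authorisation request."""
    supported = json.loads(discovery_json).get("acr_values_supported", [])
    if LOA2 not in supported:
        return False, "metadata does not advertise LoA2"
    wanted = requested_acrs(params)
    if not wanted:
        return True, LOA2  # assumption: no explicit request means LoA2
    # Strict reading (assumption): any unsupported value rejects the request.
    unsupported = [a for a in wanted if a not in supported]
    if unsupported:
        return False, "unsupported acr requested: " + " ".join(unsupported)
    return True, wanted[0]
```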