+1

Avery Glasser wrote:

Actually, this could be pretty simple to implement:

Replace openid.aqe.preferred_auth_mode with the following:

openid.aqe.auth_factor1

Optional: The method of authentication the RP would like the OP to perform, or in the case of a multi-factor authentication, the first method that the RP would like the OP to perform. The mode should match one of the advertised values in the XRDS. If this is not specified, then any authentication method is acceptable.

Value: Comma-delimited list of "none", "password", "pin", "fingerbio", "handbio", "hardotp", "irisbio", "otherbio", "smartcard", "softotp", "voicebio"

Note: The OP should attempt to authenticate the user with the most secure mode requested. For example, if the OP has determined that their voicebio method is stronger than their password method and the RP requests either "voicebio or password", the OP should strive to authenticate the user by "voicebio" when possible. If the two modes are considered equally strong, then it is the choice of the OP regarding which one or ones to authenticate against. OPs should note that authenticating a user by a non-preferred method may result in an RP denying access.

openid.aqe.auth_factor2

Optional: In the case of a multi-factor authentication, the second method that the RP would like the OP to perform. The mode should match one of the advertised values in the XRDS. If this is not specified, then any authentication method is acceptable. If this is not specified, it is assumed that the RP is requesting only a single factor for authentication. The OP will not use the same method for this factor as was used in any previous factors. For example, if the first factor is a password, the second factor cannot also be a password.

Value: Comma-delimited list of "none", "password", "pin", "fingerbio", "handbio", "hardotp", "irisbio", "otherbio", "smartcard", "softotp", "voicebio"

Note: The OP should attempt to authenticate the user with the most secure mode requested. For example, if the OP has determined that their voicebio method is stronger than their password method and the RP requests either "voicebio or password", the OP should strive to authenticate the user by "voicebio" when possible. If the two modes are considered equally strong, then it is the choice of the OP regarding which one or ones to authenticate against. OPs should note that authenticating a user by a non-preferred method may result in an RP denying access.

openid.aqe.auth_factor3

... you can figure how it would continue. There are very few use cases that would use more than two factors.

So, in this case, if you want the user to authenticate with two factors, first with a password and second with a SecurID or voice biometric print...

openid.aqe.auth_factor1 = "password"

openid.aqe.auth_factor2 = "hardotp", "voicebio"

Conversely, if you want two factors, which could be any combination of password, hardotp or voicebio:

openid.aqe.auth_factor1 = "hardotp", "voicebio", "password"

openid.aqe.auth_factor2 = "hardotp", "voicebio", "password"

The response from the OP, assuming that it followed the request from the RP, would look like:

openid.aqe.auth_factor1 = "password"

openid.aqe.auth_factor2 = "hardotp"

I would think that this is clear enough that we could make the small change to the spec to allow for this type of methodology.

Thoughts?

- Avery
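As an added illustration of the proposal above (constructed for this thread, not code from Avery's post or from the OpenID AQE draft), here is an OP-side resolver for the proposed openid.aqe.auth_factorN parameters together with the RP-side check that the OP's answer actually satisfies the request. The per-mode strength ranking is an assumption for one hypothetical OP; the proposal leaves that ranking to each OP.

```python
# Constructed example: OP-side resolution of openid.aqe.auth_factorN requests
# and the RP-side acceptance check. Not code from the post or the AQE draft.

# Modes listed in the proposal. The strength ranking below is an assumption
# for one hypothetical OP; each OP would rank its own deployments.
MODES = {"none", "password", "pin", "fingerbio", "handbio", "hardotp",
         "irisbio", "otherbio", "smartcard", "softotp", "voicebio"}
OP_STRENGTH = {"none": 0, "password": 1, "pin": 1, "otherbio": 2, "softotp": 2,
               "voicebio": 2, "fingerbio": 3, "handbio": 3, "hardotp": 3,
               "irisbio": 4, "smartcard": 4}

def factor_key(n):
    return "openid.aqe.auth_factor%d" % n

def parse_modes(value):
    """Parse a comma-delimited, optionally quoted list such as
    '"hardotp", "voicebio"' into a set of modes, rejecting unknown ones."""
    modes = {v.strip().strip('"') for v in value.split(",") if v.strip()}
    unknown = modes - MODES
    if unknown:
        raise ValueError("unknown auth mode(s): %s" % sorted(unknown))
    return modes

def resolve_factors(request, advertised):
    """OP side: for each auth_factorN present, pick the strongest requested mode
    that this OP advertises in its XRDS and has not used for an earlier factor.
    Returns the response parameters, or None if some factor cannot be met."""
    response, used, n = {}, set(), 1
    while factor_key(n) in request:
        candidates = parse_modes(request[factor_key(n)]) & (set(advertised) - used)
        if not candidates:
            return None  # nothing the RP asked for is available for this factor
        # strongest first; ties broken by name so the choice is deterministic
        best = max(sorted(candidates), key=lambda m: OP_STRENGTH[m])
        response[factor_key(n)] = '"%s"' % best
        used.add(best)
        n += 1
    return response

def rp_accepts(request, response):
    """RP side: every requested factor was answered with one of the requested
    modes, and no mode was reused across factors."""
    used, n = set(), 1
    while factor_key(n) in request:
        got = response.get(factor_key(n))
        mode = got.strip().strip('"') if got is not None else None
        if mode is None or mode in used or mode not in parse_modes(request[factor_key(n)]):
            return False
        used.add(mode)
        n += 1
    return True

# Constructed sample request matching the first example in the post.
SAMPLE_REQUEST = {factor_key(1): '"password"', factor_key(2): '"hardotp", "voicebio"'}
```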

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
