[DG-Concordia] AuthnContext & PAPE & ICAM
RL 'Bob' Morgan
rlmorgan at washington.edu
Mon Dec 14 20:08:02 EST 2009
> The other thing to remember is that the user can't be allowed
> administrative access to the account if they are authenticated at the
> lower LoA without compromising the Higher LoA. That is something I
> would look for as an assessor for a multi LoA IdP.
It is important to distinguish "multiple LoAs for the IdP as a whole, one
LoA per user" from "multiple LoAs per user". The former, it seems to me,
is going to be the case in any organization of any significant size.
Multiple LoAs per user is definitely trickier and less obviously needed,
though still relatively common (e.g. at my university many people have
two-factor devices they use for more sensitive apps in addition the plain
old username/password they use for all other apps).
I don't know that I agree with your concern above in general, though. Our
users have some kinds of "administrative access" to their accounts (update
mailing address, eg, or change password) via LoA2 (-equivalent) login.
This doesn't affect the quality of their two-factor (LoA3-equiv) login, as
far as I can see.
- RL "Bob"
More information about the DG-Concordia
mailing list