Authentication
The authentication chain comprises multiple building blocks. The blocks include username and password, social login, one-time password (OTP), push notification, time-based OTP (TOTP), and so on. You can use these different building blocks, arrange them in a sequence, and create an authentication journey that is relevant to a specific user group or brand.
There is one restriction when using multi-factor authentication (MFA): the first factor cannot be OTP by SMS, where the user starts by entering a phone number and then receives an OTP to enter.
Authentication building blocks
The authentication module consists of multiple authentication factors or building blocks. Each authentication factor or building block provides a specific capability. The following are some of the building blocks:
- username and password
- magic link sent by email
- QR code
- social login
- external identity login
- OTP by SMS
- OTP by voice call
- OTP by email
- push notification
- TOTP authenticator
Additional capabilities, like token enrichment, are also supported.
Authentication assurance level
The authentication assurance level (AAL) is a specification in the OpenID protocol. It essentially reflects the degree of trust or assurance in the authentication that was performed. For example, some applications require two-factor authentication, whereas others are fine with a single factor.
AAL is a measure of the assurance in the authentication performed by the user. In other words, it is a measure of the confidence in and the strength of an authentication mechanism and its issuing process.
A higher AAL reduces the risk of a fraudulent identity gaining access. It can be used as a barometer for providing selective and progressive access to sensitive and non-sensitive applications.
The OneWelcome Identity Platform provides support for AAL. The target application can pass the AAL as an input to the OneWelcome Identity Platform.
You can set the AAL for each authentication method. For example, you can designate a combination of usernames and passwords as level one, and designate a combination of usernames, passwords, and SMS messages as level two.
NIST recommendations are outlined in NIST SP 800-63B, which specifies various authentication levels. It is advisable to adhere to these recommendations whenever possible. If you designate a specific authentication method as AAL2, it is crucial to maintain consistency across the entire ecosystem. This means that if you define AAL2 for one brand, the same definition should apply to other brands as well. Defining AAL2 differently for different cases leads to inconsistencies and confusion.
Step-up authentication
If the target application requires a higher AAL, you can use step-up authentication to raise the AAL of the session.
Target applications can specify the required AAL for user access. For example, if an application accepts AAL1, users can employ any AAL1 authentication factor, such as username and password or magic link. If the user needs AAL2 for another application, they are directed to the OneWelcome Identity Platform. Here, the system assesses the session and initiates step-up authentication. Moreover, the identity token issued to users embeds the AAL, providing applications with the necessary information about the authentication level performed in acquiring the token.
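As an added illustration of the per-method AAL designation, the SMS-first MFA restriction and the step-up decision described on this page (example code, not the OneWelcome platform's own), assuming the method names, the AAL2 combinations and the token claim name "aal":

```python
# Added example, not OneWelcome platform code: per-method AAL designation,
# the SMS-first MFA restriction, and the step-up decision. Method names,
# the AAL2 combinations and the token claim name "aal" are assumptions.

METHOD_AAL = {"password": 1, "magic_link": 1, "sms_otp": 1,   # single factors
              "totp": 1, "push": 1}                            # are all AAL1

# Combinations this deployment designates as AAL2 (assumed policy; the page
# names username/password + SMS as its level-two example).
AAL2_COMBINATIONS = [{"password", "sms_otp"}, {"password", "totp"},
                     {"password", "push"}]

def journey_is_valid(steps):
    """MFA restriction: a multi-factor journey must not start with SMS OTP."""
    if any(s not in METHOD_AAL for s in steps):
        return False
    return not (len(steps) > 1 and steps[0] == "sms_otp")

def session_aal(completed):
    """AAL reached by the factors completed so far (0 = not authenticated)."""
    done = set(completed)
    if any(combo <= done for combo in AAL2_COMBINATIONS):
        return 2
    return 1 if any(m in METHOD_AAL for m in done) else 0

def step_up_needed(completed, required_aal):
    """Factors to request next so the session meets the application's
    required AAL; an empty list means no step-up is needed."""
    if session_aal(completed) >= required_aal:
        return []
    done = set(completed)
    if required_aal == 1:
        return ["password"]                 # any AAL1 factor would do
    # Reuse an already completed factor where possible, but only when the
    # whole journey (completed + extra) still respects the SMS-first rule.
    for combo in AAL2_COMBINATIONS:
        missing = sorted(combo - done)
        if missing != sorted(combo) and journey_is_valid(list(completed) + missing):
            return missing
    # Nothing reusable (e.g. session began with SMS OTP): full AAL2 journey.
    return sorted(AAL2_COMBINATIONS[0])

def token_meets_aal(id_token_claims, required_aal, claim="aal"):
    """Relying-party check on the AAL embedded in the identity token.
    The claim name is an assumption; use the one the platform issues."""
    try:
        return int(id_token_claims.get(claim, 0)) >= required_aal
    except (TypeError, ValueError):
        return False
```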