AMR values

AMR and values

Open ID Connect supports AMR values for continuous authentication flows

Following questions will answered in the blog:

What is the AMR value in OpenID Connect?

What are the values supported

AMR stands for Authentication Methods References.

AMR is claim as part of JWT claims.

It is registered IANA "JSON Web Token Claims"

As per AMR is optional claim.

Example for a amr in jwt claim

amr: [ PWD,OPT]

amr: [POP]

 amr value is an array of case sensitive strings. 

 AMR Values and description

AMR is OAuth AMR values. 

AMR Description
PWD Password-based authentication
ne-time password, could be SMS OTP
wia Windows integrated authentication includes kerberos or ntlm
retina Biometric authentication based on retina
pop proof of possession, parent category for software and hardware keys
swk software key like certiifcte/td>
hwk hardware key like swipe card
sms Confirmation using SMS
tel Confirmation by telephone call
face facial bio metric authentication
fpt finger based bio metric authentication
geo geolocation information for authentication
kba Knowledge-based authentication
PIN pattern or pin number type of authentication
rba Risk based authentication

ads.txt, pub-2982252415955321, DIRECT, f08c47fec0942fa0

Authentication & Session Management practices for browser based flows.

Following are some guidelines that allow authentication process to be secure

For User Authentication

  • Credentials must not be stored in browsers or insensitive locations.
  • Application logs must not record sensitive data like password
  • Perform Two Factor Authentication
  • Login Request must happen using POST request over HTTPS.
  • Password reset must ask old password.
  • Password must mandate minimum character set and special characters.

Once the user logs in, session needs management.
For Session Management

 Prefer Host based cookies over domain based cookies.

  • Mandate Secure, HTTPS and SameSite Flags for Cookies.
  • Do not log Cookie information in logs.
  • Session Must have idle and MaxTime outs
  • Must support logout feature.
  • Must validate User on every cookie request
  • Allow Server level termination of session to allow blocking a already login user.
  • Option to cap on current sessions.
  • Cookie created needs needs hold client IP or any user  machine specific infomration to avoid replay attack.