
WRT: ----- At 12:44 PM -0500 on 12/15/09, Paul Madsen wrote:
is there a class of users who would always log-in at a higher LOA?
Within the IdP enterprise, I'd guess not (i.e. even those users that require higher LOA credentials would also have a lower LOA mate) but perhaps not for federated actions at an SP?
Paul
Interesting thread. I would offer a few observations.

Most people want convenience. They will authenticate at the highest level they can and simply use that for everything. An example of an exception might be when travelling and using an Internet cafe where they can't use their PIV card so must revert to a password. A corollary of this is that RPs/SPs should be prepared to accept "higher" LOAs even if they only require "lower" ones.

Consider also different "assurance profiles" where, e.g., Silver is a superset of Bronze, so an RP/SP should be prepared to accept Silver even if Bronze is what it asks for. We've talked about different ways this could be handled and whether it is the IdP's responsibility to assert the overlap (e.g. this assertion is both Silver and Bronze) or whether the RP/SP should figure that out (e.g. Silver is as good as GSA LOA-2). The jury is still out on that one...

Users that are astute may want to avoid operating at a higher privilege level than necessary, so may choose to authenticate at LOA-2 for most of the time and then "step up" to LOA-3, e.g. with a second factor, when necessary. Can they subsequently revoke that step up? They should be able to without having to log out completely ...

Other users may wish to have different personae for use with different aspects of their work or different communities. In this case, they may need to switch between "identities" within the same IdP which, of course, could have different LOAs. This could be a logout/login or maybe there could be an "I am now ..."

FWIW. David
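The two RP-side behaviours David describes, accepting a stronger assurance context than the one requested (Silver where Bronze was asked for, LOA-3 where LOA-2 was) and letting a session step up and then step back down without a full logout, can be written as a small policy evaluator. The following is an added example, not code from anyone on this thread; the "implies" graph is constructed for illustration and only the Silver-over-Bronze, Silver-as-LOA-2 and LOA-3-over-LOA-2 comparisons come from the discussion above, any other edge is an assumption standing in for local RP policy.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed "implies" graph: an edge A -> B means an assertion at context A
# also meets a requirement for B. Silver -> Bronze and Silver -> LOA-2 are the
# comparisons used as examples in the thread; the numeric chain LOA-4 > LOA-3
# > LOA-2 > LOA-1 follows the thread's usage. Which edges exist is the RP's
# policy decision, whether or not the IdP also asserts the overlap itself.
IMPLIES = {
    "LOA-4": {"LOA-3"},
    "LOA-3": {"LOA-2"},
    "LOA-2": {"LOA-1"},
    "Silver": {"Bronze", "LOA-2"},
    "Bronze": set(),
    "LOA-1": set(),
}


def satisfies(asserted: str, required: str) -> bool:
    """True if `asserted` meets `required` directly or transitively."""
    seen = set()
    stack = [asserted]
    while stack:
        ctx = stack.pop()
        if ctx == required:
            return True
        if ctx in seen:
            continue
        seen.add(ctx)
        stack.extend(IMPLIES.get(ctx, ()))
    return False


def accept_assertion(asserted: list, required: str) -> Optional[str]:
    """RP-side acceptance check.

    The IdP may assert several contexts at once (e.g. Silver and Bronze) or a
    single one and leave the overlap for the RP to work out; either way the RP
    accepts anything that satisfies what it asked for. Returns the first
    matching context, or None if nothing asserted is good enough.
    """
    for ctx in asserted:
        if satisfies(ctx, required):
            return ctx
    return None


@dataclass
class Session:
    """Authenticated session that can step up and step back down without
    discarding the original login."""
    user: str
    base_context: str                 # context established at initial login
    stepped_up_to: Optional[str] = None

    def current_context(self) -> str:
        return self.stepped_up_to or self.base_context

    def step_up(self, new_context: str) -> bool:
        # Only accept a step-up that strictly strengthens the session; a
        # weaker or equal context is rejected rather than silently downgrading.
        if new_context == self.base_context or not satisfies(new_context, self.base_context):
            return False
        self.stepped_up_to = new_context
        return True

    def step_down(self) -> None:
        # Revoke the step-up; the base login survives, no logout needed.
        self.stepped_up_to = None

    def can_access(self, required: str) -> bool:
        return satisfies(self.current_context(), required)


if __name__ == "__main__":
    # Constructed walk-through of the behaviour described in the thread.
    print("Silver accepted for Bronze:", accept_assertion(["Silver"], "Bronze"))
    s = Session("alice", "LOA-2")
    print("LOA-3 resource before step-up:", s.can_access("LOA-3"))
    s.step_up("LOA-3")
    print("LOA-3 resource after step-up:", s.can_access("LOA-3"))
    s.step_down()
    print("after step-down, context is", s.current_context())
```

The graph is the place where the "who asserts the overlap" question lands: if the IdP asserts both Silver and Bronze, `accept_assertion` matches on the first context it sees; if it asserts only Silver, the Silver -> Bronze edge lets the RP reach the same decision on its own.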