On the topic of the relevance of RequestedAuthnContext, this SAML
profile (http://saml2int.org/profile/current) recommends against
RequestedAuthnContext - citing interop concerns.
But surely the argument that authncontext complicates interop could be
used against any policy parameter....
Paul
On 12/14/2009 8:08 PM, RL 'Bob' Morgan wrote:
> The other thing to remember is that the user
> can't be allowed administrative access to the account if they are
> authenticated at the lower LoA without compromising the Higher LoA.
> That is something I would look for as an assessor for a multi LoA IdP.
It is important to distinguish "multiple LoAs for the IdP as a whole,
one LoA per user" from "multiple LoAs per user". The former, it seems
to me, is going to be the case in any organization of any significant
size. Multiple LoAs per user is definitely trickier and less obviously
needed, though still relatively common (e.g. at my university many
people have two-factor devices they use for more sensitive apps in
addition to the plain old username/password they use for all other apps).
I don't know that I agree with your concern above in general, though.
Our users have some kinds of "administrative access" to their accounts
(update mailing address, e.g., or change password) via LoA2 (-equivalent)
login. This doesn't affect the quality of their two-factor (LoA3-equiv)
login, as far as I can see.
- RL "Bob"
_______________________________________________
DG-Concordia mailing list
DG-Concordia@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/dg-concordia
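Bob's distinction between LoA2 self-service and LoA3-only administrative access, written as the check a SAML SP would run on the asserted AuthnContextClassRef before honouring a request. This is an added example, not code from the thread, from Kantara or from saml2int; the URI-to-LoA mapping, the action names and the sample assertion fragment are constructed assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Illustrative AuthnContextClassRef -> LoA rank mapping (an assumption, not a
# published equivalence): password over TLS as LoA2, a time-sync token as LoA3.
LOA_RANK = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 2,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken": 3,
}

# Per-action minimum LoA at the SP (assumption): account self-service at
# LoA2, administrative functions only at LoA3.
ACTION_MIN_LOA = {
    "update_mailing_address": 2,
    "change_password": 2,
    "admin_console": 3,
}


def authn_context_class_ref(assertion_xml: str) -> str:
    """Return the assertion's AuthnContextClassRef text, or '' if absent."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(f".//{{{SAML_NS}}}AuthnContextClassRef")
    return ref.text.strip() if ref is not None and ref.text else ""


def session_loa(assertion_xml: str) -> int:
    """LoA rank the IdP actually asserted; unknown or missing contexts rank 0."""
    return LOA_RANK.get(authn_context_class_ref(assertion_xml), 0)


def decide(assertion_xml: str, action: str) -> str:
    """'allow' when the session LoA meets the action's floor, else 'step_up'.

    Unknown actions fail closed by requiring the highest known rank.
    """
    required = ACTION_MIN_LOA.get(action, max(LOA_RANK.values()))
    return "allow" if session_loa(assertion_xml) >= required else "step_up"


# Constructed sample assertion fragment: a password login at the IdP.
PASSWORD_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_c1" Version="2.0">
  <saml:AuthnStatement AuthnInstant="2009-12-14T20:08:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""
```

The point of ranking the asserted context rather than trusting RequestedAuthnContext is that the SP enforces the floor per action even when the IdP ignored or downgraded the request; a "step_up" result is where the SP would send a fresh AuthnRequest for the higher context.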