Introduction:
I am currently implementing acr_values, acr & amr principles on an OpenID Provider server.
The claim amr (described in the OpenID RFC 1.0) has no standard clearly defined in this same RFC, but I would like to base the system on RFC 8176, mentioned by IANA.
One of the server's authentication methods is sending a confirmation code via email.
About the authentication method:
The server uses a cryptographically secure pseudo-random number generator and stores a hash of the code using argon2. The code is sent to an email address, then the hashes are compared on another request. There is a short expiration time for each code. This method is indeed not considered by the server as a secure method to prove an identity, but it is still selectable when no access to any resource is required.
The question is:
What Authentication Method Reference Name would you use in this case?
Most descriptions are quite strict, so I only see mca as a possibility today. It is not an otp to me since it is not implementing https://tools.ietf.org/html/rfc4226.
Thanks for sharing.
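The email-code method described in the question, written out as an added example (this is not the asker's code and it does not answer the naming question). It generates the code with a CSPRNG, keeps only a salted hash plus an expiry, and verifies against that record on a later request. Two things are assumptions of this example rather than facts from the post: the hash is hashlib.scrypt standing in for argon2, because argon2 is not in the Python standard library (the asker's server uses argon2, and a real deployment would too), and the attempt cap, single-use deletion and injectable clock are additions that a practitioner would want when shipping this flow. Code length and TTL values are illustrative.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Illustrative parameters (assumptions, not from the original post).
CODE_DIGITS = 8          # digits in the emailed code
CODE_TTL_SECONDS = 600   # short expiration, as the post describes
MAX_ATTEMPTS = 5         # cap guesses so a short code cannot be brute-forced online


@dataclass
class PendingCode:
    """What the server stores: never the code itself, only salt + hash + expiry."""
    salt: bytes
    digest: bytes
    expires_at: float
    attempts: int = 0


def _hash_code(code: str, salt: bytes) -> bytes:
    # Stand-in for argon2: scrypt is the memory-hard KDF available in the
    # standard library. The post's server uses argon2; only the call differs.
    return hashlib.scrypt(code.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)


class EmailCodeStore:
    """Issue and verify one-time email confirmation codes, keyed by email address."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested offline
        self._pending = {}       # email -> PendingCode (in-memory; a DB would do the same)

    def issue(self, email: str) -> str:
        # CSPRNG-generated digits; secrets.choice is unbiased for a 10-symbol alphabet.
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        salt = secrets.token_bytes(16)
        self._pending[email] = PendingCode(
            salt=salt,
            digest=_hash_code(code, salt),
            expires_at=self._now() + CODE_TTL_SECONDS,
        )
        # The caller emails this value; the store retains only its hash, so a
        # leaked database does not expose live codes.
        return code

    def verify(self, email: str, submitted: str) -> bool:
        entry = self._pending.get(email)
        if entry is None:
            return False                      # nothing issued, or already consumed
        if self._now() > entry.expires_at:
            del self._pending[email]          # expired: discard, do not compare
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[email]          # too many guesses: invalidate the code
            return False
        # Recompute the salted hash of the submitted code and compare in constant time.
        ok = hmac.compare_digest(_hash_code(submitted, entry.salt), entry.digest)
        if ok:
            del self._pending[email]          # single use: a replayed code must fail
        return ok


if __name__ == "__main__":
    store = EmailCodeStore()
    code = store.issue("user@example.com")    # constructed sample address
    print("sent by email:", code)
    print("first use:", store.verify("user@example.com", code))
    print("replay:", store.verify("user@example.com", code))
```

The verify path deliberately checks expiry before touching the hash, counts every attempt (including the correct one), and deletes the record on success, so the emailed code is valid exactly once, within its window, and for a bounded number of guesses. With argon2 in place of scrypt, the comparison becomes the library's own verify call rather than compare_digest over two digests; everything else stays the same.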