The Provider Authentication Policy Extension defines a series of previously agreed-upon authentication policies that the OpenID provider applies when authenticating an end user through a relaying party (i.e., the site or service that is requesting the user authentication through something like a “Sign in with Yahoo” request). The PAPE mechanism also enables the OpenID provider to inform the relaying party of which authentication policies were used during the authentication process, which in turn enables the relaying party to determine how secure the authentication was. We will look at the methods for setting and obtaining this information in our upcoming OpenID example.
The PAPE policies that we will explore include:
Physical multifactor authentication
These three authentication policies are being discussed only as starting points to cover the most common use cases—additional policies may be applied as needed.
In addition, PAPE provides a mechanism by which the relaying party may request that the OpenID provider inform it of the levels of authentication assurance (known as NIST assurance levels) that were used.
The three most common PAPE policies include numerous technologies that can be employed during the authentication process. Table 11-15 breaks these methods down by each policy in which they apply.
Table 11-15. Authentication methods available within each PAPE policy