Programming Social Applications by Jonathan LeBlanc

Provider Authentication Policy Extension

The Provider Authentication Policy Extension (PAPE) defines a series of previously agreed-upon authentication policies that the OpenID provider applies when authenticating an end user through a relying party (i.e., the site or service that is requesting the user authentication through something like a “Sign in with Yahoo” request). The PAPE mechanism also enables the OpenID provider to inform the relying party of which authentication policies were used during the authentication process, which in turn enables the relying party to determine how secure the authentication was. We will look at the methods for setting and obtaining this information in our upcoming OpenID example.

The PAPE policies that we will explore include:

  • Phishing-resistant authentication

  • Multifactor authentication

  • Physical multifactor authentication

Note

These three authentication policies are being discussed only as starting points to cover the most common use cases—additional policies may be applied as needed.

In addition, PAPE provides a mechanism by which the relying party may request that the OpenID provider inform it of the levels of authentication assurance (known as NIST assurance levels) that were used.
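The following sketch is an added example, not code from the book. It shows the relying party's side of the exchange: the PAPE fields it adds to the request, and the checks it runs on the provider's answer before trusting it. The parameter names and URIs are those of the PAPE 1.0 specification; the function names and the sample response are constructed for illustration, and verification of the OpenID signature itself is assumed to be done by the OpenID library.

```python
from datetime import datetime, timezone
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
NIST_NS = "http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf"
POLICY = "http://schemas.openid.net/pape/policies/2007/06/"
PHISHING_RESISTANT = POLICY + "phishing-resistant"
MULTI_FACTOR = POLICY + "multi-factor"

def pape_request(policies, max_auth_age):
    """PAPE parameters the relying party adds to its authentication request."""
    return {"openid.ns.pape": PAPE_NS,
            "openid.pape.preferred_auth_policies": " ".join(policies),
            "openid.pape.max_auth_age": str(max_auth_age),
            "openid.pape.auth_level.ns.nist": NIST_NS,
            "openid.pape.preferred_auth_level_types": "nist"}

def check_pape_response(resp, required, max_auth_age, min_nist, now):
    """Return a list of problems; an empty list means the request was honoured."""
    # The provider may pick its own alias, so resolve it from the namespace URI.
    alias = next((k[len("openid.ns."):] for k, v in resp.items()
                  if k.startswith("openid.ns.") and v == PAPE_NS), None)
    if alias is None:
        return ["no PAPE data in response"]
    pre = "openid." + alias + "."
    # PAPE fields outside openid.signed are not covered by the provider's signature.
    signed = {"openid." + f for f in resp.get("openid.signed", "").split(",")}
    problems = [k + " is not signed" for k in sorted(resp)
                if (k.startswith(pre) or k == "openid.ns." + alias) and k not in signed]
    applied = resp.get(pre + "auth_policies", "").split()
    problems += ["policy not applied: " + p for p in required if p not in applied]
    try:
        t = datetime.strptime(resp[pre + "auth_time"], "%Y-%m-%dT%H:%M:%SZ")
        if (now - t.replace(tzinfo=timezone.utc)).total_seconds() > max_auth_age:
            problems.append("authentication older than max_auth_age")
    except (KeyError, ValueError):
        problems.append("auth_time missing or malformed")
    # Find the alias the provider bound to the NIST namespace, then read its level.
    nist = next((k.rsplit(".", 1)[1] for k, v in resp.items()
                 if k.startswith(pre + "auth_level.ns.") and v == NIST_NS), None)
    level = resp.get(pre + "auth_level." + nist, "") if nist else ""
    if not level.isdigit() or int(level) < min_nist:
        problems.append("NIST assurance level below %d" % min_nist)
    return problems

# Constructed sample response fields (not captured from a real provider).
SAMPLE = {"openid.ns.pape": PAPE_NS, "openid.pape.auth_time": "2011-05-01T12:00:00Z",
          "openid.pape.auth_policies": MULTI_FACTOR + " " + PHISHING_RESISTANT,
          "openid.pape.auth_level.ns.nist": NIST_NS, "openid.pape.auth_level.nist": "2",
          "openid.signed": "ns.pape,pape.auth_policies,pape.auth_time,"
                           "pape.auth_level.ns.nist,pape.auth_level.nist"}
```

The policies in the request are preferences only, so the relying party decides what to do when the returned list is non-empty, for example by refusing the login or asking the user to re-authenticate.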

The three most common PAPE policies include numerous technologies that can be employed during the authentication process. Table 11-15 breaks these methods down by each policy in which they apply.

Table 11-15. Authentication methods available within each PAPE policy

Method

Phishing-resistant ...
