Summary
Care Identity Authentication ID is currently designed to authenticate most End-Users to Authenticator Assurance Level 3 (AAL3) as defined in the NIST Digital Identity Guidelines for Authentication and Lifecycle Management. This standard sets out three levels, 1 being the weakest, and 3 being the strongest.
ACR is an abbreviation for Authentication Context Class Reference. An Authentication Context Class specifies a set of business rules that authentications are being requested to satisfy. These rules can often be satisfied by using a number of different specific authentication methods, either singly or in combination. Authentication Requests using the acr_values parameter request that the specified Authentication Context Classes be used and that the resulting ID Token should contain an acr claim saying which Authentication Context Class was satisfied. The acr claim states that the business rules for the class were satisfied, it is not intended to indicate how they were satisfied.
AMR is an abbreviation for Authentication Methods Reference. An Authentication Methods Reference identifies an authentication method used in performing an authentication.
This section describes the ACR and AMR values supported by Care Identity Authentication, further information on how these may be used to manage an application session is given in the Session Management section.
Authentication Methods
At the time of writing the Care Identity Authentication offers a variety of authentications at different levels.
AAL3
An AAL3 authentication provides very high confidence that the claimant controls authenticator(s) bound to the End-User's account. This is based on proof of possession of a key through a cryptographic protocol and requires a hardware-based authenticator and an authenticator that provides verifier impersonation resistance; the same device may fulfil both these requirements e.g. a smartcard with a passcode.
Mechanism |
Description |
iOS CIS2 Application |
The iOS CIS2 Application provides an authentication solution for users of iPads. The application allows an End-User's identity to be registered on the iPad, which generates a private key in the iPad's secure enclave that can only be released by an End-User biometric factor e.g. one of their fingerprints. Authentication occurs by the Care Identity Authentication requiring the CIS2 Application to sign a random challenge with the End-User's private key which can only be achieved by presentation of the End-User's biometric factor.
Only one End-User identity can be registered on an iPad.
|
Windows Hello for Business |
This solution provides a mechanism by which an End-User's identity can be registered on a Windows 10/11 device that supports Windows Hello for Business (WHfB). It utilises the FIDO2 capabilities of WHfB to create a private key in the device's Trusted Processing Module (TPM) which can only be released by the End-User (using either a PIN or a biometric). Authentication occurs by the Care Identity Authentication performing FIDO2 authentication requiring the End-User's to release their private key using either their PIN or a biometric.
This solution is restricted to WHfB devices that have a physical TPM and that are under the sole control of a single End-User.
|
Smartcards using CIS1 Identity Agent |
This solution provides a mechanism for users of smartcards that leverages the existing Identity Agent (IA) solution without the Replying Party web application having to interact directly with the IA or CIS authentication APIs.
This solution is restricted to devices on the HSCN network and requires the installation of the new NHS Credential Management Application in addition to the IA.
|
Smartcards using CIS2 Identity Agent |
This solution provides a way of using the existing smartcards with a CIS2 Authentication native solution, that does not require HSCN. This requires v3 or above of the IA/CM
|
Security Keys |
These small security keys contain a hardware security module that can be used to store credentials using the FIDO2 process. They can be used on a range of devices (computer, laptop, tablet, mobile) via USB/Lightning/NFC and are unlocked using either fingerprint or passcode |
AAL2
An AAL2 level authenticator provides Multi-Factor Authentication, but is not hardware bound (to the single device), or cryptographically secure. Clients should consider carefully with their end-users if this lower level of authentication is appropriate to their use case.
MS Authenticator TOTP |
This basic username, password and 2nd factor code allows users on almost any device to access applications at a lower security level. For a user, RAs register an email address from an approved domain, set a password and create a code generator on MS Authenticator. When authenticating, the user enters the username, password and then the current code. |
Testing
On development environments Care Identity Authentication offers the following additional Authenticator Assurance Level 1 (AAL1) mechanism in the "oidc" realm.
Mechanism |
Description |
Username/Password |
This is a standard username and password authentication mechanism where the username is the 12 digit identifier uniquely identifying the End-User within Care Identity Authentication e.g. 999999999999.
This is only offered in the username/password development environments listed in the OpenID Provider Configuration Document URI section.
|
ACR Values
The ACR values appear in two parts of the authorization code flow, and in the context of Care Identity Authentication services these are:
- request, optionally, what type of authentication you want to take place (e.g. smartcard)
- in the returned ID Token the ACR claims indicates the acr value that was used
The OpenID Connect specification only contains the one defined ACR value of "0". The value "0" indicates the End-User authentication did not meet the requirements of a level 1 authentication e.g. for example an authentication using a long-lived browser cookie. Authentications with level 0 SHOULD NOT be used to authorize access to any resource of any monetary value and by extension SHOULD NOT be used to access clinical systems.
The specification states that use of other values are to be defined between the parties using the claim.
Additional ACR Values that can be requested
The Care Identity's Authentication support for ACR Values is in development and is currently constrained by the capabilities of the underlying product. As a result Care Identity Authentication only offers partial support for the following additional ACR values:
ACR Value |
Description |
AAL3_IOS |
Setting the acr_values parameter to AAL3_IOS in the Authentication Request will result in Care Identity Authentication attempting to authenticate the user using the iOS CIS2 Application. |
AAL3_FIDO2 |
Setting the acr_values parameter to AAL3_FIDO2 in the Authentication Request will result in Care Identity Authentication attempting to authenticate the user using FIDO2 via Windows Hello for Business OR Security Key |
AAL3_N3_SMARTCARD |
Setting the acr_values parameter to AAL3_N3_SMARTCARD in the Authentication Request will result in Care Identity Authentication attempting to authenticate the user using a smartcard via the legacy CIS1 Identity Agent. |
AAL3_CIS2_SMARTCARD |
Setting the acr_values parameter to AAL3_CIS2_SMARTCARD in the Authentication Request will result in Care Identity Authentication attempting to authenticate the user using a smartcard via the new CIS2 Identity Agent. |
AAL3_SMARTCARD |
Setting the acr_values parameter to AAL3_SMARTCARD in the Authentication Request will result in Care Identity Authentication attempting to authenticate the user using a smartcard using either of the above smartcard options |
AAL2_TOTP |
Setting the acr_values parameter to AAL2_TOTP in the Authentication Request will result in Care Identity Authentication attempting to authenticate the user using the MS Authenticator TOTP flow, only. |
Use of these ACR Values is subject to the following caveats:
- Use of an ACR Value inappropriate for the End-User's device may cause the authentication to fail.
- If the End-User is using more than one Relying Party web application and they use different ACR Values then the End-User may experience multiple authentication events.
Should a Relying Party identify a need to use a specific authentication mechanism they should contact [email protected] to discuss whether the use of an additional ACR Value can be supported in their use case.
Last edited: 22 April 2024 10:53 am