Support Level of Assurance (LoA) per MFA method
Introduction
Safewhere Identify supports many MFA methods. Even though they are currently all assigned the same level of assurance, in reality their strength differs: OTP via SMS or email is the weakest form, while biometrics or a hardware key is the strongest. In light of NSIS 2.0 and OIOSAML 3.0, there is a need to issue a different assurance level depending on which second-factor method was used. For example, the TOTP Authenticator option can carry the Substantial assurance level, and WebAuthn's biometric option the High level. Because the levels themselves, and which method qualifies for which level, vary from standard to standard, scripting is the most flexible option. Continuing the example, when a request asks for the Substantial level, your script can let users use both the TOTP and the WebAuthn methods, while a request that asks for the High level gets only the WebAuthn method.
Example
To use this feature, you write two scripts:
- The first script selects the candidate OTP methods based on the LoA requested of an OTP authentication connection. You add this script to an OTP connection.
- After the user has completed the second factor with one of the candidate OTP methods, the second script writes the assurance level of that method into the correct system variable.
An example of the first script:
// Build the result object that tells Identify which OTP methods to offer
OtpMethodsByRequestedAuthenticationContextClass otpMethod = new OtpMethodsByRequestedAuthenticationContextClass();
// Retrieve the request's LoA from the SSO context (null when the request carries none)
Uri requestedAuthnContextClass = requestedAuthenticationContextModel.RequestedAuthenticationContextClass.FirstOrDefault();
otpMethod.RequestedAuthenticationContextClass = requestedAuthnContextClass != null ? requestedAuthnContextClass.ToString() : string.Empty;
SystemLogger.Instance.WriteDebug("Requested authentication context class is: " + otpMethod.RequestedAuthenticationContextClass);
// Choose the set of MFA methods based on the request's LoA
switch (otpMethod.RequestedAuthenticationContextClass)
{
    case "high":
        // Only the strongest method qualifies
        otpMethod.Methods = new List<OtpType> { OtpType.WebAuthn };
        break;
    case "substantial":
        otpMethod.Methods = new List<OtpType> { OtpType.WebAuthn, OtpType.Authenticator };
        break;
    default:
        // No (or an unrecognised) level requested: every configured method is a candidate
        otpMethod.Methods = new List<OtpType> { OtpType.Email, OtpType.Sms, OtpType.OS2faktor, OtpType.Authenticator, OtpType.Device, OtpType.WebAuthn };
        break;
}
return otpMethod;
Paste the script above into the Select candidate OTP methods script setting.
An example of the second script:
// Look up the assurance level of the MFA method the user just completed
string loaOfInUseMfaMethod = claimsPrincipal.GetLoAOfTheInUseMFAMethod();
SystemLogger.Instance.WriteDebug("LoA of the in-use MFA method: " + loaOfInUseMfaMethod);
// Publish it as the second-factor authentication context method class
claimsPrincipal.SetSecondFactorAuthenticationContextMethodClass(loaOfInUseMfaMethod);
Paste the script above into the Second factor authentication context method class script setting, found on the first factor's connection.
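As an added illustration (not Identify's own code) of the policy the two scripts above express, the following stand-alone C# program ranks the levels, selects candidate methods for a requested level and checks whether the method a user completed meets that request. The OtpType enum is a stand-in so the sample compiles outside Identify, the per-method levels and the LoaPolicy class are assumptions, and the sample request values are constructed; unlike the first script, it compares only the last segment of the requested URI and fails closed on an unrecognised value rather than offering every method.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
// Stand-in for Identify's OtpType enum so this sample compiles on its own (assumption).
enum OtpType { Email, Sms, OS2faktor, Authenticator, Device, WebAuthn }

static class LoaPolicy
{
    // Levels ordered from weakest to strongest.
    static readonly string[] Ranked = { "low", "substantial", "high" };
    // Level each method is assumed to deliver (assumption; align with your own assessment).
    static readonly Dictionary<OtpType, string> MethodLoa = new Dictionary<OtpType, string>
    {
        { OtpType.Email, "low" }, { OtpType.Sms, "low" }, { OtpType.OS2faktor, "low" },
        { OtpType.Device, "low" }, { OtpType.Authenticator, "substantial" }, { OtpType.WebAuthn, "high" },
    };
    static int Rank(string level) => Array.IndexOf(Ranked, level); // -1 when unknown

    // Rank the request must be met at. The requested class is a Uri in Identify, so only its last path
    // segment is compared, case-insensitively. Nothing requested: any method is fine; an unrecognised
    // value fails closed to "high" instead of offering every method.
    public static int RequiredRank(string requested)
    {
        if (string.IsNullOrWhiteSpace(requested)) return Rank("low");
        int rank = Rank(requested.TrimEnd('/').Split('/').Last().ToLowerInvariant());
        return rank >= 0 ? rank : Rank("high");
    }

    // First script's job: candidates are the methods whose level is at least the required one.
    public static List<OtpType> SelectMethods(string requested)
    {
        int needed = RequiredRank(requested);
        return MethodLoa.Where(kv => Rank(kv.Value) >= needed).Select(kv => kv.Key).OrderBy(m => m).ToList();
    }

    // Second script's job, plus a check: does the method the user completed meet the request?
    public static bool Satisfies(OtpType used, string requested)
        => Rank(MethodLoa[used]) >= RequiredRank(requested);
}

class Program
{
    static void Main()
    {
        // Constructed sample request values; the URI form mimics how an AuthnContextClassRef arrives.
        foreach (var req in new[] { "https://example.org/loa/Substantial", "High", "", "unknown-level" })
            Console.WriteLine($"{req,-40} -> {string.Join(", ", LoaPolicy.SelectMethods(req))}");
        Console.WriteLine($"SMS meets Substantial: {LoaPolicy.Satisfies(OtpType.Sms, "Substantial")}, WebAuthn: {LoaPolicy.Satisfies(OtpType.WebAuthn, "Substantial")}");
    }
}
```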