Data Standards Body | CX Guidelines


00. Redirect to App - general

Checklist ref

2AU1.00.07

Area
2AU1. Redirect to App
Wireframe ref

07

Type
Technical Standard
Requirement level
MUST
Participant
Data Holder
Statement

A Single LoA value is carried in the acr claim which is described in section 2 of [OIDC].

• An LoA of 2 is represented by the URI: urn:cds.au:cdr:2
    • The authenticators used to attain this level MUST achieve Single Factor Authentication as defined in Authentication Schedule.
    • The authenticators used to attain this level MAY conform with the Authentication Level 'AL1' rules specified under the Digital ID Accreditation Data Standards [DigitalID-Accreditation] Authentication Levels (Chapter 2) requirements.
• An LoA of 3 is represented by the URI: urn:cds.au:cdr:3
    • The authenticators used to attain this level MUST achieve Multi-Factor Authentication as defined in Authentication Schedule.
    • The authenticators used to attain this level MAY conform with the Authentication Level 'AL2' rules specified under the Digital ID Accreditation Data Standards [DigitalID-Accreditation] Authentication Levels (Chapter 2) requirements.
• An LoA of 4 is represented by the URI: urn:cds.au:cdr:4
    • The authenticators used to attain this level MUST conform with the Authentication Level 'AL3' rules specified under the Digital ID Accreditation Data Standards [DigitalID-Accreditation] Authentication Levels (Chapter 2) requirements.

READ operations SHALL only be allowed where at least an LoA of 2 has been achieved during the establishment of consent.

WRITE operations SHALL only be allowed where:

• At least an LoA of 3 has been achieved during the establishment of consent, or
• At least an LoA of 2 has been achieved during the establishment of consent and a subsequent challenge/response has resulted in an LoA of 3 being achieved within the lifespan of the current Access Token.

Reference

Security Profile, Levels of Assurance (LoAs), Single Ordinal

Example

Authenticate: Redirect to App

Version introduced
1.35.0
Date introduced

22 September 2025

Date modified

Status
Active
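
One way a Data Holder's resource server could enforce the READ/WRITE rules in the Statement above, given as an added example that is not part of the Data Standards or this checklist. The `Session` class, `is_allowed`, `loa_from_acr` and all field names are hypothetical. Reading "within the lifespan of the current Access Token" as "step-up completed between token issue and now" is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# LoA URIs from the Statement: urn:cds.au:cdr:2, :3 and :4.
_ACR_RE = re.compile(r"urn:cds\.au:cdr:([234])")

def loa_from_acr(acr: object) -> int:
    """Return the LoA carried in an acr value, or 0 if it is not a known URI."""
    if not isinstance(acr, str):
        return 0
    m = _ACR_RE.fullmatch(acr)  # fullmatch rejects prefixes, suffixes, whitespace
    return int(m.group(1)) if m else 0

@dataclass
class Session:  # hypothetical container, not defined by the standard
    consent_acr: Optional[str]          # acr achieved when consent was established
    token_iat: int                      # access token issue time (epoch seconds)
    token_exp: int                      # access token expiry (epoch seconds)
    step_up_acr: Optional[str] = None   # acr from a later challenge/response
    step_up_at: Optional[int] = None    # when that challenge/response completed

def is_allowed(operation: str, s: Session, now: int) -> bool:
    """Apply the READ/WRITE LoA rules; anything unrecognised is denied."""
    if not (s.token_iat <= now < s.token_exp):
        return False                    # assumption: no access outside token lifespan
    consent_loa = loa_from_acr(s.consent_acr)
    if operation == "READ":
        return consent_loa >= 2
    if operation == "WRITE":
        if consent_loa >= 3:
            return True
        # LoA 2 at consent plus a step-up to LoA 3 inside this token's lifespan
        stepped_up = (
            s.step_up_at is not None
            and s.token_iat <= s.step_up_at <= now
            and loa_from_acr(s.step_up_acr) >= 3
        )
        return consent_loa >= 2 and stepped_up
    return False

# Constructed sample sessions (timestamps are arbitrary epoch seconds)
if __name__ == "__main__":
    base = dict(token_iat=1000, token_exp=1600)
    print(is_allowed("WRITE", Session("urn:cds.au:cdr:2", **base), now=1200))
    print(is_allowed("WRITE", Session("urn:cds.au:cdr:2", **base,
          step_up_acr="urn:cds.au:cdr:3", step_up_at=1100), now=1200))
```

A step-up recorded against an earlier token does not carry over here: once a new Access Token is issued, WRITE on an LoA 2 consent is denied until a fresh challenge/response succeeds.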