2AU1.00.07
07
A Single LoA value is carried in the acr claim which is described in section 2 of [OIDC].
• An LoA of 2 is represented by the URI: urn:cds.au:cdr:2
• The authenticators used to attain this level MUST achieve Single Factor Authentication as defined in Authentication Schedule.
• The authenticators used to attain this level MAY conform with the Authentication Level 'AL1' rules specified under the Digital ID Accreditation Data Standards [DigitalID-Accreditation] Authentication Levels (Chapter 2) requirements.
• An LoA of 3 is represented by the URI: urn:cds.au:cdr:3
• The authenticators used to attain this level MUST achieve Multi-Factor Authentication as defined in Authentication Schedule.
• The authenticators used to attain this level MAY conform with the Authentication Level 'AL2' rules specified under the Digital ID Accreditation Data Standards [DigitalID-Accreditation] Authentication Levels (Chapter 2) requirements.
• An LoA of 4 is represented by the URI: urn:cds.au:cdr:4
• The authenticators used to attain this level MUST conform with the Authentication Level 'AL3' rules specified under the Digital ID Accreditation Data Standards [DigitalID-Accreditation] Authentication Levels (Chapter 2) requirements.
READ operations SHALL only be allowed where at least an LoA of 2 has been achieved during the establishment of consent.
WRITE operations SHALL only be allowed where:
• At least an LoA of 3 has been achieved during the establishment of consent, or
• At least an LoA of 2 has been achieved during the establishment of consent and a subsequent challenge/response has resulted in an LoA of 3 being achieved within the lifespan of the current Access Token.
Authenticate: Redirect to App
22 September 2025