Overview
The Authentication Context Class Reference (acr) from OpenID Connect represents the Level of Assurance (LoA) of an authentication event. Hopae aligns with IETF/IANA standards (RFC 6711; IANA OIDC ACR Registry) and adds a developer‑friendly numeric hopae_loa and human‑readable hopae_loa_label.
- Namespace:
urn:hopae:<acr_value> - Values:
loa1→loa5 - Returned fields:
acr(string),hopae_loa(int),hopae_loa_label(string)
Why it exists
- Defined in OIDC Core §2; registered values in RFC 6711 and IANA registry
- Lets Relying Parties request a minimum assurance (e.g., “at least
loa3”) - Common in regulated flows for step‑up authentication and policy controls
Hopae LoA levels
| ACR Value | Alias | hopae_loa | Description | Typical Methods | eIDAS | NIST |
|---|---|---|---|---|---|---|
urn:hopae:loa1 | low | 1 | No verified ID link; very weak | Email link, SMS OTP (no KYC) | Low | IAL1/AAL1 |
urn:hopae:loa2 | medium | 2 | Limited KYC; telecom/soft ID | PASS (KR), Aadhaar OTP (IN) | – | IAL1–2 |
urn:hopae:loa3 | substantial | 3 | Trusted eID; strong single factor | BankID Substantial, SingPass | Substantial | IAL2/AAL2 |
urn:hopae:loa4 | high | 4 | Multi‑factor + crypto binding | BankID High, Smart‑ID High, FIDO2+biometric | High | IAL3/AAL3 |
urn:hopae:loa5 | qualified | 5 | Qualified signature / max trust | QES smartcard + PIN + biometric | High+/QES | IAL3+ |
Use
hopae_loa (int) for comparisonsAPI response examples
ID Token
UserInfo
References
- RFC 6711 – An IETF Registry for Level of Assurance (LoA) Profiles
- IANA OIDC ACR Values Registry
- OpenID Connect Core 1.0 (acr, amr, auth_time)
- eIDAS 2.0; NIST 800‑63 (Digital Identity Guidelines)
TL;DR for developers
acr: URI (e.g.,urn:hopae:loa3)hopae_loa: integer (1–5) for simple checkshopae_loa_label: human‑friendly text (e.g.,substantial)