Hello, I reviewed draft-ietf-oauth-amr-values and have a few comments. First, thanks for your work on this draft!
Several of the authentication methods mentioned are typically used (or recommended for use) as a second or third factor. I see in section 3 that multiple methods can be contained in the claim. I'd like to see an example of single and multiple authentication methods being represented. Was it a WG decision to leave out examples?

In the Privacy considerations section, I think it should be made clear that the actual credentials are not part of this specification to avoid additional privacy concerns for biometric data.

Section 5, shouldn't a pointer be here to the attacks on OAuth 2.0 as well?

Thank you.

--
Best regards,
Kathleen
