diff --git a/_pages/oidc.md b/_pages/oidc.md index ed424701..1890bff6 100644 --- a/_pages/oidc.md +++ b/_pages/oidc.md @@ -119,10 +119,10 @@ https://idp.int.identitysandbox.gov/openid_connect/authorize? - **`http://idmanagement.gov/ns/assurance/aal/2`** This is the same as the default behavior except users must reauthenticate with a separate second factor (i.e. not a session secret) once every 12 hours. - - **`http://idmanagement.gov/ns/assurance/aal/3`** - This specifies that a user has been authenticated with a crytographically secure method, such as WebAuthn or using a PIV/CAC. - - **`http://idmanagement.gov/ns/assurance/aal/3?hspd12=true`** - This specifies that a user has been authenticated with an HSPD12 credential (requires PIV/CAC) + - **`http://idmanagement.gov/ns/assurance/aal/2?phishing_resistant=true`** + This specifies that a user has been authenticated with a crytographically secure method, such as WebAuthn or using a PIV/CAC. Users must _always_ authenticate with a second factor. + - **`http://idmanagement.gov/ns/assurance/aal/2?hspd12=true`** + This specifies that a user has been authenticated with an HSPD12 credential (requires PIV/CAC). Users must _always_ authenticate with a second factor. #### LOA Values These are not recommended, and only for legacy compatibility. diff --git a/_pages/saml.md b/_pages/saml.md index fd89665b..6346a0fa 100644 --- a/_pages/saml.md +++ b/_pages/saml.md @@ -314,9 +314,9 @@ To specify more restrictive behavior, add an additional `
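Review bot: In the `_pages/oidc.md` hunk (`@@ -119,10 +119,10 @@`), the added `aal/2?phishing_resistant=true` line carries over the misspelling "crytographically" from the removed `aal/3` line; since the line is being rewritten anyway, correct it to "cryptographically". The same hunk removes both `aal/3` values outright without saying whether they are still accepted, so an integrator who currently requests `http://idmanagement.gov/ns/assurance/aal/3` or `http://idmanagement.gov/ns/assurance/aal/3?hspd12=true` cannot tell from this page what happens to existing requests; a sentence on the status of the old values would close that gap. Both new entries also read "a user has been authenticated", although they document values sent in the authorization request; wording such as "requires that the user authenticate with ..." would match the "users must reauthenticate" phrasing of the `aal/2` entry just above and make the added "Users must _always_ authenticate with a second factor" sentence read as part of the same requirement.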