Description
This issue is linked with issue #67
In the workgroup discussion on 6-10-2025 we discussed defining an IPSIE SL1-specific acr value to make it easier to clearly define the security requirements for this level. Note that section 3.3.1 specifies the IDP MUST return an acr claim in the id_token but doesn't require the RP to request any specific acr_values value.
The first step is to clearly define the required "security minimum" for IPSIE SL1.
My summary of what I heard on the workgroup call is... something akin to NIST AAL2 but not referenced in that way. Also, an authentication that includes the user solving two unique authentication challenges (or, stated a different way: the IDP must authenticate the user with two unique authentication methods). This does not require phishing-resistant authentication methods, but does require at least "2 steps".
As for the IPSIE SL1 acr_value we can use ipsie_sl1 :)
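As an added example (not the workgroup's or any IPSIE implementation's code), the Python below shows the RP side of the proposal: requesting the proposed `ipsie_sl1` value via the standard OIDC `acr_values` parameter, then refusing an id_token whose `acr` claim is missing or different. The `amr` check goes slightly beyond the issue: it assumes the IdP also returns an RFC 8176 `amr` claim and that "two unique authentication methods" shows up as two distinct `amr` values, which the issue does not require.

```python
from urllib.parse import urlencode

# Proposed IPSIE SL1 acr value from the issue (a proposal, not a registered value).
IPSIE_SL1_ACR = "ipsie_sl1"


def build_authorization_request(authorize_endpoint, client_id, redirect_uri,
                                state, nonce, acr=IPSIE_SL1_ACR):
    """Build an OIDC authorization request URL that asks the IdP for the
    IPSIE SL1 acr through the standard 'acr_values' request parameter."""
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "acr_values": acr,
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def check_acr(id_token_claims, required_acr=IPSIE_SL1_ACR):
    """RP-side check of 'acr' on an id_token whose signature, iss, aud, exp
    and nonce were already verified. Section 3.3.1 says the IdP MUST return
    acr, so a missing claim is a failure rather than 'unspecified'.
    Returns (ok, reason)."""
    acr = id_token_claims.get("acr")
    if acr is None:
        return False, "acr claim missing from id_token"
    if not isinstance(acr, str):
        return False, "acr claim is not a string"
    if acr != required_acr:
        return False, f"acr {acr!r} does not satisfy required {required_acr!r}"
    return True, "ok"


def check_amr_two_methods(amr):
    """Assumption-based check (see lead-in): require at least two distinct
    RFC 8176 amr values, e.g. ['pwd', 'otp'], as evidence of '2 steps'.
    Returns (ok, reason)."""
    if not isinstance(amr, list) or not all(isinstance(m, str) for m in amr):
        return False, "amr claim missing or malformed"
    if len(set(amr)) < 2:
        return False, f"amr {amr!r} shows fewer than two distinct methods"
    return True, "ok"


# Constructed sample claims: what an SL1-conformant id_token might carry.
SAMPLE_CLAIMS = {"sub": "alice", "acr": IPSIE_SL1_ACR, "amr": ["pwd", "otp"]}
```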