The "amr" (Authentication Methods References) claim is defined in IETF RFC 8176 as an array of
strings that are identifiers for authentication methods used in the authentication.
In the event payload, the amr value appears in the authentication_context object of the authentication event types. It indicates the authentication methods used during the authentication.
In the hook response, use the amr value in constraints to require additional authentication methods. Learn more in #apply-authentication-constraints.

| AMR value | Meaning | Supported in constraints |
|---|---|---|
| pwd | Password-based authentication. | true |
| otp | One-time password (OTP) authentication. | true |
| sms | SMS-based authentication. | true |
| mfa | Multi-factor authentication. Added when multiple authenticators are used in a single flow, or one authenticator with one recovery code. | true |
| x_biometric | Biometric authentication. | false |
| x_passkey | Indicates passkey authentication. | false |
| x_primary_password | Indicates primary password authentication. | true |
| x_primary_oob_otp_email | Indicates primary one-time password (OTP) authentication via email. | true |
| x_primary_oob_otp_sms | Indicates primary one-time password (OTP) authentication via SMS. | true |
| x_primary_passkey | Indicates passkey authentication. | false |
| x_secondary_password | Indicates secondary password authentication. | true |
| x_secondary_oob_otp_email | Indicates secondary one-time password (OTP) authentication via email. | true |
| x_secondary_oob_otp_sms | Indicates secondary one-time password (OTP) authentication via SMS. | true |
| x_secondary_totp | Indicates secondary Time-based One-time Password (TOTP) authentication. | true |
| x_recovery_code | Indicates authentication with a recovery code. | false |
| x_device_token | Indicates authentication with a device token. | false |
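
A hook handler that applies the text and table above, as an added example that is not from the original documentation: it reads amr from authentication_context and asks for mfa when the flow has not yet satisfied it, and it refuses to emit values the table marks as unsupported in constraints. The response fields `is_allowed` and `constraints.amr`, the function names, and the sample events are assumptions.

```javascript
// Added example. The response shape (is_allowed, constraints.amr) is an
// assumption; confirm it against the "apply authentication constraints" section.

// AMR values the table above marks "Supported in constraints: true".
const CONSTRAINT_SUPPORTED = new Set([
  "pwd", "otp", "sms", "mfa",
  "x_primary_password", "x_primary_oob_otp_email", "x_primary_oob_otp_sms",
  "x_secondary_password", "x_secondary_oob_otp_email",
  "x_secondary_oob_otp_sms", "x_secondary_totp",
]);

// Hypothetical helper: fail loudly instead of sending a constraint that the
// table marks unsupported (for example x_passkey or x_recovery_code).
function buildConstraints(required) {
  const unsupported = required.filter((v) => !CONSTRAINT_SUPPORTED.has(v));
  if (unsupported.length > 0) {
    throw new Error("not usable in constraints: " + unsupported.join(", "));
  }
  return { amr: required };
}

// Hypothetical hook handler: require a second factor unless the flow so far
// already carries "mfa". A missing or malformed amr is treated as empty, so
// the handler fails closed and still asks for mfa.
function handleAuthenticationEvent(event) {
  const ctx = (event.payload && event.payload.authentication_context) || {};
  const amr = Array.isArray(ctx.amr) ? ctx.amr : [];
  if (amr.includes("mfa")) {
    return { is_allowed: true };
  }
  return { is_allowed: true, constraints: buildConstraints(["mfa"]) };
}

// Constructed sample events (not captured from a real deployment).
const passwordOnly = {
  payload: { authentication_context: { amr: ["pwd", "x_primary_password"] } },
};
const withTotp = {
  payload: { authentication_context: {
    amr: ["pwd", "otp", "mfa", "x_primary_password", "x_secondary_totp"],
  } },
};

console.log(JSON.stringify(handleAuthenticationEvent(passwordOnly)));
console.log(JSON.stringify(handleAuthenticationEvent(withTotp)));
```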