Require Confirmed Devices

Service providers can require the user to authenticate using a device that was previously confirmed for this user. For example, this can be used for step-up authentication of a user who was already authenticated by the service provider (even if that authentication wasn't via BindID).

Devices are confirmed by a service provider by sending a session-feedback request after performing a direct authentication for the user. This is typically done when the authenticated user is first seen by the service provider in order to identify the user in their system and set a user alias. Once confirmed, the device used is bound to the Client Application for this user, which will be reflected in the ID token by the ts.bindid.app_bound_cred ACR value. For more, see Send Session Feedback.

You can require confirmed devices using the bound_to parameter of the /authorize_ciba request. These calls specify a user identifier, either as a user alias (if one was set for this user) or as the subject of the ID token (i.e., the sub claim). If the authenticating device has not been previously confirmed for this user, the authentication fails.
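The following is an added example (not BindID's own SDK or documentation code) of the two relying-party pieces this page describes: building the step-up request that names the user the device must be bound to, and checking the resulting ID token for the ts.bindid.app_bound_cred ACR value before trusting the step-up. The JSON shape used for bound_to, the handling of acr as either a string or a list, and the function names are assumptions made for illustration; the real parameter encoding is defined by the BindID API reference. The check assumes the ID token's signature and issuer have already been validated by your OIDC library.

```python
"""Step-up authentication with a confirmed (bound) device.

Added illustration, not BindID's SDK. ASSUMPTIONS (marked below): the JSON
shape of the bound_to parameter and the encoding of the ID-token acr claim
are taken from the surrounding prose, not from the BindID specification.
"""
from typing import Any, Dict, List, Union

# ACR value named on this page for a device bound to the client application
APP_BOUND_ACR = "ts.bindid.app_bound_cred"


def build_ciba_request(user_identifier: str, identifier_type: str) -> Dict[str, Any]:
    """Build /authorize_ciba parameters that require a previously confirmed device.

    identifier_type is "alias" (a user alias set via session feedback) or
    "sub" (the subject of a previously issued ID token).
    ASSUMPTION: bound_to is modelled here as a small JSON object.
    """
    if identifier_type not in ("alias", "sub"):
        raise ValueError("identifier_type must be 'alias' or 'sub'")
    if not user_identifier:
        raise ValueError("user identifier must not be empty")
    return {
        "scope": "openid",
        "bound_to": {"type": identifier_type, "value": user_identifier},
    }


def _acr_values(claims: Dict[str, Any]) -> List[str]:
    """Normalise the acr claim to a list.

    OIDC defines acr as a string; some issuers return a list or a
    space-separated string. Accept all three (ASSUMPTION about BindID's
    exact encoding) so a check never passes on a type mismatch.
    """
    acr: Union[str, List[str], None] = claims.get("acr")
    if acr is None:
        return []
    if isinstance(acr, str):
        return acr.split()
    return [str(v) for v in acr]


def is_device_bound(claims: Dict[str, Any], expected_sub: str) -> bool:
    """Relying-party check after step-up (signature already verified).

    The token must belong to the user we asked for AND carry the
    app-bound-credential ACR; a token for another user, or one without the
    ACR, must not be treated as a confirmed-device authentication.
    """
    if claims.get("sub") != expected_sub:
        return False
    return APP_BOUND_ACR in _acr_values(claims)


if __name__ == "__main__":
    # Constructed sample: a user already known to the service provider
    request = build_ciba_request("alice@example.com", "alias")
    print("CIBA request parameters:", request)

    # Constructed sample ID-token claims (signature assumed verified)
    bound_claims = {"sub": "user-123", "acr": APP_BOUND_ACR}
    unbound_claims = {"sub": "user-123", "acr": "ts.bindid.other_value"}
    print("bound device accepted:", is_device_bound(bound_claims, "user-123"))
    print("unbound device accepted:", is_device_bound(unbound_claims, "user-123"))
```

The check deliberately compares sub as well as acr: a valid token carrying the ACR but issued for a different subject would otherwise satisfy a naive "is the ACR present" test.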