Discussion:
[OAUTH-WG] Publishing authentication level as first amr value
Mike Schwartz
2016-11-11 20:05:33 UTC
Gluu is working on a free open source app called Cred Mgr:
github.com/GluuFederation/cred-mgr

As the name suggests, this app is a user-facing application that lets
the person reset existing credentials and register new credentials. To
avoid degrading the security of credentials, we want to make sure that a
person can only reset a credential if they present one with equal or
greater strength, or "level".

Cred-mgr knows the level, because we are returning it as the first value
in the amr array in the id_token. We are also publishing a mapping of
amr values to acr values in the OP discovery page. For example:

"auth_level_mapping": {
    "50": ["http://example.com/saml"],
    "10": ["http://example.com/u2f", "http://example.com/duo"],
    "1": ["http://example.com/pw"]
},

If we could agree on this approach, then it could be interoperable
across domains. I don't see any other solutions being proposed, so no
one can figure out how to properly handle multi-factor credential reset
in a standard way.

- Mike


-------------------------------------
Michael Schwartz
Gluu
Founder / CEO
***@gluu.org
http://support.gluu.org
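Added example, not code from Gluu's cred-mgr: a Python check that inverts the auth_level_mapping from the OP discovery document and compares it against the level carried as the first amr value of the id_token, failing closed when either side is missing or unparseable. The claim and metadata shapes, the level being a numeric string in amr[0], and the names may_reset and acr_to_level are assumptions.

```python
from typing import Optional

# Constructed discovery metadata fragment, shaped like the mapping in the post.
DISCOVERY = {
    "issuer": "https://op.example.com",
    "auth_level_mapping": {
        "50": ["http://example.com/saml"],
        "10": ["http://example.com/u2f", "http://example.com/duo"],
        "1": ["http://example.com/pw"],
    },
}

def acr_to_level(discovery: dict) -> dict:
    """Invert auth_level_mapping into {acr: level}. If an acr is listed under
    several levels, keep the highest so that resetting it requires the most."""
    table = {}
    for level_str, acrs in discovery.get("auth_level_mapping", {}).items():
        try:
            level = int(level_str)
        except ValueError:
            continue  # malformed key: ignore it rather than trust it
        for acr in acrs:
            table[acr] = max(level, table.get(acr, level))
    return table

def presented_level(id_token_claims: dict) -> Optional[int]:
    """Level of the credential just used: first amr value (assumed format).
    Returns None when the claim is missing or not an integer string."""
    amr = id_token_claims.get("amr")
    if not isinstance(amr, list) or not amr:
        return None
    try:
        return int(str(amr[0]))
    except ValueError:
        return None

def may_reset(id_token_claims: dict, target_acr: str, discovery: dict = DISCOVERY) -> bool:
    """Allow a reset of the credential identified by target_acr only if the
    presented level is known and >= the target's level (fail closed otherwise)."""
    have = presented_level(id_token_claims)
    need = acr_to_level(discovery).get(target_acr)
    if have is None or need is None:
        return False
    return have >= need

if __name__ == "__main__":
    claims = {"sub": "alice", "amr": ["10", "u2f"]}  # constructed id_token payload
    print(may_reset(claims, "http://example.com/pw"))    # True
    print(may_reset(claims, "http://example.com/saml"))  # False
```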
