We’re excited to announce that the id_token obtained via the OpenID Connect workflow now includes data about the authentication method set up and used by ORCID users.
The id_token payload now contains a new field called “amr”, whose value is “mfa” for users who have enabled two-factor authentication on their ORCID account and “pwd” for users who haven’t.
This improvement is only available to Member API clients (the amr field is not returned to Public clients). It lets ORCID integrators know whether a user has enabled software token-based two-factor authentication, which can be used in determining access levels to higher-security systems.
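One way an integrator might turn the amr field into an access decision, as an added example that is not ORCID's code. It assumes `claims` is the id_token payload after signature, issuer, audience and expiry validation; the tier names and function names are hypothetical, and accepting an array as well as a single string is an assumption based on how OpenID Connect Core defines amr.

```python
# Added example, not ORCID code. `claims` must be the id_token payload AFTER
# signature, issuer, audience and expiry checks have already passed.
MFA, PWD = "mfa", "pwd"  # the two amr values the announcement names


def amr_values(claims):
    """Normalise amr to a set of strings; empty set if absent or malformed."""
    raw = claims.get("amr")
    if isinstance(raw, str):  # single value, as the announcement describes
        return {raw}
    if isinstance(raw, list) and all(isinstance(v, str) for v in raw):
        return set(raw)  # array form (assumption: OpenID Connect Core shape)
    return set()


def access_tier(claims):
    """Map amr to a hypothetical tier name, failing closed."""
    values = amr_values(claims)
    if MFA in values:
        return "elevated"
    if PWD in values:
        return "standard"
    # No amr (for example a token issued to a Public client) or an
    # unrecognised value: never infer that two-factor authentication is on.
    return "unknown"


def require_mfa(claims):
    """Gate for a higher-security system: raise unless amr reports mfa."""
    if access_tier(claims) != "elevated":
        raise PermissionError("two-factor authentication not asserted by id_token")
    return True


# Constructed sample payloads (the ORCID iD is a placeholder, not a real user).
SAMPLES = {
    "member_mfa": {"sub": "0000-0000-0000-0000", "amr": "mfa"},
    "member_pwd": {"sub": "0000-0000-0000-0000", "amr": "pwd"},
    "public_client": {"sub": "0000-0000-0000-0000"},  # amr not returned
    "malformed": {"sub": "0000-0000-0000-0000", "amr": {"mfa": True}},
}

if __name__ == "__main__":
    for name, claims in SAMPLES.items():
        print(name, "->", access_tier(claims))
```

A missing amr is kept distinct from “pwd” so that a token obtained through a Public client is not mistaken for a statement about the user's account.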