AuthenticatedTelephony | Principal has authenticated via the means of the line number, a user suffix, and a password element. |
InternetProtocol | Principal has authenticated through the use of a provided IP address. |
InternetProtocolPassword | Principal has authenticated through the use of a provided IP address, in addition to a username/password. |
Kerberos | Principal has authenticated using a password to a local authentication authority, in order to acquire a Kerberos ticket. That Kerberos ticket is then used for subsequent network authentication. |
MobileOneFactorContract | Reflects mobile contract customer registration procedures and a single factor authentication. For example, a digital signing device with tamper resistant memory for key storage, such as the mobile MSISDN, but no required PIN or biometric for real-time user authentication. |
MobileOneFactorUnregistered | Reflects no mobile customer registration procedures and an authentication of the mobile device without requiring explicit end-user interaction. This context class authenticates only the device and never the user; it is useful when services other than the mobile operator want to add a secure device authentication to their authentication process. |
MobileTwoFactorContract | Reflects mobile contract customer registration procedures and a two-factor based authentication. For example, a digital signing device with tamper resistant memory for key storage, such as a GSM SIM, that requires explicit proof of user identity and intent, such as a PIN or biometric. |
MobileTwoFactorUnregistered | Reflects no mobile customer registration procedures and a two-factor based authentication, such as secure device and user PIN. This context class is useful when a service other than the mobile operator wants to link their customer ID to a mobile supplied two-factor authentication service by capturing mobile phone data at enrollment. |
NomadTelephony | Principal is "roaming" (perhaps using a phone card) and has authenticated via the means of the line number, a user suffix, and a password element. |
Password | Principal has authenticated to an authentication authority through the presentation of a password over an unprotected HTTP session. |
PasswordProtectedTransport | Principal has authenticated to an authentication authority through the presentation of a password over a protected session. |
PersonalizedTelephony | Principal has authenticated via the provision of a fixed-line telephone number and a user suffix, transported via a telephony protocol such as ADSL. |
PGP | Principal has authenticated by means of a digital signature where the key was validated as part of a PGP Public Key Infrastructure. |
PreviousSession | Applicable when a principal had authenticated to an authentication authority at some point in the past using any authentication context supported by that authentication authority. Consequently, a subsequent authentication event that the authentication authority will assert to the relying party may be significantly separated in time from the principal's current resource access request. The context for the previously authenticated session is explicitly not included in this context class because the user has not authenticated during this session, and so the mechanism that the user employed to authenticate in a previous session should not be used as part of a decision on whether to now allow access to a resource. |
SecureRemotePassword | Principal has authenticated by means of Secure Remote Password as specified in RFC 2945. |
Smartcard | Principal has authenticated to an authentication authority using a smartcard. |
SmartcardPKI | Principal has authenticated to an authentication authority through a two-factor authentication mechanism using a smartcard with enclosed private key and a PIN. |
SoftwarePKI | Principal has authenticated to an authentication authority using an X.509 certificate stored in software. |
SPKI | Principal has authenticated by means of a digital signature where the key was validated via an SPKI Infrastructure. |
Telephony | Principal has authenticated via the provision of a fixed-line telephone number, transported via a telephony protocol such as ADSL. |
TimeSyncToken | Principal has authenticated through a time synchronization token. |
TLSClient | Principal has authenticated by means of a client certificate, secured with the SSL/TLS transport. |
Unspecified | Principal has authenticated via unspecified means. |
X509 | Principal has authenticated by means of a digital signature where the key was validated as part of an X.509 Public Key Infrastructure. |
XMLDSig | Principal has authenticated by means of a digital signature according to the processing rules specified in the XML Digital Signature specification. |
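
A relying party typically reads the context class from the assertion's `AuthnContextClassRef` and decides whether it is strong enough for the resource. The sketch below is an added example, not code from the library documented here. It assumes the identity provider sends SAML 2.0 class URIs whose last segment matches the names in the table; the two-factor policy and the names `check_authn_context` and `sample_assertion` are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLASS_PREFIX = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Hypothetical policy for a resource that requires two factors: the allow-list
# holds the classes the table above describes as two-factor.
TWO_FACTOR = {"SmartcardPKI", "MobileTwoFactorContract", "MobileTwoFactorUnregistered"}
# Classes refused with a specific reason, taken from their table descriptions.
REFUSE = {
    "Password": "password sent over an unprotected HTTP session",
    "PreviousSession": "no authentication in this session; re-authenticate",
    "MobileOneFactorUnregistered": "authenticates the device, not the user",
}

def check_authn_context(assertion_xml):
    """Return (allowed, reason). Assumes the assertion's signature, issuer and
    validity window were already verified by the SAML library."""
    root = ET.fromstring(assertion_xml)
    refs = root.findall(
        ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    # Policy choice (assumption): exactly one class reference must be present.
    if len(refs) != 1 or not (refs[0].text or "").strip():
        return False, "expected exactly one AuthnContextClassRef"
    uri = refs[0].text.strip()
    if not uri.startswith(CLASS_PREFIX):
        return False, "unrecognised context class URI"
    name = uri[len(CLASS_PREFIX):]
    if name in TWO_FACTOR:
        return True, name
    # Anything not explicitly allowed is denied (fail closed).
    return False, REFUSE.get(name, name + " is not on the two-factor allow-list")

def sample_assertion(class_name):
    # Constructed, unsigned sample assertion for illustration only.
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        '<saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>'
        + CLASS_PREFIX + class_name +
        '</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>'
        '</saml:Assertion>'
    )

if __name__ == "__main__":
    for cls in ("SmartcardPKI", "PreviousSession", "Kerberos"):
        print(cls, check_authn_context(sample_assertion(cls)))
```

The check fails closed: a class that is missing, unknown, or simply absent from the allow-list is denied, so a new class introduced by the identity provider is never accepted by default.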