When users access online services, they want to be confident that their data and services are secure and their privacy is protected. Institutions and Service Providers that offer online services also need to verify a user's identity to make sure only the right users are accessing the right information. These are distinct concerns, and that is why identity assurance is needed.
...
Strong authentication refers to the use of more than one of these factors. Generally this results in a higher level of assurance (LoA) about the user's identity.
| Level of assurance | Authentication Assurance |
|---|---|
...
| Identity assurance | Authentication method | Identity validation | Typical use |
|---|---|---|---|
| LoA 1 | Username/password | No extra validation of the user's identity | For access to basic resources with little or no risk |
| LoA 1.5 | Username/password + second factor | No extra validation of the user's identity | Protects the user and resources from compromised passwords |
| LoA 2 | Username/password + tiqr, SMS or AzureMFA | The identity of the user is validated | For a high level of confidence in the asserted identity. Often used for access to high-risk resources |
| LoA 3 | Username/password + YubiKey or FIDO2 | The identity of the user is validated | Same as LoA 2, but with more secure authentication methods |
A service or institution needs to choose which level of assurance is appropriate for the protection it requires. There are several ways a LoA can be requested for a specific service or part of a service.
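The practical consequence of choosing a LoA per resource is that the service must check, on every login, that the level the identity provider actually asserted is at least the level it requested, and must fail closed on anything it does not recognise. The following is an added example (not SURFsecureID's or SURFconext's own code) of that check on the service-provider side: it reads the `AuthnContextClassRef` from a SAML 2.0 assertion, maps it to one of the LoA values from the table above, and compares it against a per-path policy. The `https://idp.example/assurance/...` URIs, the `RESOURCE_POLICY` mapping and the sample assertion are placeholders constructed for this example, not the federation's real identifiers.

```python
# Added example (not SURFsecureID's or SURFconext's own code): an SP-side
# check that the assurance level an IdP asserts is at least the level the
# service requires for a resource. The AuthnContextClassRef URIs below are
# placeholders chosen for this example, not the federation's real values.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Levels from the table on this page, weakest first; list index = rank.
LOA_ORDER = ["1", "1.5", "2", "3"]

# Placeholder mapping from AuthnContextClassRef URI to LoA (assumed values).
LOA_URIS = {
    "https://idp.example/assurance/loa1": "1",
    "https://idp.example/assurance/loa1.5": "1.5",
    "https://idp.example/assurance/loa2": "2",
    "https://idp.example/assurance/loa3": "3",
}

# Constructed service policy: required LoA per path prefix, most specific first.
RESOURCE_POLICY = [
    ("/admin", "3"),
    ("/grades", "2"),
    ("/", "1"),
]


def loa_rank(level: str) -> int:
    """Numeric rank of a LoA; an unknown level is an error, never rank 0."""
    if level not in LOA_ORDER:
        raise ValueError(f"unknown LoA {level!r}")
    return LOA_ORDER.index(level)


def meets(asserted: str, required: str) -> bool:
    """True when the asserted LoA is at least as strong as the required one."""
    return loa_rank(asserted) >= loa_rank(required)


def required_loa(path: str) -> str:
    """Return the LoA the policy demands for a path (first matching prefix wins)."""
    for prefix, level in RESOURCE_POLICY:
        if path.startswith(prefix):
            return level
    raise ValueError(f"no policy entry for {path!r}")


def asserted_loa(assertion_xml: str) -> str:
    """Extract the LoA from the AuthnContextClassRef of a SAML 2.0 assertion.

    Signature, audience and validity-period checks are assumed to have been
    done by the SAML library before this is called; this only reads the
    authentication context class and maps it to a LoA.
    """
    root = ET.fromstring(assertion_xml)
    ref = root.find(
        ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
        SAML_NS,
    )
    if ref is None or not (ref.text or "").strip():
        raise ValueError("assertion carries no AuthnContextClassRef")
    uri = ref.text.strip()
    if uri not in LOA_URIS:
        # Fail closed: an unrecognised context class is an error, not a low LoA.
        raise ValueError(f"unrecognised AuthnContextClassRef {uri!r}")
    return LOA_URIS[uri]


def authorize(assertion_xml: str, path: str) -> bool:
    """Grant access only if the asserted LoA meets the LoA required for the path."""
    return meets(asserted_loa(assertion_xml), required_loa(path))


# Constructed sample assertion containing only the fields this check reads.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example/</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>https://idp.example/assurance/loa2</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for p in ("/", "/grades/2024", "/admin/users"):
        print(p, "granted" if authorize(SAMPLE_ASSERTION, p) else "denied")
```

With the sample assertion at LoA 2, `/` and `/grades/2024` are granted and `/admin/users` (which requires LoA 3) is denied. The two design points worth keeping in a real deployment are the explicit ordering of levels (so that 1.5 sits correctly between 1 and 2 rather than being compared as a string) and the rejection of any context class the service has not been configured to recognise, instead of silently treating it as the lowest level.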
Second Factor Only (SFO) authentication
With Second Factor Only (SFO) authentication, "Level" is used to indicate the authentication strength; LoA does not apply. There are three levels:
- Level 1.5: any SURFsecureID second factor, no extra validation of the user's identity
- Level 2: SMS, Tiqr or Azure MFA authentication AND the identity of the user is validated
- Level 3: YubiKey or FIDO2 token authentication AND the identity of the user is validated
Assurance level explained
There are several international standards for identity assurance, such as NIST (US), eIDAS (Europe, previously STORK) and ISO 29115. SURFsecureID is based on ISO 29115. The four levels of identity assurance commonly used are:
...
These risks must be assessed to be able to decide what level of assurance is needed for your service (see also SURFnet guidelines).
- LoA 1: Password authentication through SURFconext at the user's home IdP
- LoA 2: LoA 1 + SMS or Tiqr authentication
- LoA 3: LoA 1 + YubiKey (hardware token) authentication
...
...
With Second Factor Only (SFO) authentication, "Level" is used to indicate the authentication strength; LoA does not apply. There are two levels:
...
Level of assurance vs robustness of infrastructure
...