Page History

...

When using the standard authentication with SURFsecureID, three four levels of assurance (LoA) are supported:

• LoA 1: Only password authentication at the institution's IDP
• LoA 1.5: LoA 1 + any SURFsecureID second factor, no extra validation of the user's identity 
• LoA 2: LoA 1 + SMS, Tiqr or Tiqr authenticationAzureMFA authentication AND the identity of the user is validated
• LoA 3: LoA 1 + YubiKey or FIDO2 (hardware token) authentication AND the identity of the user is validated

Each LoA is assigned to an identifier and is different for each type of environment used:

...

http://test.surfconext.nl/assurance/loa1

http://pilot.surfconext.nl/assurance/loa1

http://test.surfconext.nl/assurance/loa1

.5

http://test.surfconext.nl/assurance/loa2loa1.5

http://

test.surfconext.nl/assurance/loa2

http://surfconext.nl/assurance/loa2

http://test.surfconext.nl/assurance/loa3

.surfconext.nl/assurance/loa3

http://surfconext.nl/assurance/loa3

These identifiers are used to communicate the strength of authentication between the SURFsecureID gateway and the Service Provider. The actual method of authentication (e.g. SMS + password) at the institutional IdP is not communicated.

...

With Second Factor Only (SFO) Authentication "level" is used to indicate the authentication strength:

• Level 2: SMS or Tiqr authentication1.5: any SURFsecureID second factor, no extra validation of the user's identity 
• Level 2: SMS, Tiqr or AzureMFA authentication AND the identity of the user is validated
• Level 3: YubiKey or FIDO2 (hardware token) authentication AND the identity of the user is validated

The following identifiers are used:

...

http://test.surfconext.nl/assurance/sfo-level2level1.5

http://

surfconext.nl/assurance/sfo-level1.5

http://test.surfconext.nl/assurance/sfo-level2

http://

surfconext.nl/assurance/sfo-level2

http://

test.surfconext.nl/assurance/sfo-level3

http://surfconext.nl/assurance/sfo-level3

...