Versions Compared

Old Version 22

changes.mady.by.user Raoul Teeuwen

Saved on

compared with

New Version Current

changes.mady.by.user Peter Clijsters

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

When users access online services, they want to be confident that their data and services are secure and their privacy is protected. Institutions and Service Providers that offer online services also need to verify a user's identity to make sure only the right users are accessing the right information. These are distinct That is why identity assurance is needed.

...

Strong authentication refers to the use of more than one of these factors. Generally this results in a higher level of assurance (LoA) about the user. 

SURFsecureID levels of assurance

SURFsecureID expresses the strength of authentication and identity of the user in 4 levels of assurance. This is based on the assurance framework as described in ISO/IEC 29115 (similar to NIST Special Publication 800-63-1), but with a LoA 1.5 added.

Level of assuranceAuthentication AssuranceIdentity assuranceCharacteristics
LoA 1Username/passwordNo extra validation of the user's identityFor access to basic resources with little or no risk
LoA 1.5Username/password + second factor No extra validation of the user's identityProtects the user and resources from compromised passwords 
LoA 2Username/password + tiqr, SMS or AzureMFAThe identity of the user is validatedFor high level of confidence in the asserted identity. Often used for access to high risk resources
LoA 3Username/password + YubiKey or FIDO2The identity of the user is validatedSame as LoA2, but with more secure authentication methods.


A service or institution needs to choose which level of assurance is appropriate for protection. There are several ways a LoA can be requested for a specific service or part of a service.

Second Factor Only (SFO) authentication

With Second Factor Only (SFO) Authentication "Level" is used to indicate the authentication strength: LoA does not apply. There are three levels:

  • Level 1.5: any SURFsecureID second factor, no extra validation of the user's identity
  • Level 2: SMS, Tiqr or Azure MFA authentication AND the identity of the user is validated
  • Level 3: YubiKey or FIDO2 token authentication AND the identity of the user is validated

Assurance level

...

explained

There are several international standards for identity assurance, like NIST (US), eIDAS (Europe, previously STORK) and ISO29115. SURFsecureID is based on ISO29115. The four levels of identity assurance commonly used are:

...

These risks must be assessed to be able to decide what level of assurance is needed for your service (see also SURFnet guidelines).

Using levels of assurance to express strength of authentication

To express the strength of authentication and the identity of the user an assurance framework as described in ISO/IEC 29115 is used (similar to NIST Special Publication 800-63-1). The SURFsecureID gateway supports three levels of assurance:

  • LoA 1: Password authentication through SURFconext at the users home IdP
  • LoA 2: LoA 1 + SMS or Tiqr authentication
  • LoA 3: LoA 1 + YubiKey (hardware token) authentication

Second Factor Only (SFO) authentication

With Second Factor Only (SFO) Authentication "Level" is used to indicate the authentication strength: LoA does not apply. There are two levels:

...

Level of assurance vs robustness of infrastructure

...