...

There are several international standards for identity assurance, such as NIST (US), eIDAS (Europe, previously STORK) and ISO29115. SURFsecureID is based on ISO29115. The four levels of identity assurance commonly used are:

  • LoA 1: Little or no confidence in the asserted identity
  • LoA 2: Some confidence in the asserted identity
  • LoA 3: High confidence in the asserted identity
  • LoA 4: Very high confidence in the asserted identity

The different specifications elaborate on the meaning of these labels by specifying requirements for:

...

  • LoA 1: Password authentication through SURFconext at the user's home IdP
  • LoA 2: LoA 1 + SMS, Tiqr or Azure MFA authentication
  • LoA 3: LoA 1 + YubiKey (hardware or FIDO2 token) authentication

Second Factor Only (SFO) authentication

With Second Factor Only (SFO) authentication, "Level" is used to indicate the authentication strength; LoA does not apply. There are two levels:

  • Level 2: SMS, Tiqr or Azure MFA authentication
  • Level 3: YubiKey (hardware or FIDO2 token) authentication

Level of assurance vs robustness of infrastructure

...

Several attributes provided by the IdP (e.g. first and last name, e-mail address) are validated during registration and identification. In theory a LoA could be assigned to these attributes, which in attribute-based access control scenarios could make authorization more reliable. There are, however, some arguments against doing this:

  • Mixing attributes with different LoAs is complex
  • There is no suitable way to express differing LoAs for attributes in SAML assertions
  • The registration process will be more complex

For these reasons, SURFsecureID focuses solely on the authentication LoA.

...