Identity assurance

...

Institutions and Service Providers that offer online services need to verify a user's identity to make sure only the right users are accessing the right information. That is why identity assurance is needed.

The classic paradigm for authentication systems identifies three factors as the cornerstones of authentication:

  • Something you know (for example, a password or a PIN);
  • Something you have (for example, a mobile phone or a token);
  • Something you are (for example, a fingerprint or other biometric data).

Multi-factor authentication refers to the use of more than one of the factors listed above. Generally, the use of multiple factors results in a higher level of assurance (LoA) about the user.

How identity assurance works

...

Once the identity provider has verified the user's identity, the user's registered token is activated. The user can then use the token as a secure means of signing in.

Assurance level standards

NIST (US), STORK (Europe) and ISO29115 are all international standards for identity assurance. SURFconext Strong Authentication is based on the concepts defined in ISO29115. The four commonly used levels of identity assurance for electronic transactions requiring authentication are:

LoA 1: Little or no confidence in the asserted identity
LoA 2: Some confidence in the asserted identity
LoA 3: High confidence in the asserted identity
LoA 4: Very high confidence in the asserted identity


The different specifications elaborate on the meaning of these labels by specifying requirements for:

  • the registration phase
  • the authentication token management phase
  • and the online authentication phase

The eventual assurance level is then determined through a combination of these aspects. The individual aspect with the lowest score will ultimately determine the applicable assurance level, on the principle that ‘the chain is only as strong as the weakest link’.
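The weakest-link rule above, written out as a small policy check. This is an added example and not SURFconext code; the AssuranceProfile structure, its three phase fields and the sample user are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assurance levels as described on this page (ISO 29115 style, 1 to 4).
LOA_LEVELS = {
    1: "Little or no confidence in the asserted identity",
    2: "Some confidence in the asserted identity",
    3: "High confidence in the asserted identity",
    4: "Very high confidence in the asserted identity",
}


@dataclass(frozen=True)
class AssuranceProfile:
    """Hypothetical per-phase assurance levels for one user.

    Each field holds the level (1-4) achieved in that phase, matching the
    three aspects named in the text: registration, token management and
    online authentication.
    """
    registration: int
    token_management: int
    authentication: int

    def phases(self) -> dict:
        return {
            "registration": self.registration,
            "token management": self.token_management,
            "online authentication": self.authentication,
        }


def effective_loa(profile: AssuranceProfile) -> tuple:
    """Weakest-link rule: the overall LoA is the lowest phase level.

    Returns (level, phase_name) so the limiting phase is visible to the
    operator, not just the resulting number.
    """
    for name, level in profile.phases().items():
        if level not in LOA_LEVELS:
            raise ValueError(f"invalid LoA {level!r} for phase {name}")
    name, level = min(profile.phases().items(), key=lambda kv: kv[1])
    return level, name


def meets_requirement(profile: AssuranceProfile, required: int) -> bool:
    """True if the user's effective LoA reaches the level a service requires."""
    if required not in LOA_LEVELS:
        raise ValueError(f"invalid required LoA {required!r}")
    level, _ = effective_loa(profile)
    return level >= required


if __name__ == "__main__":
    # Constructed sample: strong registration and token handling, weaker login.
    user = AssuranceProfile(registration=3, token_management=3, authentication=2)
    level, weakest = effective_loa(user)
    print(f"effective LoA {level} (limited by {weakest}): {LOA_LEVELS[level]}")
    print("grant access to a LoA 3 service:", meets_requirement(user, 3))
```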


Level of assurance requirements: risk based

Not all services need to know who their users are. For most services it is sufficient to know a user belongs to a certain institution, or 

Other services will need to be more confident that the user is indeed who he says he is; for example, if a user will be able to see privacy-sensitive information, or can edit data such as grades in student information systems or financial systems.

The required assurance level for a certain service can be estimated based on a number of criteria. These criteria all concern the importance of the data and the potential damage if it were to be obtained or modified by unauthorised users.

Each service will need to assess its risks to be able to decide what level of assurance is needed. SURF has published guidelines on how to make such a risk assessment. These guidelines are published here.

...