There are several international standards for identity assurance, like NIST (US), STORK (Europe) and ISO29115. SURFsecureID (formerly SURFconext Strong Authentication) is based on ISO29115. The four levels of identity assurance commonly used are:


To express the strength of authentication and the identity of the user, an assurance framework as described in ISO/IEC 29115 is used (similar to NIST Special Publication 800-63-1). The SURFsecureID gateway supports three levels of assurance:


Both control measures are required to fulfill the requirements for LoA2 and LoA3 and are already in place in SURFsecureID.

Level of assurance vs attributes

SURFsecureID solely focuses on authentication LoA. No LoA is assigned to the attributes of the user's identity.

Several attributes provided by the IdP (e.g. first and last name, e-mail address) will be validated during registration and identification. In theory a LoA could be assigned to these attributes, which in attribute-based access control scenarios could make authorization more reliable. There are, however, some arguments against doing this:

  • Mixing attributes with different LoAs is complex
  • There is no suitable way to express differing LoAs for attributes in SAML assertions
  • The registration process will be more complex

Because of these arguments, SURFsecureID solely focuses on authentication LoA.