The SURFsecureID gateway supports three levels of assurance (LoA):
- LoA 1: Only password authentication
- LoA 2: LoA 1 + SMS or Tiqr authentication
- LoA 3: LoA 1 + YubiKey (hardware token) authentication
Each LoA is assigned to a identifier and is different for type of environment used:
| Test | Pilot | Production | |
|---|---|---|---|
| LoA 1 | http://test.surfconext.nl/assurance/loa1 | | http://surfconext.nl/assurance/loa1 |
| LoA 2 | http://test.surfconext.nl/assurance/loa2 | http://pilot.surfconext.nl/assurance/loa2 | http://surfconext.nl/assurance/loa2 |
| LoA 3 | http://test.surfconext.nl/assurance/loa3 | http://pilot.surfconext.nl/assurance/loa3 | http://surfconext.nl/assurance/loa3 |
These identifiers are used to communicate the strength of authentication between the SURFsecureID gateway and the Service Provider. The actual method of authentication (e.g. SMS + password) at the institutional IdP is not communicated.
- The SURFsecureID gateway will report the LoA at which authentication was performed to the SP in a
AuthnContextClassRefelement in aAuthenticationContextin the SAMLAssertion. - A SP may request authentication at a specific LoA by specifying the identifier in a
AuthnContextClassRefelement in aRequestedAuthnContextin a SAMLAuthnRequest. See SAML message examples for an exampleAuthnRequestthat requests authentication at a specific LoA.
Second Factor Only (SFO) authentication
With Second Factor Only (SFO) Authentication "level" is used to indicate the authentication strength:
- Level 2: SMS or Tiqr authentication
- Level 3: YubiKey (hardware token) authentication
The following identifiers are used:
| Test | Pilot | Production | |
|---|---|---|---|
| Level 2 | http://test.surfconext.nl/assurance/sfo-level2 | http://pilot.surfconext.nl/assurance/sfo-level2 | http://surfconext.nl/assurance/sfo-level2 |
| Level 3 | http://test.surfconext.nl/assurance/sfo-level3 | http://pilot.surfconext.nl/assurance/sfo-level3 | http://surfconext.nl/assurance/sfo-level3 |