The SURFsecureID gateway supports three levels of assurance (LoA):

LoA 1: Only password authentication
LoA 2: LoA 1 + SMS or Tiqr authentication
LoA 3: LoA 1 + YubiKey (hardware token) authentication

Each LoA is assigned to a identifier:

	Pilot (test)	Production
LoA 1	`http://pilot.surfconext.nl/assurance/loa1`	http://surfconext.nl/assurance/loa1
LoA 2	`http://pilot.surfconext.nl/assurance/loa2`	http://surfconext.nl/assurance/loa2
LoA 3	`http://pilot.surfconext.nl/assurance/loa3`	http://surfconext.nl/assurance/loa3

These identifiers are used to communicate the strength of authentication between the SURFsecureID gateway and the Service Provider. The actual method of authentication (e.g. SMS + password) at the institutional IdP is not communicated.

The SURFsecureID gateway will report the LoA at which authentication was performed to the SP in a AuthnContextClassRef element in a AuthenticationContext in the SAML Assertion.
A SP may request authentication at a specific LoA by specifying the identifier in a AuthnContextClassRef element in a RequestedAuthnContext in a SAML AuthnRequest. See SAML message examples for an example AuthnRequest that requests authentication at a specific LoA.

Second Factor Only (SFO) authentication

With Second Factor Only (SFO) Authentication "level" is used to indicate the authentication strength:

Level 2: SMS or Tiqr authentication
Level 3: YubiKey (hardware token) authentication

The following identifiers are used:

	Pilot (test)	Production
Level 2	http://pilot.surfconext.nl/assurance/sfo-level2	http://surfconext.nl/assurance/sfo-level2
Level 3	http://pilot.surfconext.nl/assurance/sfo-level3	http://surfconext.nl/assurance/sfo-level3