Levels of assurance (LOAs)
A level of (identity) assurance is the certainty with which a claim to a particular identity during authentication can be trusted to actually be the claimant's “true” identity. Higher levels of assurance reduce the risk of a fraudulent identity and increase the security of transactions, but also can increase the cost and inconvenience to ID holders and relying parties, which could lead to exclusion. It is therefore imperative that practitioners consider the varying requirements of different use cases with respect to LOA. For example, biometric-based authentication is likely to be inappropriate for use across all use cases because some transactions (e.g., scheduling a medical appointment through a website) carry less risk.
Assurance levels depend on the strength of the Identity proofing process and the types of credentials and authentication mechanisms used during a transaction. For identity proofing, the level of assurance depends on the method of identification (e.g., in-person vs. remote), the attributes collected, and the degree of certainty with which those attributes are verified (e.g., through cross-checks and deduplication). For authentication, the level of assurance depends on the type of credential(s), the number of authentication factors used (i.e., one vs. multiple), and the cryptographic strength of the transaction.
Both eIDAS (EU 2015) and ISO/IEC 29115 have developed standards to classify levels of assurance based on these processes and technologies.1 In addition, recent guidelines from the U.S. National Institute of Standards and Technology (NIST) (NIST 800-63-3) have adapted this framework to separate out assurance levels for identity proofing (“identity assurance level" or IAL) and for authentication (“authenticator assurance level” or AAL), as shown in Box 39. In addition, the NIST framework distinguishes levels of assurance for the assertion of identity in a federated environment (“federated assurance level” or FAL). While many systems will have the same level for each, practitioners can also select IAL, AAL, and FALs as distinct options, depending on the system requirements.
Box 39. NIST levels of assurance for digital ID
Identity proofing LOAs:
Source: NIST SP 800-63-3
The LOAs selected depend on the use case; some sectors and types of transactions will require higher levels of assurance than others. For example, changing an address may rely on a lower level of assurance than changing a password. Financial and health services often require a higher level of assurance than others due to the sensitivity of the data that is collected and maintained in those systems. Ideally, the ID system’s authentication architecture will be able to provide multiple levels of assurance appropriate to different use cases (see Table 35 for examples).
Table 35. Example levels of assurance
|Low (level1)||Substantial (level2)||High (level3)|
|Identity assurance level (IAL)||Self-asserted identity (e.g., email account creation on web), no collection, validation or verification of evidence.||Remote or in-person identity proofing (e.g., provide credential document for physical or backend verification with authoritative source), address verification required, biometric collection optional||In-person (or supervised remote) identity proofing, collection of biometrics and address verification mandatory.|
|Authentication assurance level (AAL)||At least 1 authentication factor—something you have, know, or are (e.g., password or PIN)||At least 2 authentication factors (e.g., a token with a password or PIN)||At least two different categories of authentication factors and protection against duplication and tampering by attackers with high attack potential (e.g., embed cryptographic key material in tamper-resistant hardware token + PIN, biometrics with liveness detection + PIN/smart card)|
|Federation Assurance Level (FAL)||Permits the relying party to receive a bearer assertion from an identity provider. The identity provider must sign the assertion using approved cryptography||FAL1 + encryption of assertion using approved cryptography||FAL2 + user to present proof of possession of a cryptographic key reference in the assertion|
|Level of risk taken by relying party||mitigated||low||minimal|
The selection of LOAs—and the identity proofing processes, types of credentials, and authentication mechanisms that enable them—should be based on a number of factors. including:
The likelihood of a failure, breach, or unauthorized release of sensitive information
The risk to individuals, institutions, programs, public interest if a failure or breach occurs—i.e., based on the level of sensitivity of the service/information and the expected level of harm
The convenience and inclusivity of the identity proofing and authentication processes, as higher LOAs could increase the likelihood of exclusion errors.
LOAs are particularly important for federation and mutual recognition across borders, where an ID system must meet a particular level of assurance in order to qualify for recognition for a given purpose.
 The eIDAS framework is intended to be a reference for mapping EU ID systems for mutual recognition, rather than an implementation standard. Note also that ISO/IEC 29115 is in the process of being updated and the standards may shift.