Levels of assurance (LOAs)

A level of (identity) assurance is the certainty with which a claim to a particular identity during authentication can be trusted to actually be the claimant's “true” identity. Higher levels of assurance reduce the risk of a fraudulent identity and increase the security of transactions, but also can increase the cost and inconvenience to ID holders and relying parties, which could lead to exclusion. It is therefore imperative that practitioners consider the varying requirements of different use cases with respect to LOA. For example, biometric-based authentication is likely to be inappropriate for use across all use cases because some transactions (e.g., scheduling a medical appointment through a website) carry less risk.

Assurance levels depend on the strength of the Identity proofing process and the types of credentials and authentication mechanisms used during a transaction. For identity proofing, the level of assurance depends on the method of identification (e.g., in-person vs. remote), the attributes collected, and the degree of certainty with which those attributes are verified (e.g., through cross-checks and deduplication). For authentication, the level of assurance depends on the type of credential(s), the number of authentication factors used (i.e., one vs. multiple), and the cryptographic strength of the transaction.

Both eIDAS (EU 2015) and ISO/IEC 29115 have developed standards to classify levels of assurance based on these processes and technologies.1 In addition, recent guidelines from the U.S. National Institute of Standards and Technology (NIST) (NIST 800-63-3) have adapted this framework to separate out assurance levels for identity proofing (“identity assurance level" or IAL) and for authentication (“authenticator assurance level” or AAL), as shown in Box 39. In addition, the NIST framework distinguishes levels of assurance for the assertion of identity in a federated environment (“federated assurance level” or FAL). While many systems will have the same level for each, practitioners can also select IAL, AAL, and FALs as distinct options, depending on the system requirements.

Box 39. NIST levels of assurance for digital ID

Identity proofing LOAs:

  • IAL1: Attributes, if any, are self-asserted or should be treated as self-asserted; there is no proofing process.

  • IAL2: Either remote or in-person identity proofing is required using, at a minimum, the procedures given in SP 800-63A.

  • IAL3: In-person or supervised-remote identity proofing is required. Identifying attributes must be verified through examination of physical documentation as described in SP 800-63A.

Authentication LOAs:

  • AAL1: Provides some assurance that the claimant controls an authenticator registered to the user. AAL1 requires single-factor authentication using a wide range of available authentication technologies. Successful authentication requires that the claimant prove possession and control of the authenticator through a secure authentication protocol.

  • AAL2: Provides high confidence that the claimant controls authenticator(s) registered to the user. In order to authenticate at AAL2, claimants must prove possession and control of two distinct authentication factors through secure authentication protocol(s). Approved cryptographic techniques are required.

  • AAL3: Provides very high confidence that the claimant controls authenticator(s) registered to the user. Authentication at AAL3 is based on proof of possession of a key through a cryptographic protocol. AAL3 is like AAL2 but also requires a “hard” cryptographic authenticator that provides verifier impersonation resistance.

Federation LOAs:

  • FAL1: Permits the relying party to receive a bearer assertion from an identity provider. The identity provider must sign the assertion using approved cryptography.

  • FAL2: Adds the requirement that the assertion be encrypted using approved cryptography such that the relying party is the only party that can decrypt it.

  • FAL3: Requires the user to present proof of possession of a cryptographic key reference to in the assertion and the assertion artifact itself. The assertion must be signed using approved cryptography and encrypted to the relying party using approved cryptography.

Source: NIST SP 800-63-3

The LOAs selected depend on the use case; some sectors and types of transactions will require higher levels of assurance than others. For example, changing an address may rely on a lower level of assurance than changing a password. Financial and health services often require a higher level of assurance than others due to the sensitivity of the data that is collected and maintained in those systems. Ideally, the ID system’s authentication architecture will be able to provide multiple levels of assurance appropriate to different use cases (see Table 35 for examples).

Table 35. Example levels of assurance

  Low (level1) Substantial (level2) High (level3)
Identity assurance level (IAL) Self-asserted identity (e.g., email account creation on web), no collection, validation or verification of evidence. Remote or in-person identity proofing (e.g., provide credential document for physical or backend verification with authoritative source), address verification required, biometric collection optional In-person (or supervised remote) identity proofing, collection of biometrics and address verification mandatory.
Authentication assurance level (AAL) At least 1 authentication factor—something you have, know, or are (e.g., password or PIN) At least 2 authentication factors (e.g., a token with a password or PIN) At least two different categories of authentication factors and protection against duplication and tampering by attackers with high attack potential (e.g., embed cryptographic key material in tamper-resistant hardware token + PIN, biometrics with liveness detection + PIN/smart card)
Federation Assurance Level (FAL) Permits the relying party to receive a bearer assertion from an identity provider. The identity provider must sign the assertion using approved cryptography FAL1 + encryption of assertion using approved cryptography FAL2 + user to present proof of possession of a cryptographic key reference in the assertion
Level of risk taken by relying party mitigated low minimal

The selection of LOAs—and the identity proofing processes, types of credentials, and authentication mechanisms that enable them—should be based on a number of factors. including:

  • The likelihood of a failure, breach, or unauthorized release of sensitive information

  • The risk to individuals, institutions, programs, public interest if a failure or breach occurs—i.e., based on the level of sensitivity of the service/information and the expected level of harm

  • The convenience and inclusivity of the identity proofing and authentication processes, as higher LOAs could increase the likelihood of exclusion errors.

LOAs are particularly important for federation and mutual recognition across borders, where an ID system must meet a particular level of assurance in order to qualify for recognition for a given purpose.

[1] The eIDAS framework is intended to be a reference for mapping EU ID systems for mutual recognition, rather than an implementation standard. Note also that ISO/IEC 29115 is in the process of being updated and the standards may shift.