A level of (identity) assurance is the certainty with which a claim to a particular identity during authentication can be trusted to actually be the claimant's “true” identity. Higher levels of assurance reduce the risk of a fraudulent identity and increase the security of transactions, but also can increase the cost and inconvenience to ID holders and relying parties, which could lead to exclusion. It is therefore imperative that practitioners consider the varying requirements of different use cases with respect to LOA. For example, biometric-based authentication is likely to be inappropriate for use across all use cases because some transactions (e.g., scheduling a medical appointment through a website) carry less risk.

Assurance levels depend on the strength of the identity proofing process and the types of credentials and authentication mechanisms used during a transaction. For identity proofing, the level of assurance depends on the method of identification (e.g., in-person vs. remote), the attributes collected, and the degree of certainty with which those attributes are verified (e.g., through cross-checks and deduplication). For authentication, the level of assurance depends on the type of credential(s), the number of authentication factors used (i.e., one vs. multiple), and the cryptographic strength of the transaction.

Both eIDAS (EU 2015) and ISO/IEC 29115 have developed standards to classify levels of assurance based on these processes and technologies. In addition, recent guidelines from the U.S. National Institute of Standards and Technology (NIST) (NIST 800-63-3) have adapted this framework to separate out assurance levels for identity proofing (“identity assurance level” or IAL) and for authentication (“authenticator assurance level” or AAL), as shown in Box 39. In addition, the NIST framework distinguishes levels of assurance for the assertion of identity in a federated environment (“federated assurance level” or FAL). While many systems will have the same level for each, practitioners can also select IAL, AAL, and FALs as distinct options, depending on the system requirements.

Box 39.

IAL1: Attributes, if any, are self-asserted or should be treated as self-asserted; there is no proofing process.

IAL2: Either remote or in-person identity proofing is required using, at a minimum, the procedures given in SP 800-63A.

IAL3: In-person or supervised-remote identity proofing is required. Identifying attributes must be verified through examination of physical documentation as described in SP 800-63A.

AAL1: Provides some assurance that the claimant controls an authenticator registered to the user. AAL1 requires single-factor authentication using a wide range of available authentication technologies.