Levels of Authentication Assurance: an Investigation

The ES-LoA project, funded by the UK Joint Information Systems Committee (JISC) under its e- Infrastructure Security Programme, investigates current and future needs among UK research and education community for a more fine-grained authorisation scheme that would allow service providers to take into account of the levels of confidence in identifying a remote entity requesting for service access. Such a fine-grained authorisation scheme is attractive to service providers offering resources with varying levels of sensitivity and/or wishing to tailor their security protections based upon risk levels. Service providers may wish to restrict access to more sensitive resources only to those who have gone through a more stringent authentication process, or given the same remote entity, require the use of a stronger authentication token should the access request come from a more risky environment. In this way, the quality of an authentication instance, expressed as an authentication Level of Assurance (LoA), becomes one of the parameters used in access control decision making. This paper investigates the current worldwide efforts in defining LoA and identifies gaps in existing definitions when they are applied to a federated environment.