Dave Kearns provides the information you need to evaluate, install and maintain your corporate identity management system.
In one of the mailing lists I read (and I do read a ton of electronic bumpf in order to glean an enlightening paragraph or two), there's been a discussion lately of the phrase "Level of Assurance" (LoA) with at least one gentleman (well known in enterprise architecture circles, but who shall remain nameless here) trying to equate it with "trust" or even "level of trust" (a new coining, I think). So what does LoA really mean?
The problem with the definition of LoA results from its use in two related, but quite different, identity-based ceremonies.
(For our purposes, a "ceremony" is an identity-affected transaction: e.g., the login ceremony.)
We usually think of authentication as the basic ceremony but there is one that comes before it – the one variously called validation, verification or "vetting" (at least they all begin with "v"!). This is the process of examining documents and credentials – usually physical documents – before establishing the digital account for an entity. Take, for example, the process of opening a bank account. You present government-issued identity documents (driver's license, birth certificate, business license and so on) to an officer of the bank who examines them and assigns a number or grade to them. This is the Level of Assurance. Provided the LoA is above the minimum needed for the type of account you are opening, an identifier (i.e., bank account number) is assigned to you that you will use to access your account. A similar (but, perhaps, with shortcuts) process is used to establish your on-line account with your employer, school and so on.
This LoA is assigned once and never changed (unless new documents are presented).
There is a second use, though, of LoA and that's as part of the authentication ceremony, the login. Here LoA refers to the degree of certainty that a user indeed owns the credentials they are subsequently presenting to access a resource. This LoA can vary from login to login because, in essence, it's an assessment of the risk involved, which is determined by the context of the authentication ceremony (sometimes even before that ceremony; see "Making contextual judgments about access before authentication").
Context, the who, what, why, when, where and how of that ceremony are old friends to regular readers (see "Start-up measures users' trustworthiness for authentication into sites"). Gathering that data, analyzing and assessing it, then granting graded access (or authorization) based on that data is what many call "risk-based authorization." But this is also called LoA by some and is referred to (often informally) as "trust" or "level of trust." And that presents lots of opportunity for confusion.
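The two uses of LoA described above, kept as separate measures in working code. This is an added illustration, not code from the column or any product it mentions; the document weights, context signals and thresholds are constructed for the example.

```python
# Proofing LoA: assigned once when documents are examined at enrolment and
# only changed if new documents are presented. Weights are constructed.
DOCUMENT_WEIGHTS = {
    "passport": 3,
    "drivers_license": 2,
    "birth_certificate": 2,
    "utility_bill": 1,
}


def vetting_loa(documents):
    """Grade the presented documents into a proofing LoA from 1 to 4."""
    score = sum(DOCUMENT_WEIGHTS.get(d, 0) for d in documents)
    if score >= 5:
        return 4
    if score >= 3:
        return 3
    if score >= 1:
        return 2
    return 1


def login_loa(context):
    """Per-login assurance from the who/what/when/where/how of the ceremony.

    Unlike the proofing LoA, this is recomputed on every login because it is
    really a risk assessment of the current context.
    """
    level = 1
    if context.get("second_factor"):   # credential beyond a password
        level += 1
    if context.get("known_device"):    # device previously seen for this account
        level += 1
    if context.get("geo_anomaly"):     # location inconsistent with history
        level -= 1
    return max(1, min(4, level))


def decide(proofing_loa, context, min_proofing, min_login):
    """Graded access: the two LoAs are checked independently, never merged."""
    if proofing_loa < min_proofing:
        return "deny"        # the account was never vetted highly enough
    dynamic = login_loa(context)
    if dynamic >= min_login:
        return "full"
    if dynamic >= min_login - 1:
        return "limited"     # e.g. read-only until a stronger login
    return "deny"
```

Running `decide` twice for the same account with different contexts shows the point of the column: the proofing LoA never moves, while the login LoA does.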
Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.
Comments (3)
Isn't it all risk-based
By Anonymous on June 8, 2009, 2:00 pm
Dave, I almost always agree with you but isn't this all about risk-management? Establishing 1st trust is a difficult operational challenge where you need to balance...
risks and other funny things
By tuomoks on June 8, 2009, 4:26 pm
Anonymous brings a good question which is often forgotten? I would leave the cost out but today when IT is more a commodity than a managed business function I probably...
Level of Assurance - LoA101
By Anonymous on July 8, 2009, 3:12 am
I believe you're unnecessarily complicating things, Dave, by trying to rename and redefine the issue. I've said it numerous times before, for years past. I've...