The foundation for security and enterprise management
In one of the mailing lists I read (and I do read a ton of electronic bumpf in order to glean an enlightening paragraph or two), there's been a discussion lately of the phrase "Level of Assurance" (LoA) with at least one gentleman (well known in enterprise architecture circles, but who shall remain nameless here) trying to equate it with "trust" or even "level of trust" (a new coining, I think). So what does LoA really mean?
The problem with the definition of LoA arises from its use in two related, but quite different, identity-based ceremonies.
<aside> For our purposes, a "ceremony" is an identity-affected transaction: e.g., the login ceremony </aside>
We usually think of authentication as the basic ceremony, but there is one that comes before it – the one variously called validation, verification or "vetting" (at least they all begin with "v"!). This is the process of examining documents and credentials – usually physical documents – before establishing the digital account for an entity. Take, for example, the process of opening a bank account. You present government-issued identity documents (driver's license, birth certificate, business license and so on) to an officer of the bank who examines them and assigns a number or grade to them. This is the Level of Assurance. Provided the LoA is above the minimum needed for the type of account you are opening, an identifier (i.e., bank account number) is assigned to you that you will use to access your account. A similar process (perhaps with some shortcuts) is used to establish your on-line account with your employer, school and so on.
This LoA is assigned once and never changed (unless new documents are presented).
There is a second use, though, of LoA and that's as part of the authentication ceremony, the login. Here LoA refers to the degree of certainty that a user indeed owns the credentials they are subsequently presenting to access a resource. This LoA can vary from login to login because, in essence, it's an assessment of the risk involved, which is determined by the context of the authentication ceremony (sometimes even before that ceremony; see "Making contextual judgments about access before authentication").
Context (the who, what, why, when, where and how of that ceremony) is an old friend to regular readers (see "Start-up measures users' trustworthiness for authentication into sites"). Gathering that data, analyzing and assessing it, then granting graded access (or authorization) based on that data is what many call "risk-based authorization." But this is also called LoA by some and is referred to (often informally) as "trust" or "level of trust." And that presents lots of opportunity for confusion.
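As an added illustration (not code from the column or any standard), here is how the two notions stay separate in an access decision: a vetting LoA that is graded once from the documents presented at enrolment, and a per-login risk score computed from the context of each authentication ceremony. The document weights, context signals and thresholds are constructed assumptions.

```python
"""Two different "Level of Assurance" notions kept apart in code (added example)."""
from dataclasses import dataclass, field

# Vetting ("v" event): points per examined document. Constructed values, not a standard.
DOCUMENT_POINTS = {"passport": 3, "drivers_license": 2, "birth_certificate": 2, "utility_bill": 1}


def vetting_loa(documents):
    """Grade the enrolment documents once; the result is fixed for the account (0..3)."""
    points = sum(DOCUMENT_POINTS.get(d, 0) for d in documents)
    if points >= 5:
        return 3
    if points >= 3:
        return 2
    return 1 if points >= 1 else 0


@dataclass
class Account:
    identifier: str
    vetting_loa: int                      # assigned at enrolment, never recomputed at login
    known_devices: set = field(default_factory=set)
    home_country: str = "US"


@dataclass
class LoginContext:
    device_id: str
    country: str
    hour: int                             # local hour of the login attempt, 0..23
    mfa_passed: bool


def context_risk(account, ctx):
    """Per-login risk: how unsure we are that the presenter owns the credentials (constructed weights)."""
    risk = 0
    risk += 2 if ctx.device_id not in account.known_devices else 0   # unfamiliar device
    risk += 2 if ctx.country != account.home_country else 0          # unusual location
    risk += 1 if not 6 <= ctx.hour <= 22 else 0                      # off-hours login
    risk += 2 if not ctx.mfa_passed else 0                           # single factor only
    return risk


def decide(account, ctx, required_vetting, max_risk):
    """Grant only if the fixed enrolment grade meets the resource's floor AND this login's risk is acceptable."""
    if account.vetting_loa < required_vetting:
        return "deny: vetting LoA below minimum for this resource"
    if context_risk(account, ctx) > max_risk:
        return "step-up: login context too risky"
    return "grant"
```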
I would like to ask you all to reserve the phrase Level of Assurance for the "v" event (validation, verification or "vetting") and use either risk-based or context-based for the authentication and authorization events (RBAC or CBAC, where "AC" means Access Control). It's always easier when we all speak the same language!
Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.