Saturday, February 9, 2019

What is Level of Assurance?

An entity can be a person, a server, a client, and so on. We need secure and standard ways to perform entity authentication.



To fulfil that requirement, the International Standard defines a framework for managing entity authentication assurance in a given context, named the Entity Authentication Assurance Framework (EAAF). It specifies four Levels of Assurance (LoA):


  • Level of Assurance 1 (LoA1)
  • Level of Assurance 2 (LoA2)
  • Level of Assurance 3 (LoA3)
  • Level of Assurance 4 (LoA4)


Each level of assurance describes the degree of confidence in the authentication process. Confidence increases from LoA1 to LoA4, so LoA4 is the highest level of assurance and LoA1 the lowest.

Level of Assurance 1 (LoA1)


LoA1 provides minimal confidence in the asserted identity of the entity. It is used when minimal risk is associated with the authentication process.

Example for LoA1


A learning management system that requires registration to access study materials and documentation. Here the user logs in with a self-registered username and password to access the resources.

Level of Assurance 2 (LoA2)


LoA2 provides some confidence in the asserted identity of the entity. It is used when moderate risk is associated with the authentication process. Successful authentication depends on the entity proving, through a secure authentication protocol, that it has control of the credential.


Example for LoA2


Whenever you sign in to your Google account, you first enter your password. If the password is correct, a code is sent to your phone via text, and you need to enter that code to log in to your account. With this 2-Step Verification you protect your account with something you know (your password) and something you have (your phone).

Level of Assurance 3 (LoA3)


LoA3 provides high confidence in the asserted identity of the entity. It is used when substantial risk is associated with the authentication process. LoA3 requires multi-factor authentication, so the authentication process consists of an account-based credential plus additional verification. LoA3 is used to protect sensitive data, online bank accounts, etc.

Example for LoA3


With an iPhone 6, iPhone 6 Plus or later, a user can make a purchase in the App Store using Touch ID on the iPhone.

Level of Assurance 4 (LoA4)


LoA4 provides very high confidence in the asserted identity of the entity. It is used when high risk is associated with the authentication process. LoA4 is similar to LoA3, but adds the requirements of in-person identity proofing for human entities and the use of tamper-resistant hardware devices for the storage of all secret or private cryptographic keys.

At LoA4, digital certificates may be used to authenticate non-person entities (such as laptops, mobile phones and fax machines) and other devices connected to a network.

Example for LoA4


A smartphone enrolment process may require the deployment of digital certificates to the smartphone.

Summary


Selection of the appropriate LoA is based on a risk assessment, so you have to consider which kinds of entities will be authenticated in the authentication process. The levels of assurance can be summarised as follows:

LoA1 :-
        Something you know (e.g. password, PIN)
LoA2 :-
        Something you have (e.g. ATM card, smart card, RFID)
LoA3 :-
        Something you are (e.g. a biometric characteristic such as a fingerprint)
LoA4 :-
        In-person identity proofing in addition to LoA3
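As an added illustration of how such a mapping is enforced at access-control time (this is example code written for this article, not code from the post or from the X.1254 text; the level rules and the four sample contexts are simplified assumptions taken from the summary above, so the real standard has further requirements):

```python
from dataclasses import dataclass

# Factor categories from the summary table above.
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"


@dataclass(frozen=True)
class AuthContext:
    """How an entity was enrolled and how it authenticated (constructed input)."""
    factors: frozenset                  # subset of {KNOWLEDGE, POSSESSION, INHERENCE}
    in_person_proofed: bool = False     # identity verified face to face at enrolment
    hardware_key_storage: bool = False  # private key held in tamper-resistant hardware


def achieved_loa(ctx: AuthContext) -> int:
    """Return the highest LoA (0-4) the context satisfies.

    Assumed rules (the post's simplified mapping): LoA1 = a single factor such as a
    password; LoA2 = that plus something you have; LoA3 = multi-factor including
    something you are; LoA4 = LoA3 plus in-person proofing and hardware key storage.
    """
    f = ctx.factors
    if not f:
        return 0
    level = 1
    if POSSESSION in f and len(f) >= 2:
        level = 2
    if INHERENCE in f and len(f) >= 2:
        level = 3
    if level == 3 and ctx.in_person_proofed and ctx.hardware_key_storage:
        level = 4
    return level


def authorize(ctx: AuthContext, required_loa: int) -> tuple[bool, int]:
    """Allow access only if the achieved LoA meets the resource's required LoA.

    Returns (allowed, shortfall); a non-zero shortfall tells the caller how many
    levels of step-up authentication (or re-enrolment, for LoA4) are still needed.
    """
    have = achieved_loa(ctx)
    return have >= required_loa, max(0, required_loa - have)


# Constructed contexts mirroring the post's four examples.
LMS_LOGIN = AuthContext(frozenset({KNOWLEDGE}))               # self-registered password
GOOGLE_2SV = AuthContext(frozenset({KNOWLEDGE, POSSESSION}))  # password + SMS code
TOUCH_ID = AuthContext(frozenset({POSSESSION, INHERENCE}))    # phone + fingerprint
CERT_PHONE = AuthContext(frozenset({POSSESSION, INHERENCE}),  # in-person proofed device cert
                         in_person_proofed=True, hardware_key_storage=True)
```

Note that in-person proofing alone does not raise the level: a proofed user who signs in with only a password still gets LoA1, which is why `authorize` reports a shortfall rather than trusting the enrolment record.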


Source - Text for ITU-T Recommendation X.1254 | ISO/IEC DIS 29115 -- Information technology – Security techniques – Entity authentication assurance framework
