eIDAS Levels of Assurance (LoA)
What is a level of assurance?
The term “level of assurance” refers to the degree of confidence in the claimed identity of a person – how certain a service provider can be that it really is you using your eID to authenticate to its service, and not someone else pretending to be you. Put another way, it reflects how difficult it would be for someone to use another person’s eID to access an online service.
The level of assurance of an eID scheme is determined by taking into account several elements, such as:
- The process of obtaining the eID, known as “enrolment”: for instance, did one have to show a biometric passport to obtain one’s eID, or was it sufficient to show only a paper identity document?
- How the eID means is designed and managed: for instance, how many authentication factors are needed to authenticate (is a password sufficient, or is a physical token that one possesses also required?)
- How authentication is performed: for instance, what security controls are in place for the verification of the eID means?
What levels of assurance are there?
The three levels of assurance are as follows:
- Low: for instance, enrolment is performed by self-registration in a web-page, without any identity verification;
- Substantial: for instance, enrolment is performed by providing and verifying identity information, and authentication by using a username and password together with a one-time password sent to your mobile phone;
- High: for instance, enrolment is performed by registering in person in an office, and authentication by using a smartcard, like a National ID Card.
Why does this matter?
Service providers require the eID used to authenticate to their service to be of a certain level of assurance, depending on the sensitivity of the information they manage. For instance, if a given tax authority requires a high level of assurance, you will not be able to authenticate using an eID with a low or substantial level of assurance: the tax authority will not be confident enough that you are the one trying to authenticate.
By contrast, your mobile network provider is likely to request a low or substantial level of assurance, simply because the information you can access after authenticating is less sensitive than in the case of the tax authorities.
Note that an eID with a high level of assurance can be used to authenticate to service providers requiring any level of assurance.
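As an added illustration (not part of the original page), this is how a service provider might enforce the matching rule described above: the asserted level must be at least the required one, a high-level eID passes any check, and anything that is not one of the three eIDAS levels is refused rather than silently treated as “low”. The LoA identifiers are the ones carried in eIDAS SAML assertions; they and the function names are assumptions, not taken from this page.

```python
from enum import IntEnum
from typing import Optional


class LoA(IntEnum):
    """eIDAS levels, ordered so a larger value means more confidence."""
    LOW = 1
    SUBSTANTIAL = 2
    HIGH = 3


# eIDAS SAML AuthnContextClassRef identifiers for the three levels
# (assumption: the IdP / eIDAS node asserts exactly one of these).
LOA_URIS = {
    "http://eidas.europa.eu/LoA/low": LoA.LOW,
    "http://eidas.europa.eu/LoA/substantial": LoA.SUBSTANTIAL,
    "http://eidas.europa.eu/LoA/high": LoA.HIGH,
}


def parse_loa(authn_context: str) -> Optional[LoA]:
    """Map an asserted context to a level; None for anything unknown.

    Returning None instead of defaulting to LOW lets the caller fail
    closed on a non-eIDAS or misspelt identifier.
    """
    return LOA_URIS.get(authn_context.strip())


def loa_satisfies(asserted: Optional[LoA], required: LoA) -> bool:
    """Asserted level meets or exceeds the requirement (HIGH meets all)."""
    return asserted is not None and asserted >= required


def authorize(authn_context: str, required: LoA) -> str:
    """Decision a service provider would record for one login attempt."""
    asserted = parse_loa(authn_context)
    if asserted is None:
        return "REJECT: unrecognised level of assurance"
    if not loa_satisfies(asserted, required):
        return f"REJECT: {asserted.name} is below required {required.name}"
    return f"ACCEPT: {asserted.name} meets required {required.name}"


if __name__ == "__main__":
    # Tax authority requiring HIGH vs. a substantial eID; a high eID at a
    # mobile operator asking for LOW; a plain password context (not eIDAS).
    print(authorize("http://eidas.europa.eu/LoA/substantial", LoA.HIGH))
    print(authorize("http://eidas.europa.eu/LoA/high", LoA.LOW))
    print(authorize("urn:oasis:names:tc:SAML:2.0:ac:classes:Password", LoA.LOW))
```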