An assurance level is a measure of the veracity of information representing an identity.
Assurance levels are assigned to identity records and access control models according to predefined schema.
Assurance levels are a classification of the risk of accepting information presented in a transaction. Like all risk assessments they are a function of the probability of misrepresentation, and the severity of the effect fraudulent or otherwise inaccurate information may have.
Once established, assurance levels allow service providers and other relying parties to decide whether to grant an access request and at what level of authorisation.
The Kantara Identity Assurance Framework defines four levels of assurance.
Minimal confidence the asserted digital identity is accurate.
A PIN or username and password is sufficient to establish AL1.
AL1 is suitable when no negative consequences result from erroneous authentication.
For example AL1 is sufficient to safely allow self-registration for access to a public web site, or registration of interest in a customer relationship management business system.
Some confidence the asserted digital identity is accurate.
Single factor authentication and proven control of the security token by the authentication protocol will establish AL2.
AL2 is suitable when a moderate risk of erroneous identification is acceptable.
For example, AL2 is sufficient for providing the ability for a user to change their own address where information that may be sent to that address is not of a highly confidential nature.
High confidence the asserted digital identity is accurate.
Multi-factor authentication and and the use of cryptographic authentication protocols will establish AL3
AL3 is suitable when a substantial risk is associated with erroneous identification.
For example AL3 is suitable for authorising access to a service that would allow the exchange of commercial in confidence documents between organisation.
Very high confidence the asserted digital identity is accurate.
This level provides remote-network authentication assurance, based on proof of possession of a key through a cryptographic protocol. Only hard cryptographic tokens are allowed.
AL4 is suitable for situations where risk associated with erroneous identification are unacceptable.
For example AL4 is suitable for authorising access to law enforcement databases by police, or to medical records by authorised clinicians.