- the degree of confidence that data presented by a party in an access transaction accurately represents or describes that party,
- the degree of confidence that information used to represent a party in a digital identity record is correct.
Assurance is about the level of trust that can be placed in information presented during an access transaction. It is a function of the technology, processes, policy and practices in place to control the operational environment.
Assurance is a function of:
- the security of the channels over which an access transaction takes place,
- the quality of information produced by an identity provider or verification service.
In federated identity transactions, it is especially important to have standardised assurance levels, based on assessment criteria that are agreed and shared by all the identity and service providers within the federation. In that way, relying parties can tailor authorisations to the risks associated with the transaction.
Some approaches to assurance, for example the Kantara Assurance Framework, focus on the security of the communications channel and do not factor in the validity of identity binding at the time a digital identity record is created. As assurance is a function of trust, and identity binding establishes responsibility within a civil jurisdiction, controlling the validity of identity data at the point of creation can substantially increase assurance.