Overview#

Level Of Assurance (LOA) refers to the degree of Assurance that:

Specific Specification for Level Of Assurance#

Level Of Assurance is a generic term, so context is required for any formal discussion: it may refer to any of the following Specifications:

Level Of Assurance Changes#

The Level Of Assurance concept comes from OMB M-04-04, E-Authentication Guidance for Federal Agencies, issued in 2003; NIST.SP.800-63 is the document that provides the technical requirements for the four levels M-04-04 defined. A major goal of NIST.SP.800-63-3, the third iteration, is to rework Level Of Assurance so that the concept is more meaningful for modern identity processes in both government and the private sector.

Specifically, the new draft decouples the LOA into component parts (Identity Assurance Level, Authenticator Assurance Level and Federation Assurance Level), so that instead of a single blanket number (e.g. LOA 3) a system can be rated one, two or three for one facet and at a different level for another.

Vectors of Trust#

Vectors of Trust is an IETF effort to define a more interoperable expression of Level Of Assurance, carrying the separate facets as components of a vector rather than as one number.

ISO 29115 Level Of Assurance#

ISO/IEC 29115 (Entity authentication assurance framework) defines another four-level form of Level Of Assurance.

Traditional Level Of Assurance#

This is based on the NIST.SP.800-63 / M-04-04 Level of Assurance (LOA), which NIST.SP.800-63-3 replaced with the separate Identity Assurance Level (IAL, defined in NIST.SP.800-63A), Authenticator Assurance Level (AAL, NIST.SP.800-63B) and Federation Assurance Level (FAL, NIST.SP.800-63C). We feel the traditional LOA still represents a good real-world guide to build upon.

The required level of certainty, or Trust, at both ends of a transaction should be driven by a risk assessment based on the value of the Protected Resource being accessed.

Maximum Potential Impact of Event for each Assurance Level#

Balancing the Level of Assurance against the Risk Assessment is complex; however, it must be simplified enough that decisions can be made in a reasonable time.

A Data Classification assessment is required to properly determine the sensitivity of the data being accessed, which in turn drives the "unauthorized release of sensitive information" row below.

Below is a sample of a Risk Assessment for an organization.

| Impact of Authentication Error | LOA 1 | LOA 2 | LOA 3 | LOA 4 |
|---|---|---|---|---|
| Confidence in the asserted identity | Little or no confidence exists in the asserted identity; usually self-asserted, essentially a persistent identifier | Confidence exists that the asserted identity is accurate; used frequently for self-service applications | High confidence in the asserted identity's accuracy; used to access restricted data | Very high confidence in the asserted identity's accuracy; used to access highly restricted data |
| Potential damage to reputation | Low | Moderate | Moderate | High |
| Potential financial loss or liability | Low | Moderate | Moderate | High |
| Potential for unauthorized release of sensitive information | N/A | Low | Moderate | High |
| Potential civil (or criminal) violations, e.g. out of compliance with regulatory rules | N/A | Low | Moderate | High |
| Potential harm to the Organization's programs or public interests | N/A | Low | Moderate | High |
| Potential impact to personal safety | N/A | N/A | Low | Moderate/High |

  • N/A can be thought of as "Not Appropriate" for the chart: that category of harm is not expected to arise at that level.
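Applying the table is a small procedure rather than a lookup: assess the impact of an authentication error in every category, then take the lowest LOA whose permitted maximum covers the assessed impact in all of them (the M-04-04 rule). The example below is added here and is not code from the page, OMB or NIST; it encodes the table above, reports which category forced the result, and refuses incomplete or mistyped assessments so a typo cannot silently lower the level. Category names and the three sample assessments are this example's own.

```python
"""Map a risk assessment to a required Level Of Assurance (LOA).

Added example, not code from the page, OMB M-04-04 or NIST: it encodes the
"Maximum Potential Impact" table and applies the M-04-04 rule that a system
is placed at the LOWEST level whose permitted maximum impact covers the
assessed impact in EVERY category. Category names are this example's own.
"""
from enum import IntEnum


class Impact(IntEnum):
    """Potential impact of an authentication error, ordered so values compare."""
    NA = 0          # "N/A" in the table: no harm expected in this category
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Columns are LOA 1..4: the maximum impact the table permits at each level.
# Personal safety at LOA 4 is listed as "Moderate/High"; it is encoded as HIGH
# because anything above Low in that category already requires LOA 4.
MAX_IMPACT = {
    "reputation":                   (Impact.LOW, Impact.MODERATE, Impact.MODERATE, Impact.HIGH),
    "financial_loss":               (Impact.LOW, Impact.MODERATE, Impact.MODERATE, Impact.HIGH),
    "release_of_sensitive_info":    (Impact.NA,  Impact.LOW,      Impact.MODERATE, Impact.HIGH),
    "civil_or_criminal_violations": (Impact.NA,  Impact.LOW,      Impact.MODERATE, Impact.HIGH),
    "programs_or_public_interest":  (Impact.NA,  Impact.LOW,      Impact.MODERATE, Impact.HIGH),
    "personal_safety":              (Impact.NA,  Impact.NA,       Impact.LOW,      Impact.HIGH),
}
LOA_LEVELS = (1, 2, 3, 4)


def validate(assessment):
    """Reject incomplete or mistyped assessments: every category must be
    present and hold an Impact, otherwise a gap could lower the result."""
    missing = set(MAX_IMPACT) - set(assessment)
    unknown = set(assessment) - set(MAX_IMPACT)
    if missing or unknown:
        raise ValueError(f"missing categories {sorted(missing)}, "
                         f"unknown categories {sorted(unknown)}")
    for cat, value in assessment.items():
        if not isinstance(value, Impact):
            raise ValueError(f"{cat}: expected an Impact, got {value!r}")


def required_loa(assessment):
    """Lowest LOA at which no category's assessed impact exceeds the table maximum."""
    validate(assessment)
    for loa in LOA_LEVELS:
        if all(assessment[cat] <= maxes[loa - 1] for cat, maxes in MAX_IMPACT.items()):
            return loa
    raise AssertionError("unreachable: LOA 4 permits HIGH in every category")


def binding_categories(assessment):
    """Categories that forced the result: those whose impact exceeds the
    maximum permitted one level lower. Empty when LOA 1 already suffices."""
    loa = required_loa(assessment)
    if loa == 1:
        return []
    return sorted(cat for cat, maxes in MAX_IMPACT.items()
                  if assessment[cat] > maxes[loa - 2])


# Constructed sample assessments (illustrative, not from the page).
SELF_SERVICE = {            # users update their own contact details
    "reputation": Impact.LOW,
    "financial_loss": Impact.LOW,
    "release_of_sensitive_info": Impact.LOW,
    "civil_or_criminal_violations": Impact.NA,
    "programs_or_public_interest": Impact.LOW,
    "personal_safety": Impact.NA,
}
RESTRICTED_DATA = {         # staff read records classified as restricted
    "reputation": Impact.MODERATE,
    "financial_loss": Impact.MODERATE,
    "release_of_sensitive_info": Impact.MODERATE,
    "civil_or_criminal_violations": Impact.LOW,
    "programs_or_public_interest": Impact.LOW,
    "personal_safety": Impact.NA,
}
SAFETY_CRITICAL = {         # operators change settings on physical equipment
    "reputation": Impact.LOW,
    "financial_loss": Impact.LOW,
    "release_of_sensitive_info": Impact.NA,
    "civil_or_criminal_violations": Impact.LOW,
    "programs_or_public_interest": Impact.LOW,
    "personal_safety": Impact.MODERATE,
}


if __name__ == "__main__":
    for name, a in (("self-service", SELF_SERVICE), ("restricted data", RESTRICTED_DATA),
                    ("safety critical", SAFETY_CRITICAL)):
        print(f"{name}: LOA {required_loa(a)}, driven by {binding_categories(a) or 'nothing'}")
```

The binding categories are the ones worth arguing about in a review: the self-service case lands at LOA 2 only because some sensitive information and program harm is possible, while the safety-critical case is pushed to LOA 4 by personal safety alone, even though every other category is Low.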

Impact Values #

Impact values assigned by OMB for these categories of harm are defined in Federal Information Processing Standard 199, "Standards for Security Categorization of Federal Information and Information Systems", and reproduced below:

| Level of Impact | Description |
|---|---|
| Low | The loss of confidentiality, integrity or availability could be expected to have a limited adverse effect on organizational operations, organizational assets or individuals. |
| Moderate | The loss of confidentiality, integrity or availability could be expected to have a serious adverse effect on organizational operations, organizational assets or individuals. |
| High | The loss of confidentiality, integrity or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets or individuals. |

NIST.SP.800-63 provides the technical requirements for each of the four Authentication Levels of Assurance that M-04-04 defines.

More Information#

There might be more information for this subject on one of the following:

« This page (revision-27) was last changed on 05-May-2017 10:28 by jim