Overview: LOA 3, High confidence in the asserted Digital Identity accuracy
LOA 3 authentication requires cryptographic-strength mechanisms that protect the primary authentication token (secret key, private key or one-time password) against compromise by the following protocol threats: eavesdroppers, replay, online guessing, verifier impersonation and man-in-the-middle attackers. A minimum of two authentication factors is required. Three kinds of tokens may be used: "soft" cryptographic tokens, "hard" cryptographic tokens and "one-time password" device tokens.
Authentication requires that the claimant prove, through a secure authentication protocol, that he or she controls the token. To establish two-factor authentication, the claimant must first unlock the token with a password or biometric data, or must also use a password in the secure authentication protocol. Long-term shared authentication secrets, if used, are never revealed to any party except the claimant and verifiers operated directly by the Credentials Service Provider (CSP); session (temporary) shared secrets, however, may be provided to independent verifiers by the CSP. Approved cryptographic techniques are used for all operations. Assertions issued about claimants as a result of a successful authentication are either cryptographically authenticated by relying parties, or are obtained directly from a trusted party via a secure authentication protocol.
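The following is an added illustration, not text or code from the source document: a minimal model of a two-factor, "soft" cryptographic token authentication in the LOA 3 style, showing the two properties the paragraph above insists on, that the long-term secret is shared only between the claimant's token and the CSP-operated verifier (an eavesdropper sees only a nonce and an HMAC), and that a captured response cannot be replayed because each challenge is single-use. The class names, the password-wrapped secret and the HMAC challenge-response protocol are assumptions chosen for the example, not a NIST-specified mechanism.

```python
import hashlib
import hmac
import secrets


def _wrap_key(password: str, salt: bytes) -> bytes:
    # Key derived from the password (something you know) that wraps the
    # token's long-term secret (something you have).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)


class SoftToken:
    """Software cryptographic token: long-term secret stored wrapped by a password."""

    def __init__(self, long_term_secret: bytes, password: str) -> None:
        self.salt = secrets.token_bytes(16)
        key = _wrap_key(password, self.salt)
        self.wrapped = bytes(a ^ b for a, b in zip(long_term_secret, key))

    def respond(self, password: str, claimant: str, challenge: bytes) -> bytes:
        # A wrong password unwraps to a wrong secret, so the response will not
        # verify: both factors are needed, and the secret itself never leaves.
        key = _wrap_key(password, self.salt)
        secret = bytes(a ^ b for a, b in zip(self.wrapped, key))
        return hmac.new(secret, claimant.encode() + challenge, "sha256").digest()


class Verifier:
    """CSP-operated verifier: the only other party holding the long-term secret."""

    def __init__(self) -> None:
        self.secrets: dict[str, bytes] = {}
        self.pending: dict[str, bytes] = {}  # one outstanding challenge per claimant

    def enroll(self, claimant: str) -> bytes:
        secret = secrets.token_bytes(32)
        self.secrets[claimant] = secret
        return secret  # delivered to the claimant's token at enrollment only

    def issue_challenge(self, claimant: str) -> bytes:
        # Fresh random nonce per attempt, so a captured response is useless later.
        nonce = secrets.token_bytes(16)
        self.pending[claimant] = nonce
        return nonce

    def verify(self, claimant: str, response: bytes) -> bool:
        nonce = self.pending.pop(claimant, None)  # consumed: single use only
        if nonce is None or claimant not in self.secrets:
            return False
        expected = hmac.new(self.secrets[claimant], claimant.encode() + nonce, "sha256").digest()
        return hmac.compare_digest(expected, response)
```

This covers the eavesdropper, replay and two-factor requirements only; verifier impersonation and man-in-the-middle resistance depend on the transport (for example an authenticated TLS channel), which this model leaves out.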
LOA 3 is used to access restricted data.