What is Identity Assurance?
Understanding Identity Assurance
It is a term that many encounter through work activities and almost everyone encounters in daily life – but what does it mean and how does it impact you?
This brief, prepared by the Identity & Access Forum of the Secure Technology Alliance, provides a simple, easy-to-understand explanation for those who are new to the terms associated with identity management. It is not intended for subject matter experts or those whose work is centered around identity and its various components. It is the first of several position papers designed to provide an understanding of terminology used in identity, and is intended to provide the foundation for future learning.
Why should you care?
It’s almost guaranteed that you have encountered or will encounter Identity Assurance when accessing online services or getting a badge to enter a building, perhaps without knowing it. The concepts of Identity Assurance are intended to protect you, as well as the services that you want to access when engaging with providers that manage those assets, whether for personal use or for business.
Overview
The sections below provide a high-level overview of the three levels of Identity Assurance as adopted and defined in standards published by the National Institute of Standards and Technology (NIST). The overview covers how and when the three levels are applied, and how service providers determine which level is required to access their managed resources. The closing section provides links to these and additional resources for those seeking more information or a deeper understanding of the term and concepts of “Identity Assurance.”
While these resources are primarily focused on the United States, similar levels of Identity Assurance are used globally, although there may be slight differences between them. For example, IAL2 may not map directly to the European Level 2. Future educational papers by the Alliance’s Identity and Access Forum will expand on the Identity Assurance Levels (IALs), and then explore related assurance levels that further support protected access to a variety of services, i.e., Authentication Assurance Levels (AALs) and Federation Assurance Levels (FALs).
The Three Levels of Identity Assurance
Identity Assurance refers to the unique attributes provided by an individual in order to onboard, register, or enroll with service providers that manage assets that an individual wishes to access. In some cases, service providers may establish or issue some form of logical or physical credential that an individual will use to gain access to the service provider’s offerings, such as a unique ID and password, a license, a token, or a physical access card.
The owner of a service, frequently referred to as a Relying Party (RP), will decide whether an individual should be granted access to the services provided and what level of assurance that individual must attain in order to access those services. The required level of assurance is governed by the impacts or risks that might occur if a bad actor’s (or unauthorized user’s) actions compromise or degrade access to a service and its data, which may result in damage to assets, or cause financial loss or physical harm to other individuals. Hence, depending on the risk factor, different levels of identity proofing and individual attributes are required when establishing an identity within a Relying Party’s purview.