What is Level of Assurance?

A Level of Assurance, as defined by the ISO/IEC 29115 standard, describes the degree of confidence in the processes leading up to and including an authentication. It provides assurance that the entity claiming a particular identity is the entity to which that identity was assigned.

During a Mobile Connect API authentication request, the application declares the degree of confidence that is required in the returned (asserted) identity. The greater the risk associated with an erroneous authentication, the higher the Level of Assurance recommended. Each Level of Assurance is explained below.

For more information on how to request Level of Assurance in a Mobile Connect API authentication request, please refer to the Mobile Connect API section under acr_values.

There are 4 Levels of Assurance.

  1. Level of Assurance 1
  2. Level of Assurance 2
  3. Level of Assurance 3
  4. Level of Assurance 4

Level of Assurance 1

At Level of Assurance 1 (LoA1), there is minimal confidence in the asserted identity of the entity, but enough confidence that the entity is the same over consecutive authentication events. LoA1 is used when minimum risk is associated with erroneous authentication. There is no specific requirement for the authentication mechanism used; only that it provides some minimal assurance.

*When using Mobile Connect API, Level of Assurance 1 does not apply.

Level of Assurance 2

At Level of Assurance 2 (LoA2), there is some confidence in the asserted identity of the entity. LoA2 is used when moderate risk is associated with erroneous authentication. Successful authentication will be dependent upon the entity proving, through a secure authentication protocol, that the entity has control of an agreed credential.

During a Mobile Connect authentication for LoA2, the user will be prompted and will need to respond on their mobile device* to prove that they are in possession of the device (the credentials). As defined, LoA2 provides only some confidence in the identity: all that is known for sure is that the user has access to the mobile device.

We also describe this as "Something you have".

If the application using the Mobile Connect API is on the mobile data network at the time of the request, the user may not have to respond to a prompt to prove that they are in possession of the device as this can be done by the mobile network. This is referred to as seamless authentication.

Level of Assurance 3

At Level of Assurance 3 (LoA3), there is high confidence in an asserted identity of the entity. LoA3 is used where a substantial risk is associated with erroneous authentication. Identity proofing procedures shall be dependent upon verification of identity information.

During a Mobile Connect authentication for LoA3, the user will be required to enter a secret PIN that they agreed beforehand. As defined, LoA3 provides high confidence that the user who has access to the mobile device is also the entity to which the identity was assigned, as only that entity should know the PIN.

We describe this as "Something you have and something you know". It is possible to replace the "something you know" second factor in an LoA3 authentication with "Something you are", provided by biometric factors such as a fingerprint. This is dependent on mobile network operators' local authenticator implementations.

Level of Assurance 4

At Level of Assurance 4 (LoA4), there is very high confidence in an asserted identity of the entity. This LoA is used when a high risk is associated with erroneous authentication. LoA4 provides the highest level of entity authentication assurance defined by this standard. LoA4 is similar to LoA3, but it adds the requirements of in-person identity proofing.

Mobile Connect does not currently support LoA4.
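
As an added example (not Mobile Connect's own code), a relying party can request a minimum level through acr_values and then refuse an ID token whose acr claim asserts a lower one. It assumes the levels are carried as the strings "2" and "3", that the ID token has an acr claim and has already been validated, and the function names are hypothetical.

```python
# Added example: enforce a minimum Level of Assurance on the application side.
# Assumption: levels travel as the strings "2" and "3" in acr_values / acr.
# Per the page, LoA1 does not apply and LoA4 is not supported.
ACR_TO_LOA = {"2": 2, "3": 3}


class LoAError(Exception):
    """The requested or asserted Level of Assurance is not acceptable."""


def acr_values_for(required_loa: int) -> str:
    """Build an acr_values string: the required level first, then any
    stronger supported level the application would also accept."""
    if required_loa not in ACR_TO_LOA.values():
        raise LoAError(f"LoA{required_loa} cannot be requested")
    acceptable = sorted(l for l in ACR_TO_LOA.values() if l >= required_loa)
    return " ".join(str(l) for l in acceptable)


def check_asserted_loa(id_token_claims: dict, required_loa: int) -> int:
    """Return the asserted LoA if it meets the requirement, else raise.

    id_token_claims must come from an ID token whose signature, issuer,
    audience and nonce were validated beforehand (not shown here).
    """
    acr = id_token_claims.get("acr")
    if acr not in ACR_TO_LOA:
        # Missing, non-string or unknown values are rejected, never guessed.
        raise LoAError(f"missing or unrecognised acr claim: {acr!r}")
    asserted = ACR_TO_LOA[acr]
    if asserted < required_loa:
        # The identity was authenticated at a weaker level than required,
        # e.g. possession only (LoA2) where a PIN (LoA3) was needed.
        raise LoAError(f"asserted LoA{asserted} is below required LoA{required_loa}")
    return asserted


if __name__ == "__main__":
    # Constructed sample claims, not real token contents.
    print(acr_values_for(2))
    print(check_asserted_loa({"sub": "constructed-subject", "acr": "3"}, 2))
    try:
        check_asserted_loa({"sub": "constructed-subject", "acr": "2"}, 3)
    except LoAError as exc:
        print("rejected:", exc)
```

The check belongs after ID token validation and before the application grants access to the protected action.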