Identity assurance refers to the level of confidence a system can have in a user’s identity (that they are who they claim to be). There are three levels covered in the CBK:
Identity Assurance Level 1 (IAL1) – self-assertion. There is no confidence beyond the fact that the user has asserted their identity. For example, our website would be considered IAL1 because you (the user) can enter a fictitious name during registration and that self-assertion is accepted.
Identity Assurance Level 2 (IAL2) – proof is required. Unlike the previous level, you have to verify your claimed identity somehow. This can be achieved by providing a scanned image of a government-issued document such as a driver’s license, or by verifying your address by entering a code into the system that was mailed to that address.
Identity Assurance Level 3 (IAL3) – requires in-person verification: a visit to the front counter, presenting your photo ID to the clerk, and filling out paperwork that is then queried against government or public databases. Additional supporting documents are typically required.
These levels are derived from the National Institute of Standards and Technology (NIST) Special Publication 800-63A.
There is also a concept called the Authenticator Assurance Level (AAL). This is the level of confidence that the user actually controls the authenticators (such as passwords) being presented.
AAL1 – provides some confidence. A password, for example. Can be single-factor or multi-factor authentication.
AAL2 – provides high confidence. Minimum of two factors must be provided.
AAL3 – provides very high confidence. Two factors are required, with the added requirement of a cryptographic key and a physical device (a single device can provide both). Combined with a username/password, this provides the highest level of confidence in the authentication.
And… there is also the Federation Assurance Level (FAL). This refers to the level of confidence in federated assertions.
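To make the AAL ladder concrete, the following is an added example (not NIST or CISSP reference code) that maps the authenticators presented in one login to an AAL and enforces a per-resource minimum, which is how a relying party decides whether to demand step-up authentication. It generalises slightly beyond the text above: following NIST SP 800-63B, it counts distinct factor types rather than authenticators (two passwords are still one factor), counts a biometric only when paired with a physical authenticator, and grants AAL3 only when a hardware-based cryptographic authenticator is in the mix. The authenticator catalogue is a constructed assumption.

```python
"""Compute the Authenticator Assurance Level (AAL) reached by a login and
enforce a per-resource minimum.

Added example for this page, not NIST or CISSP reference code. The factor
categories (something you know / have / are), the rule that factors must
come from different categories, the biometric rule and the AAL3 hardware
requirement follow NIST SP 800-63B; the authenticator catalogue below is a
constructed assumption.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, Tuple


class AAL(IntEnum):
    NONE = 0   # nothing presented
    AAL1 = 1   # some confidence: one factor type
    AAL2 = 2   # high confidence: two distinct factor types
    AAL3 = 3   # very high: hardware-based cryptographic authenticator involved


@dataclass(frozen=True)
class Authenticator:
    name: str
    factor: str             # "know", "have" or "are"
    hardware: bool = False  # secret held in a physical device
    crypto: bool = False    # cryptographic proof of possession, not a typed secret


# Constructed catalogue (assumption). The FIDO2 key is modelled as a
# single-factor cryptographic device: "something you have" only.
CATALOGUE = {
    "password":    Authenticator("password", "know"),
    "sms_otp":     Authenticator("sms_otp", "have"),
    "totp_app":    Authenticator("totp_app", "have"),
    "fido2_key":   Authenticator("fido2_key", "have", hardware=True, crypto=True),
    "fingerprint": Authenticator("fingerprint", "are"),
}


def assurance_level(used: Iterable[str]) -> AAL:
    """Map the authenticators presented in one login to an AAL."""
    auths = [CATALOGUE[n] for n in used]
    if not auths:
        return AAL.NONE
    # Count factor *types*, not authenticators: two passwords are one factor.
    factors = {a.factor for a in auths}
    # A biometric only counts when paired with a physical authenticator
    # (SP 800-63B 5.2.3); alone or with just a password it adds nothing.
    if "are" in factors and "have" not in factors:
        factors.discard("are")
    if len(factors) < 2:
        return AAL.AAL1
    if any(a.hardware and a.crypto for a in auths):
        return AAL.AAL3
    return AAL.AAL2


def authorize(required: AAL, used: Iterable[str]) -> Tuple[bool, AAL]:
    """Return (allowed, level reached); False should trigger step-up auth."""
    level = assurance_level(list(used))
    return level >= required, level


if __name__ == "__main__":
    for combo in (["password"], ["password", "totp_app"], ["password", "fido2_key"]):
        print(combo, authorize(AAL.AAL2, combo))
```

The point of `authorize` returning the level reached, not just a yes/no, is that the caller can record the AAL in the session and prompt for exactly the missing factor later instead of restarting the login.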
Here are some additional terms to be aware of:
Credential – a binding between an authenticator and a subscriber via an identifier.
Credential Service Provider – the entity that collects and manages the credential.
Sponsorship – an authorized entity “sponsors” a credential with a credential service provider.
Enrollment – a sponsored user/claimant enrolls for the credentials; this includes identity proofing.
Credential production – as the term implies, the credentials are created: cards, cryptographic keys, digital certificates, etc.
Issuance – disclosing or granting access to the credentials.
Credential lifecycle management – activities including re-issuance, revocation, re-enrollment, expiration, suspension, reinstatement, etc.
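The lifecycle terms above chain together, and a credential service provider typically enforces them as a state machine so that, for instance, a revoked credential can never be reinstated and only an issued, active credential is accepted at authentication time. The following is an added example of such a state machine (not NIST or CISSP code); the states and the allowed transitions are an assumption modelled on the activities listed above.

```python
"""Credential lifecycle state machine.

Added example for this page, not NIST or CISSP code. The states and allowed
transitions are an assumption modelled on the lifecycle activities listed
above (sponsorship, enrollment, production, issuance, suspension,
reinstatement, expiration, revocation, re-issuance, re-enrollment).
"""
from enum import Enum
from typing import Dict, FrozenSet, List, Tuple


class State(Enum):
    SPONSORED = "sponsored"   # an authorized entity vouched for the applicant
    ENROLLED = "enrolled"     # identity proofing completed
    PRODUCED = "produced"     # card / key / certificate created, not yet handed over
    ACTIVE = "active"         # issued to the subscriber and usable
    SUSPENDED = "suspended"   # temporarily unusable, can be reinstated
    EXPIRED = "expired"       # validity period ended
    REVOKED = "revoked"       # terminal: never reinstated or re-issued


class InvalidTransition(Exception):
    pass


# event -> (states the event may be applied from, resulting state)
TRANSITIONS: Dict[str, Tuple[FrozenSet[State], State]] = {
    "enroll":    (frozenset({State.SPONSORED}), State.ENROLLED),
    "produce":   (frozenset({State.ENROLLED}), State.PRODUCED),
    "issue":     (frozenset({State.PRODUCED}), State.ACTIVE),
    "suspend":   (frozenset({State.ACTIVE}), State.SUSPENDED),
    "reinstate": (frozenset({State.SUSPENDED}), State.ACTIVE),
    "expire":    (frozenset({State.ACTIVE, State.SUSPENDED}), State.EXPIRED),
    # re-issuance keeps the proofed identity and makes new credential material
    "reissue":   (frozenset({State.EXPIRED}), State.PRODUCED),
    # re-enrollment repeats identity proofing first
    "reenroll":  (frozenset({State.EXPIRED}), State.ENROLLED),
    # revocation is allowed from any live state but is a one-way door
    "revoke":    (frozenset(State) - {State.REVOKED}, State.REVOKED),
}


class Credential:
    def __init__(self, credential_id: str) -> None:
        self.credential_id = credential_id
        self.state = State.SPONSORED
        self.history: List[Tuple[str, State]] = []  # audit trail of events

    def apply(self, event: str) -> State:
        try:
            allowed_from, target = TRANSITIONS[event]
        except KeyError:
            raise InvalidTransition(f"unknown event {event!r}") from None
        if self.state not in allowed_from:
            raise InvalidTransition(
                f"{self.credential_id}: cannot {event} from {self.state.value}")
        self.state = target
        self.history.append((event, target))
        return target

    def usable(self) -> bool:
        """Only an ACTIVE credential may be accepted during authentication."""
        return self.state is State.ACTIVE


def try_apply(cred: Credential, event: str) -> bool:
    """Apply an event, returning False instead of raising on a bad transition."""
    try:
        cred.apply(event)
        return True
    except InvalidTransition:
        return False


def run(events: List[str]) -> State:
    """Apply a sequence of events to a fresh credential; return its final state."""
    cred = Credential("example-cred")
    for event in events:
        cred.apply(event)
    return cred.state


if __name__ == "__main__":
    print(run(["enroll", "produce", "issue", "suspend", "reinstate"]))
```

Keeping the transition table as data rather than scattered `if` checks makes the policy reviewable at a glance, and the `history` list gives the audit trail a lifecycle-management process needs.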