3rd International ICST Symposium on Information Assurance and Security

Research Article

Levels of Authentication Assurance: an Investigation

  • @INPROCEEDINGS{10.1109/IAS.2007.88,
        author={Aleksandra Nenadic and Ning Zhang and Lix Yao and Terry Morrow},
        title={Levels of Authentication Assurance: an Investigation},
        proceedings={3rd International ICST Symposium on Information Assurance and Security},
        keywords={Access control, Authentication, Authorization, Computer science, Computer science education, Computer security, Helium, Information security, Information systems, Protection},
    }
  • Year: 2007
    DOI: 10.1109/IAS.2007.88
Aleksandra Nenadic1,*, Ning Zhang1,*, Lix Yao1,*, Terry Morrow1
  • 1: School of Computer Science, University of Manchester
*Contact email: anenadic@cs.man.ac.uk, nzhang@cs.man.ac.uk, yaol@cs.man.ac.uk


The ES-LoA project, funded by the UK Joint Information Systems Committee (JISC) under its e-Infrastructure Security Programme, investigates current and future needs among the UK research and education community for a more fine-grained authorisation scheme that would allow service providers to take into account the level of confidence in the identity of a remote entity requesting service access. Such a fine-grained authorisation scheme is attractive to service providers offering resources with varying levels of sensitivity and/or wishing to tailor their security protections to risk levels. Service providers may wish to restrict access to more sensitive resources to those who have gone through a more stringent authentication process or, for the same remote entity, require the use of a stronger authentication token should the access request come from a riskier environment. In this way, the quality of an authentication instance, expressed as an authentication Level of Assurance (LoA), becomes one of the parameters used in access control decision making. This paper investigates the current worldwide efforts in defining LoA and identifies gaps in existing definitions when they are applied to a federated environment.