Trust and Internet Identity Meeting Europe
2013 - 2020: Workshops and Unconference

TIIME 2015 Session 8: Quality of Authentication and identification

Convener: Peter Pichler

Abstract: IDPs of last resort: user-centric identity - unique challenges.
What are IDP's of last resort, what different models are available? What can ORCID deliver and what not, and is ORCID an IDP?

Bullet points:

  • introducing to the Austrian authentication and security requirements
  • low and higher LoA, 3 security classes are 10 years old already, modernization going on
  • single factor and two factor auth. for higher level
  • in addition network level security or working place security (some resources can be accessed only from intranet)
  • eIDAS has 3 level LoA for citizen authentication (the presenter’s use case concerns Austrian civil servants)
  • eIDAS 3 level LoA based on ISO standard
  • low passwords
  • substantial two factor auth soft
  • highest two factor hard
  • "The IGTF Authentication Profiles de-facto describe a technology-agnostic assurance level that represent the IGTF consensus on achievable trustworthy authentication seen from both the relying party point of view as well as being a feasible level for identity service providers to achieve for a variety of scenarios."
  • of those present most have not implemented LoA
  • IGTF has defined levels of assurance
  • Kantara IAF (Identity Assurance Framework)

Main issues discussed

Introduction to discussion:

Austrian eGov federation - a project for many services, authorization, security requirements with high assurance

Security classes from 1 to 3 - this system is 10 years old - we try to further develop it

  1. the type of network
  1. the quality of authentication - how the used is authenticated (low- just a password, higher with another authentication, for example a call or extra code)
  1. resources combined

This qualification is called in Austria "security classes".

To be discussed: classes and problems (government to government services)

For governmental use cases and also business cases.

Comment from the audience:

The eIDAS 2015/1502 Implementing regulation - seasonal authentication

Implementation acts

  • 1st layer password
  • 2nd tokens, delivered to the user
  • 3rd (highest) - extra, tokens or other authentication delivered to the user face to face

Question to the group: Are there examples on any form of a classification? Or plans to do something like this?

Audience: IGTF has defined levels of insurance

(Example: for scientific calculations for research work)

Summer federation based on protocols "authentication context"

- Possibilities to describe (in the case when the users forgets the password) - in a larger federation it is difficult, the higher (1,2,3) classification is a better solution.

Service providers have different security standards/policies - the classificated level of insurance should simplify this.

Kantara IAF SAC (Identity Assurance Framework) is also a75 framework, 4 layers called assurance levels (organization maturity)

(this was discussed in another session - K2 09:45 Wednesday - Tom Barton "Trust and assurance" & Identity Assurance Framework - building critical trust)


Classifying (levels) could/should simplify the handling of different authentication qualities in an identity federation.

(Peter Pichler is working on improving the Austrian framework.)