ISO/IEC 29115 — Entity Authentication Assurance Framework

A framework for defining and implementing authentication assurance levels across systems and organizations

Understanding Entity Authentication Assurance Levels

ISO/IEC 29115 provides a framework for entity authentication assurance, defining a hierarchy of assurance levels that can be applied across different systems, organizations, and jurisdictions. In an increasingly interconnected digital world, establishing confidence in the identity of remote entities — whether users, devices, or services — is fundamental to security. The standard defines four levels of authentication assurance (LoA), each specifying the rigor required for identity proofing, credential management, and authentication mechanisms. The framework is designed to be technology-neutral and scalable across different risk environments, from low-risk consumer applications to high-security government systems.

ISO/IEC 29115 aligns with and extends the authentication assurance concepts from NIST SP 800-63 and the European eIDAS regulation, providing an internationally harmonized framework that bridges regional approaches. Organizations operating across jurisdictions benefit from a single, unified authentication assurance model.

The standard distinguishes between three distinct phases of the authentication lifecycle: identity proofing (establishing that an entity is who they claim to be), credential management (issuing, storing, and revoking authentication tokens), and authentication mechanisms (the actual verification process). Each phase has independent assurance level requirements that together determine the overall authentication assurance. This separation is critical because weaknesses in any single phase can undermine the entire authentication chain — for example, a strong multi-factor authentication mechanism provides little protection if the initial identity proofing was fraudulent.

A key engineering consideration in the standard is the concept of “applicability scope” — the standard recognizes that different transactions within the same system may require different assurance levels. A user viewing their account balance may only need LoA 2, while the same user initiating a wire transfer over $10,000 may require LoA 3. The standard provides guidance on implementing risk-based, context-aware authentication that adapts assurance requirements based on transaction value, data sensitivity, and historical user behavior patterns.
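The two ideas above, the weakest-link rule across the three lifecycle phases and transaction-scoped assurance, as an added illustration (example code, not from the standard or any product); the data model, the decision strings and the policy encoding the page's balance-view and $10,000 wire-transfer figures are this example's own assumptions:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthenticationContext:
    """Assurance achieved in each lifecycle phase (hypothetical model)."""
    proofing_loa: int      # identity proofing level established at registration
    credential_loa: int    # credential management level for the credential in use
    mechanism_loa: int     # strength of the mechanism used in this session

    def effective_loa(self) -> int:
        # Weakest-link rule: the chain is only as strong as its weakest phase,
        # so strong MFA on top of fraudulent proofing still yields low assurance.
        return min(self.proofing_loa, self.credential_loa, self.mechanism_loa)

# Constructed applicability-scope policy using the page's example figures.
WIRE_STEP_UP_THRESHOLD = 10_000

def required_loa(transaction: str, amount: float = 0.0) -> int:
    """Map a transaction type (and value) to the assurance level it needs."""
    if transaction == "view_balance":
        return 2
    if transaction == "wire_transfer":
        return 3 if amount > WIRE_STEP_UP_THRESHOLD else 2
    raise ValueError(f"unknown transaction type: {transaction}")

def decide(ctx: AuthenticationContext, transaction: str, amount: float = 0.0) -> str:
    """Allow, ask for step-up, or deny; the result strings are this example's own."""
    need = required_loa(transaction, amount)
    if ctx.effective_loa() >= need:
        return "allow"
    # Step-up only helps when the registration-time phases already support the
    # target level; a stronger mechanism cannot repair weak proofing.
    if min(ctx.proofing_loa, ctx.credential_loa) >= need:
        return f"step_up_to_loa{need}"
    return "deny_reproofing_required"
```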

The Four Levels of Authentication Assurance

Level 1: Little or No Confidence

LoA 1 provides minimal assurance of identity. No identity proofing is required — the entity may self-assert attributes. Authentication is typically based on a single factor such as a password or PIN. This level is suitable for low-risk applications where the consequences of authentication error are negligible, such as accessing public information or maintaining a forum profile. The standard notes that while LoA 1 is appropriate for low-risk scenarios, organizations should clearly communicate the limited assurance provided to users and other relying parties.

Assurance Level | Identity Proofing                                        | Credential Strength                              | Authentication Mechanism                   | Typical Use Cases
----------------|----------------------------------------------------------|--------------------------------------------------|--------------------------------------------|-------------------------------------------------------
LoA 1           | None (self-asserted)                                     | Weak (e.g., simple password)                     | Single-factor                              | Public forums, news comments
LoA 2           | Remote verification of one government ID                 | Moderate (e.g., strong password + email OTP)     | Two-factor (optional)                      | Online banking, email accounts
LoA 3           | In-person or remote with biometric verification          | Strong (e.g., hardware token or certificate)     | Multi-factor required                      | Healthcare records, corporate VPN
LoA 4           | In-person with multiple forms of ID and background check | Very strong (e.g., FIPS 140-2 Level 3 hardware)  | Multi-factor with tamper-resistant hardware | Government classified systems, high-value transactions

Organizations that map their authentication requirements to ISO/IEC 29115 LoA levels report 40% fewer identity-related security incidents while reducing user friction at appropriate levels. The tiered approach allows security investment to be concentrated where it provides the most risk reduction.

Level 3 and Level 4: High Assurance Scenarios

For applications requiring high assurance, LoA 3 mandates multi-factor authentication using at least two of the three authentication factor categories: knowledge (something you know), possession (something you have), and inherence (something you are). The identity proofing process at LoA 3 requires either in-person verification or remote verification with biometric matching against a government-issued credential. At LoA 4, the highest level, all authentication factors must be cryptographically bound to the entity’s identity, typically through hardware cryptographic modules that have been validated against recognized security standards such as FIPS 140-2 Level 3 or Common Criteria EAL 4+.

The standard places particular emphasis on credential management security at higher assurance levels. At LoA 3 and above, credentials must be issued through a secure registration process that verifies the applicant’s identity in person or through an equivalent trusted process. Credential activation requires out-of-band verification, and credential revocation must be effective within strict time limits — typically within 24 hours for LoA 3 and within 4 hours for LoA 4. The standard also mandates comprehensive audit logging for all credential management operations, with logs retained for a minimum period specified in the organization’s security policy.
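Two of the checks described above, the factor-category rule for LoA 3 and LoA 4 and the revocation time limits, as an added example (not code from the standard or any certified product); the factor dictionaries, the audit-log format and the reading of "tamper-resistant hardware" as a hardware-bound possession factor are this example's assumptions:

```python
from datetime import datetime, timedelta

# Factor categories named in the standard; the policy encoding is this example's own.
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"

def factors_satisfy_loa(level: int, factors: list[dict]) -> bool:
    """Each factor is a constructed dict {"category": str, "hardware_bound": bool}."""
    categories = {f["category"] for f in factors}
    if level <= 2:
        return len(factors) >= 1
    # LoA 3 and above: at least two distinct categories. Two passwords are still
    # one category, and inherence alone never qualifies (biometrics cannot be revoked).
    if len(categories) < 2:
        return False
    if level == 4:
        # The possession factor must live on tamper-resistant hardware.
        return any(f["category"] == POSSESSION and f.get("hardware_bound")
                   for f in factors)
    return True

# Revocation must take effect within 24 h at LoA 3 and within 4 h at LoA 4.
REVOCATION_LIMIT = {3: timedelta(hours=24), 4: timedelta(hours=4)}

# Constructed credential-management audit lines in a hypothetical format.
AUDIT_LOG = """\
2024-05-01T08:00:00Z revoke_requested cred=C-1001 loa=3
2024-05-01T20:30:00Z revoke_effective cred=C-1001
2024-05-02T09:00:00Z revoke_requested cred=C-2002 loa=4
2024-05-02T14:15:00Z revoke_effective cred=C-2002
"""

def late_revocations(log: str) -> list[str]:
    """Return credential ids whose revocation exceeded the limit for their LoA."""
    pending, late = {}, []
    for line in log.splitlines():
        ts, event, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if event == "revoke_requested":
            pending[fields["cred"]] = (when, int(fields["loa"]))
        elif event == "revoke_effective":
            requested_at, loa = pending.pop(fields["cred"])
            if when - requested_at > REVOCATION_LIMIT[loa]:
                late.append(fields["cred"])
    return late
```

Run over the constructed log, the LoA 3 revocation (12.5 h) passes and the LoA 4 one (5.25 h) is flagged, which is the kind of check an audit of credential management operations would automate.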

Selecting an appropriate authentication assurance level requires balancing security requirements against user experience and operational cost. LoA 4 implementations can cost 5-10x more per user to deploy and maintain compared to LoA 2, primarily due to hardware token distribution, in-person identity proofing, and ongoing credential management overhead.

Practical Implementation Considerations

Implementing ISO/IEC 29115 requires organizations to conduct a risk assessment for each system or transaction type, identifying the consequences of authentication failures. The standard provides detailed guidance on mapping risk levels to assurance levels, considering factors such as the value of assets being protected, the potential for fraud, privacy implications, and regulatory requirements. The risk assessment methodology is based on a systematic evaluation of the likelihood and impact of authentication errors, including both false acceptance (allowing an unauthorized entity) and false rejection (denying a legitimate entity).

A critical implementation consideration is credential lifecycle management. The standard specifies requirements for credential issuance, activation, suspension, revocation, and reissuance. For example, at LoA 2 and above, credentials must have defined expiration periods, and mechanisms must exist for users to securely report lost or compromised credentials. At LoA 3 and above, credential revocation must take effect within strict time limits, and audit logs must be maintained for all credential management operations. The standard also addresses the increasingly important area of credential recovery — how users can securely regain access when their primary authentication factor is lost or unavailable.

A common implementation mistake is applying the same authentication assurance level across all systems. This either creates security gaps in high-risk areas or imposes unnecessary friction on low-risk operations. ISO/IEC 29115 explicitly supports risk-based, tiered authentication strategies where users are prompted for stronger authentication only when the transaction risk warrants it.

Frequently Asked Questions

Q: How does ISO/IEC 29115 relate to FIDO2/WebAuthn?
A: FIDO2 and WebAuthn are authentication protocols that can be used to meet the authentication mechanism requirements at various LoA levels in ISO/IEC 29115. The standard is protocol-agnostic and focuses on assurance outcomes rather than specific technologies. A FIDO2 implementation can achieve LoA 2 or LoA 3 depending on the identity proofing process used during credential registration.

Q: Can biometrics alone achieve LoA 3 or LoA 4?
A: No. The standard does not recognize biometrics as a sole authentication factor due to the non-revocable nature of biometric data. Biometrics can serve as an inherence factor within a multi-factor scheme, and must be combined with a possession or knowledge factor. The standard provides specific guidance on biometric error rates and liveness detection requirements for use at each LoA level.

Q: Is there a certification program for ISO/IEC 29115 compliance?
A: Yes. Independent third-party evaluation is available through accredited conformity assessment bodies. Certification typically involves review of identity proofing procedures, credential management systems, and authentication infrastructure. The evaluation scope must cover all three authentication lifecycle phases to achieve certification.

Q: How long does a typical LoA 3 system take to implement?
A: Implementation timelines vary significantly based on existing infrastructure. Organizations with existing PKI and identity management systems typically require 3-6 months for LoA 3, while greenfield implementations may take 9-18 months. The standard recommends a phased approach, starting with LoA 2 and incrementally strengthening processes to reach higher assurance levels.
