
Understanding eIDAS Level of Assurance

Digital Identity refers to the electronic/digital representation of an individual or organization. It is a collection of electronically stored identity attributes that uniquely describe a person or legal entity, and are shared over electronic transactions. These attributes can be captured either electronically or physically, and are stored digitally.

In Europe, eID (electronic identification) is a type of Digital Identity used to access online services, sign documents electronically, and authenticate oneself online.

In the context of digital identities, eID and electronic transactions, the parties involved (services, application providers or other users) need to trust each other, and that trust rests on the authenticity and reliability of the identity being presented.

Level of Assurance (LoA) is a critical concept in digital identities, eID, and electronic transactions because it enables organizations to assess the risk associated with digital identities and decide on the level of authentication required. LoA is a measure of the level of confidence in the accuracy and reliability of the Digital Identity. It determines the extent to which the digital identity has been verified, authenticated, and secured. In general, the higher the LoA, the greater the level of trust and confidence in the digital identity, and the lower the risk of fraud or identity theft.

The ISO/IEC 29115 standard is the primary reference for defining the Level of Assurance (LoA) in an asserted identity or in an authentication solution/credential. It specifies four levels of assurance that serve as the foundation for various assurance frameworks used internationally. Each level denotes the degree of confidence in the authentication process, i.e. how sure a relying party can be that the entity claiming a specific identity is the same entity to which that identity was assigned.

eIDAS and its Level of Assurance (LoA)

In the European Union, the eIDAS definition of LoA is used as the criterion for evaluating the strength of the authentication methods used to verify a user’s digital identity.

eIDAS defines three levels of identity assurance: Low, Substantial and High. These align with Levels 2, 3 and 4 of ISO/IEC 29115 respectively. The LoA refers to the degree of confidence in the electronic identification means used to confirm the identity of a natural or legal person: it expresses how sure one can be that the individual claiming an identity is indeed the person to whom the identity was assigned.

The eIDAS LoAs can be summarised as follows:

  • Low: comparable to ISO/IEC 29115 LoA2, offering a limited degree of confidence in the person’s claimed identity. Single-factor authentication suffices. For enrollment, an online self-registration with only light identity checks can be enough.
  • Substantial: comparable to ISO/IEC 29115 LoA3, requiring at least two authentication factors of different categories. For enrollment, identity information must be provided and verified; for authentication, a typical combination is a username and password plus a one-time password sent to a mobile phone.
  • High: comparable to ISO/IEC 29115 LoA4, requiring at least two authentication factors and protecting the authentication means against duplication and tampering, and against attackers with high attack potential. For enrollment, the applicant’s identity is typically verified in person at an office (or by an equivalent procedure); for authentication, a smart card such as a national ID card is used.

The figure below maps the eIDAS LoAs to other defined assurance levels. It is an extract from EU documentation [1].

[Figure: eIDAS assurance levels mapped to other frameworks (extract from EU documentation) [1]]

The level of assurance of an eIDAS eID scheme is established by evaluating several factors. From the user’s point of view they can be described as follows:

  1. Enrollment process: how a user registers to obtain the eID, e.g. remote identity proofing or a physical visit to present identity documents.
  2. Management/design of the eID means: which type of device the user holds, and how the private keys (the authentication factors) are protected against duplication, tampering and other attacks.
  3. Authentication procedure: which security controls apply when the eID is verified, and how the trust chain is shown to other parties.

The resulting assurance level depends on the combination of these factors. As the saying goes, a chain is only as strong as its weakest link: a scheme is rated at the lowest level reached by any of the factors. Any national or individual eID scheme, when notified, needs to state the LoA it achieves for each of the factors listed above.
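How a relying party would apply these levels in practice, as an added example that is not code from this article or from Methics: a Python module that applies the weakest-link rule to the three factors above and then checks an eID assertion against the LoA a service requires. It assumes the LoA identifier URIs of the eIDAS SAML attribute profile (http://eidas.europa.eu/LoA/low, .../substantial and .../high); the SAML assertion fragment is constructed for illustration, and signature validation of the assertion is deliberately out of scope.

```python
"""Relying-party handling of eIDAS levels of assurance.

Added example, not code from the article or from Methics. Assumes the LoA
identifiers of the eIDAS SAML attribute profile. The sample assertion below
is constructed for illustration and is NOT signature-checked here: a real
relying party validates the SAML signature and conditions before it reads
the LoA out of the assertion.
"""
from enum import IntEnum
import xml.etree.ElementTree as ET


class LoA(IntEnum):
    """eIDAS assurance levels, ordered so that comparisons reflect strength."""
    LOW = 1
    SUBSTANTIAL = 2
    HIGH = 3


# LoA identifiers defined by the eIDAS SAML attribute profile.
LOA_URI = {
    "http://eidas.europa.eu/LoA/low": LoA.LOW,
    "http://eidas.europa.eu/LoA/substantial": LoA.SUBSTANTIAL,
    "http://eidas.europa.eu/LoA/high": LoA.HIGH,
}

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}


def parse_loa(uri: str) -> LoA:
    """Map an LoA URI to a level; unknown values are rejected, never defaulted."""
    try:
        return LOA_URI[uri.strip()]
    except KeyError:
        raise ValueError(f"unknown or non-eIDAS LoA identifier: {uri!r}") from None


def scheme_loa(enrolment: LoA, eid_means: LoA, authentication: LoA) -> LoA:
    """Weakest-link rule: a scheme is rated at the lowest level any factor reaches."""
    return min(enrolment, eid_means, authentication)


def meets(asserted: LoA, required: LoA) -> bool:
    """'Minimum' comparison: accept when the asserted level is at least the required one."""
    return asserted >= required


def loa_from_assertion(xml_text: str) -> LoA:
    """Read the LoA from an (already signature-validated) SAML assertion.

    eIDAS assertions carry exactly one AuthnContextClassRef; a missing or
    duplicated reference is treated as an error rather than guessed at.
    """
    root = ET.fromstring(xml_text)
    refs = root.findall(".//saml2:AuthnContextClassRef", SAML_NS)
    if len(refs) != 1:
        raise ValueError(f"expected exactly one AuthnContextClassRef, found {len(refs)}")
    return parse_loa(refs[0].text or "")


def authorize(xml_text: str, required: LoA) -> bool:
    """Relying-party decision for one assertion against the service's required LoA."""
    return meets(loa_from_assertion(xml_text), required)


# Constructed sample assertion (abridged; a real one is signed and also carries
# Subject, Conditions and the requested attributes).
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AuthnStatement>
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>http://eidas.europa.eu/LoA/substantial</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
</saml2:Assertion>"""


if __name__ == "__main__":
    # In-person enrolment and a smart card, but a Substantial-grade
    # authentication protocol: the scheme as a whole is only Substantial.
    print(scheme_loa(LoA.HIGH, LoA.HIGH, LoA.SUBSTANTIAL).name)  # SUBSTANTIAL
    # A service that demands High must refuse this Substantial assertion.
    print(authorize(SAMPLE_ASSERTION, LoA.HIGH))         # False
    print(authorize(SAMPLE_ASSERTION, LoA.SUBSTANTIAL))  # True
```

Two points worth keeping from this: an unknown LoA identifier is rejected rather than mapped to some default level, and the ordering is explicit (Low < Substantial < High), so a service that requires Substantial also accepts a High assertion, which is the "minimum" comparison an eIDAS relying party expects.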

LoA of existing eID schemes in the EU

A survey of notified eID schemes carried out in September 2022 and published in December 2022, ‘The eIDAS Regulation: A Survey of Technological Trends for European Electronic Identity Schemes’ by Amir Sharif, Matteo Ranzi and others [3], states that out of 40 notified eID schemes:

  • 25 of them support LoA High
  • 20 of them support LoA Substantial
  • 12 of them support LoA Low

The researchers also give an overview of the authentication mechanisms adopted by Member States (MSs) for each LoA, reproduced below.

[Figure: Overview of authentication mechanisms by LoA (High, Substantial, Low) adopted by Member States (MSs) [3]]

From the research cited above it can be said that about 90% of eID schemes support LoA Substantial and/or High; the counts add up to more than 40 because some notified schemes support several levels. For overall interoperability, we should aim for more High rather than more Substantial.

This suggests that these eID means enhance service security by requiring two authentication factors, which makes it considerably harder for an attacker to misuse someone else’s eID. However, the Commission and eIDAS have not prescribed the specific technologies that satisfy the technical requirements for the different LoAs, so there are different routes that the MSs can take when developing their eID schemes.

EUDI Wallet and its Level of Assurance (LoA)

The electronic identification of individuals and legal entities has been tackled over the years in different pan-European projects. With eIDAS, and now eIDAS 2 (the EUDI Wallet ecosystem), the level of assurance will become even more critical for trust services, as can be seen from the direction taken by the large scale pilots (LSPs) and the Architecture and Reference Framework (ARF) for the EUDI Wallet.

‘Substantial and High are the two levels in discussion for the ID Wallet scope. It is not completely resolved yet. What is clear is that the Wallet will be at the High level of assurance to have mutual recognition among member states. As cybersecurity risks are not decreasing, it is good to aim for a high level of security. Moreover, there is a plan in discussion for a path that member states with Substantial LoA can follow to achieve High LoA.’

Gregory Kuhlmey, Digital Identity programme manager at IDEMIA. IDEMIA is currently leading the consortium behind the EUDI Wallet large scale pilot [2].

Currently there are a few national eID schemes notified only at the Substantial level. However, given the Commission’s recent developments, the aim for EUDI Wallets appears to be LoA High.

Considering the different types of information exchanged, and as described in the EUDI Wallet ARF, not all transactions require the Substantial or High level of assurance; some use cases need less strong user authentication. Hence the wallet is required to support two configurations:

  • Type 1: aimed specifically at LoA High
  • Type 2: aimed at use cases where LoA High is not required

Conclusion

Stakeholders need to choose a LoA that covers all their use cases, or opt for a solution offered by Methics. We support digital identity over a wide variety of signing key stores (for example a SAM, Signature Activation Module, with an HSM as a remote key store; a SIM/eSIM as a local key store; or an app keystore).

The Unified Signature SDK combines multiple mobile PKI key stores seamlessly so that they complement each other. Use of any given key store is optional. The SDK gives the user flexibility while maintaining the needed level of trust and security for their multiple keys and certificates/credentials.

https://www.methics.fi/unified-signature-sdk/

At Methics we believe this is an incredible step by the EU to make High LoA mandatory for the Wallets. As pointed out by Eurosmart in their position paper [4], EUDI Wallets should rely only on High LoA. For EUDI Wallet apps, the Unified Signature SDK is a modular way to implement the High and Substantial LoA trust services needed to cover the maximum number of use cases.

Methics is positioned to support the key stakeholders responsible for making the EUDIW a reality. In preparation for the development and implementation of the European Digital Identity (EUDI) Wallet, feel free to get in touch with us if you want to discuss identity wallets, and how qualified trust services for secure digital identity wallets (i.e. SSCD/QSCD) can be provided for an EUDI Wallet solution.

As a global leader in open-standard Mobile ID services, our products deliver technology for strong authentication. Methics has supplied its award-winning (‘Best Mobile Authentication Solution’) Kiuru MSSP as a solution for critical business applications and several national identity management systems. Methics can integrate existing services and high-assurance identity mechanisms into a new identity framework. We support digital identity over a wide variety of authentication mechanisms and security assertions.


References:

  1. http://ehaction.eu/wp-content/uploads/2021/06/eHAction-D8.2.4-Common-eID-Approach-for-Health-in-the-EU-_-for-adoption_19th-eHN.pdf
  2. https://www.euractiv.com/section/digital/podcast/the-european-digital-identitys-pilot-project/
  3. Sharif, A., Ranzi, M., Carbone, R., Sciarretta, G., Marino, F. A., & Ranise, S. (2022). The eIDAS Regulation: A Survey of Technological Trends for European Electronic Identity Schemes. Applied Sciences, 12(24), 12679. https://www.mdpi.com/2076-3417/12/24/12679
  4. https://www.eurosmart.com/wp-content/uploads/2023/01/Eurosmart_positionpaper_level_High_eIDAS_Final_public.pdf
  5. https://ec.europa.eu/digital-building-blocks/wikis/display/DIGITAL/eIDAS+Levels+of+Assurance
  6. https://www.methics.fi/strong-authentication-and-citizens-identity-in-mobile-id/
  7. REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32014R0910&from=EN