A Defined Set of LoA Recommendations for the Use within the UK Education and Research Communities

The ES-LoA project, funded by the UK Joint Information Systems Committee (JISC) under its e-Infrastructure Security Programme, investigates current and future needs among UK research and education community for a more fine-grained access control, which allows service providers to take into account of the levels of confidence in identifying a remote entity requesting for service access. Such a fine-grained access control scheme can be attractive to service providers offering resources with varying levels of sensitivity or wishing to tailor their security protections based upon risk levels. Service providers may wish to restrict access to more sensitive resources only to those who have gone through a more stringent authentication process, or given the same remote entity, require the use of a stronger authentication token should the access request come from a more risky environment. In this way, the quality of an authentication instance, expressed as an authentication Level of Assurance (LoA), becomes one of the parameters used in access control decision making. The project has investigated existing LoA definitions at both national and international levels, and examined the suitability of these definitions when being applied for use in UK education and research communities, and identified gaps in existing authentication and authorization policies, procedures and infrastructure structure and processes in the use of LoA in long term in the UK education and research community. Our research has revealed that the most notable and widely used LoA regime is the one produced by the US government (the OMB Memorandum M-04-04 and NIST SP 800-63 E-Authentication Guideline), which proposes a 4-level LoA model (with Levels 1 to 4). The OMB/NIST 4-level LoA model is being used, or being referenced, by several initiatives, including the US e-government, e-commerce and a number of international federations and research initiatives. A critical mass of institutions adopting and implementing this regime seems to have been established. Through our community consultation with the UK education and research community in terms of LoA definitions and applications, taking into account issues such as interoperability with other international federations and communities, we are able to recommend the community to use the OMB/NIST LoA regime, while addressing the gaps identified when applying this model to federated access management environments based on the Shibboleth technology. This document gives recommendations with regard to concrete steps for the UK education and research community to take in order to implement the OMB/NIST LoA regime, and highlight further work …