Levels of Assurance

Derived from the NIST SP 800-63 Electronic Authentication Guideline (four Levels of Assurance, LoA 1 to 4).

A "-" cell means the option is not permitted, or the threat resistance not required, at that level. Bracketed numbers refer to the footnotes below the table.

| Characteristic | Level 1 | Level 2 | Level 3 | Level 4 |
| --- | --- | --- | --- | --- |
| Potential Identifier | OpenID | OpenID, ePPN | OpenID[1], ePPN | OpenID[1], ePPN |
| Registration and Issuance | | | | |
| Anonymous Credentials | Permitted | Permitted | - | - |
| Basis for Credentials, In Person | None | Government Photo ID | Government Photo ID | Government Photo ID and additional Photo ID |
| Basis for Credentials, Remote | None | Government ID Number, Financial Account Number | Government ID Number, Financial Account Number | Not Permitted |
| Biometrics Captured? | Not Required | Not Required | Not Required | Required |
| Tokens[2] | | | | |
| Password/PIN | Permitted | Permitted | - | - |
| 20 Questions | Permitted | Permitted | - | - |
| Lookup (e.g. TreasuryDirect card) | Permitted | Permitted | - | - |
| Out of Band (e.g. SMS to phone) | Permitted | Permitted | - | - |
| Single Factor OTP (e.g. without PIN) | - | Permitted | - | - |
| Single Factor Crypto (e.g. cert on USB) | - | Permitted | - | - |
| Multi Factor Software Crypto (e.g. cert with PIN) | - | - | Permitted | - |
| Multi Factor OTP (e.g. with PIN) | - | - | - | Permitted |
| Multi Factor Crypto (e.g. cert on USB with PIN) | - | - | - | Permitted |
| Authentication Protocol Threat Resistance | | | | |
| Online Guessing | Required | Required | Required | Required |
| Replay | Required | Required | Required | Required |
| Session Hijacking | - | Required | Required | Required |
| Eavesdropping | - | Required | Required | Required |
| Phishing/Pharming | - | - | Required | Required |
| Man in the Middle | - | Weak | Weak | Strong |
| Denial of Service | - | - | - | - |
| Assertion Protocol[3] Threat Resistance | | | | |
| Assertion Manufacture/Modification | Required | Required | Required | N/A |
| Assertion Disclosure | - | Required | Required | N/A |
| Assertion Repudiation | - | - | Required | N/A |
| Secondary Authenticator Manufacture | Required | Required | Required | N/A |
| Secondary Authenticator Capture and Replay | - | Required | Required | N/A |
| Assertion Substitution | Required | Required | Required | N/A |

[1] Requires a non-anonymous IdP.

[2] Each level imposes its own per-token requirements. Tokens may be combined to form multi-factor authentication at the various LoA. Each level also imposes its own token storage, verification, renewal, and revocation requirements.

[3] e.g. cookies, SAML assertions. Level 4 does not permit assertions.
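The assertion-threat rows of the table name the protections a relying party (RP) must apply before it trusts a federated assertion. What follows is an added example, not code from the page or from NIST: a small Go relying-party verifier that implements the checks behind four of those rows (assertion manufacture/modification, assertion repudiation, assertion substitution, and secondary authenticator capture and replay) for a constructed JSON assertion signed with Ed25519. The struct fields, error names and example URLs are this example's own assumptions. Assertion disclosure is deliberately not covered: it is a confidentiality property met by TLS or by encrypting the assertion, not by verifier logic.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is a constructed, minimal stand-in for a SAML assertion or a
// signed session cookie. Field names are this example's own, not NIST's.
type Assertion struct {
	Issuer   string `json:"iss"`
	Subject  string `json:"sub"`
	Audience string `json:"aud"`   // the relying party it was minted for
	IssuedAt int64  `json:"iat"`   // Unix seconds
	Expires  int64  `json:"exp"`   // Unix seconds
	Nonce    string `json:"nonce"` // single-use value that bounds replay
}

// SignedAssertion is what travels from IdP to RP: the exact bytes that were
// signed plus the Ed25519 signature over them.
type SignedAssertion struct {
	Payload   []byte
	Signature []byte
}

var (
	ErrBadSignature  = errors.New("signature invalid: assertion manufactured or modified")
	ErrWrongIssuer   = errors.New("issuer not trusted")
	ErrWrongAudience = errors.New("audience mismatch: assertion substituted")
	ErrExpired       = errors.New("assertion outside its validity window")
	ErrReplayed      = errors.New("nonce already consumed: assertion replayed")
)

// NewKeyPair generates the IdP's Ed25519 signing key.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign is the IdP side. Because Ed25519 is asymmetric, a valid signature is
// also evidence that only the IdP could have produced the assertion, which is
// what the repudiation row asks for; an HMAC shared with the RP would detect
// modification but could not attribute the assertion to the IdP alone.
func Sign(priv ed25519.PrivateKey, a Assertion) (SignedAssertion, error) {
	payload, err := json.Marshal(a)
	if err != nil {
		return SignedAssertion{}, err
	}
	return SignedAssertion{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verifier holds the RP's trust anchors and its replay cache.
type Verifier struct {
	Issuer    string
	IssuerKey ed25519.PublicKey
	Audience  string
	Now       func() time.Time // injectable clock
	seen      map[string]int64 // nonce -> expiry, so the cache can be pruned
}

func NewVerifier(issuer string, key ed25519.PublicKey, audience string, now func() time.Time) *Verifier {
	return &Verifier{Issuer: issuer, IssuerKey: key, Audience: audience, Now: now, seen: map[string]int64{}}
}

// Verify applies the checks behind the assertion-threat rows in the order
// they must run: signature before parsing, then binding, then freshness.
func (v *Verifier) Verify(sa SignedAssertion) (Assertion, error) {
	// Manufacture/modification: verify over the raw bytes before parsing,
	// so nothing unsigned ever reaches the parser.
	if !ed25519.Verify(v.IssuerKey, sa.Payload, sa.Signature) {
		return Assertion{}, ErrBadSignature
	}
	var a Assertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return Assertion{}, err
	}
	if a.Issuer != v.Issuer {
		return Assertion{}, ErrWrongIssuer
	}
	// Substitution: a genuine assertion minted for another RP is rejected.
	if a.Audience != v.Audience {
		return Assertion{}, ErrWrongAudience
	}
	// Capture and replay: short validity window plus a single-use nonce.
	now := v.Now().Unix()
	if now < a.IssuedAt || now > a.Expires {
		return Assertion{}, ErrExpired
	}
	for n, exp := range v.seen { // drop nonces that can no longer be replayed
		if exp < now {
			delete(v.seen, n)
		}
	}
	if _, dup := v.seen[a.Nonce]; dup {
		return Assertion{}, ErrReplayed
	}
	v.seen[a.Nonce] = a.Expires
	return a, nil
}

func main() {
	pub, priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	v := NewVerifier("https://idp.example", pub, "https://rp.example", time.Now)
	now := time.Now().Unix()
	sa, _ := Sign(priv, Assertion{Issuer: "https://idp.example", Subject: "alice",
		Audience: "https://rp.example", IssuedAt: now, Expires: now + 300, Nonce: "n-1"})
	_, err = v.Verify(sa)
	fmt.Println("first presentation:", err)
	_, err = v.Verify(sa)
	fmt.Println("second presentation:", err)
}
```

The order of checks matters: the signature is verified over the raw bytes before JSON parsing, so a forged or edited payload never influences the parser; audience binding is checked before the nonce is consumed, so an assertion aimed at another RP does not pollute this RP's replay cache; and the nonce cache is keyed by assertion expiry so it can be pruned without reopening a replay window. At Level 4 the table marks every assertion row N/A because assertions are not used there at all.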