Published June 9, 2021 | Version v1
Preprint Open

Making Identity Assurance and Authentication Strength Work for Federated Infrastructures

  • 1. Leibniz Supercomputing Centre, Garching near Munich, Germany
  • 2. Karlsruhe Institute of Technology (KIT), Karlsruhe, Germany
  • 3. Nikhef
  • 4. UKRI STFC Rutherford Appleton Laboratory, Didcot, UK
  • 5. SURF

Description

In both higher Research and Education (R&E) as well as in research/e-infrastructures (in short: infrastructures), federated access and single sign-on by way of national federations, operated in most cases by NRENs, are used as a means to provide users with access to a variety of services. Whereas in national federations institutional accounts, e.g. provided by a university, are typically used to access services, many infrastructures also accept other sources of identity: provided by “community identity providers”, social identity providers, or governmental IDs. In order to assess and communicate the quality of identities being used and authentications being performed, so-called Level of Assurance (LoA) frameworks are used. Because sophisticated LoA frameworks like NIST 800-63-3, Kantara IAF 1420 or eIDAS regulation are often considered too complex to be used in R&E scenarios, the REFEDS Assurance Suite, a more lightweight approach, has been developed. To select an appropriate assurance level, Service Providers need to weigh risks and potential harms in relation to the kind of service they offer. However, the management of risks is often implicitly assumed and little or no guidance to determine the appropriate assurance level is given. In this paper, first, common LoA frameworks and their relation to risk management are investigated. Following that, their components are compared against the REFEDS Assurance Suite using a graphical representation. The focus of this paper lies in providing guidance and best practices based on example scenarios for both Service Providers to request the appropriate REFEDS assurance level, as well as for Identity Provider operators on how to implement REFEDS assurance components.

Notes

Published in the Proceedings of the ISGC Conference 2021 at https://pos.sissa.it/378/029/

Files

ISGC2021-Making_Identity_Assurance_and_AuthenticationStrength_Work_for_Federated_Infrastructures-preprint.pdf

Additional details

Related works

Is source of
Journal article: 10.22323/1.378.0029 (DOI)

Funding

AARC2 – Authentication and Authorisation For Research and Collaboration 730941
European Commission
GN4-3 – Horizon 2020: H2020-SGA-INFRA-GEANT-2018 (Topic [a] Research and Education Networking) 856726
European Commission