Making identity assurance and authentication strength work for federated infrastructures

In both higher Research and Education (R&E) as well as in research-/ e-infrastructures (in short: infrastructures), federated access and single sign-on by way of national federations, operated in most cases by NRENs, are used as a means to provide users with access to a variety of services. Whereas in national federations institutional accounts, e.g. provided by a university, are typically used to access services, many infrastructures also accept other sources of identity: provided by ''community identity providers'', social identity providers, or governmental IDs. In order to assess and communicate the quality of identities being used and authentications being performed, so called Level of Assurance (LoA) frameworks are used. Because sophisticated LoA frameworks like NIST 800-63-3, Kantara IAF 1420 or eIDAS regulation are often considered too complex to be used in R&E scenarios, the REFEDS Assurance Suite, a more lightweight approach, has been developed. To select an appropriate assurance level, Service Providers need to weigh risks and potential harms in relation to the kind of service they offer. However, the management of risks is often implicitly assumed and little or no guidance to determine the appropriate assurance level is given. ... mehrIn this paper, first, common LoA frameworks and their relation to risk management are investigated. Following that, their components are compared against the REFEDS Assurance Suite using a graphical representation. The focus of this paper lies in providing guidance and best practices based on example scenarios for both Service Providers to request the appropriate REFEDS assurance level, as well as for Identity Provider operators on how to implement REFEDS assurance components.