...
- Have you made any cost analysis for introducing (a higher) LoA? Is a higher LoA want from IdPs?
- Any experiences, which costs IdPs have to make in order to achieve a specific LoA?
- Impacts on adopting LoA
Persons asked
- Mikael Linden, CSCHaka
- Wolfgang Pempe, DFN-AAI
- Leif Johansson, SWAMID
- Tom Scavo, InCommon
- David Simonsen, WAYF
Results
- YES (and support of eduPersonAssurance attribute) - Do you have a LoA (schema) in place and which one?
- YES - Do you have contracts with IdPs?
- YES and NO, mostly in mother tongue - Do you require an Identity Management Practice Statement? Do you enforce it?
- Mostly only documentation, not enforced, some have self-audits or pairwise audits (WAYF as exception, as all public institutions are audited); NemID as national two-factor-authentication mechanism at WAYF - Do you require any audits/documentations for IdPs?
- NO and NO - Have you made any cost analysis for introducing (a higher) LoA? Is a higher LoA want from IdPs?
- NO - Any experiences, which costs IdPs have to make in order to achieve a specific LoA?
- Between none till high costs + High burden on the SP side to handle multiple LoA’s - in terms of knowledge needed and changing technical installations to support multi-LoA-policies. - Impacts on adopting LoA
IGTF
[this section was not much discussed in the meeting - the draft answers given should be reviewed by the PMA - so EXPLICITLY: comments welcome!]
1. General overview
- Do you have a LoA (schema) in place and which one? - Yes, as per <https://www.igtf.net/ap/loa/>
- Do you have contracts with IdPs? - No, but there are sanctions for not complying with the requirement (e.g. on attending policy meetings and meeting the self-assessment requirements) that will result in expulsion of an IdP from the federation.
- Do you require an Identity Management Practice Statement? Do you enforce it?- Yes, required and enforced.
- Do you require any audits/documentations for IdPs? - Yes, required for documentation. Audits in the sense of peer-reviewed self-assessment are required periodically, and additional scrutiny is performed on accession.
2. Level of assurance
- Have you made any cost analysis for introducing (a higher) LoA? Is a higher LoA want from IdPs? - No assessment has been done - and for now no relying parties have requested a higher LoA than the one provided (i.e. higher than F2F+2FA)
- Any experiences, which costs IdPs have to make in order to achieve specific LoA? - This is unknown at a federation level, and is much country- and model-dependent. In most cases, the cost of LoA is distributed to the user who has to perform the F2F vetting
- Impacts on adopting LoA - Differentiated LoA has been introduced recently (adding a 'lower' "Identifier-Only" assurance level below the conventional F2F+real name), which has resulted in some relying parties and end-users being confused about the 'trustworthiness' of the credential. It is rather complex to explain to non-experts that within a single federation multiple LoA levels exist, and that these should not be automatically all treated as equal.