Level of Assurance
Level of Assurance (LoA) has been defined to support the OpenID Connect API security framework. OpenID Connect introduces the concept of identity claims about the end user.
LoA in OIDC refers to the certainty an API Provider can have about the identity of the Health Sector Participant accessing their service. It's determined by how strong the authentication was and the verification methods used by the identity provider. Higher LoA means stronger verification. OIDC uses the Authentication Context Class Reference acr token claim to communicate LOA levels to API Providers.
Think of it as a confidence score for user identity: low LoA for basic tasks like commenting on a forum, high LoA for financial transactions.
The Level of Assurance or acr claim is required to:
-
Mitigate the risk of exposing sensitive data to unauthorised users by defining an authorisation strength
-
Provide a strong authentication model to reduce attack surface
-
Provides a trust model that can be applied between API Consumers and API Providers
-
Provides a model for granting granular access to sensitive data, basically higher levels of assurance are required for highly sensitive data
-
Ensure the API Consumer has the appropriate authorisation to act on behalf of the end user
API Providers MUST adopt a Level of Assurance model which can be applied when API Consumers are accessing health records that are classed as MEDICAL IN-CONFIDENCE.π‘
API Providers MUST indicate the LoA associated with a Health Sector Participant's authentication and authorisation process in any issued tokens.π‘
Level of Assuranceβ
Issued tokens can include the following claims that relate to the Level of Assurance (LoA) of the user authentication.
The LoA captures the strength of the authentication method used and provides an indication of the trust that the user's identity is correct.
The API Provider uses these claims to confirm the level of trust that the user is who they say they are, and based on this, what level of access should be granted.
| Claim | Description | How They Are Applied |
|---|---|---|
acr | Authentication Context Class Reference | LoA based on a pre-defined set of values, the higher the value the stronger the LoA.
|
amr | Authentication Methods References | Details the authentication method used e.g. - password - OTP - Biometrics API Providers can define the requirements (acr) based on this information which are enforced by the API Consumers |
azp | Authorised party | Client id of the API Consumer, used where there can be multiple API Consumer services |
Aotearoa New Zealand LoA Standardsβ
There are two key Level of Assurance standards in use in Aotearoa:
-
New Zealand Department of Internal Affairs - Identification Management Standards
-
National Institute of Standards and Technology (NIST) - Digital Identity Guidelines
New Zealand Department of Internal Affairs - Identification Management Standardsβ
Defines four components that focus on the assurance process
- IA - Information Assurance
- BA - Binding Assurance
- AA - Authentication Assurance
- FA - Federation Assurance
National Institute of Standards and Technology - Digital Identity Guidelines (NIST)β
Defines three levels of confidence in the identity of an end user.
- Identity Assurance Level
- Authenticator Assurance level
- Federation Assurance level
Additional LoA Standardsβ
FHIRβ
FHIR currently define a trial Use Level of Assurance model.
This defines the four levels of identity assurance:
| Code | Definition |
|---|---|
| Level 1 | Little or no confidence in the asserted identity's accuracy |
| Level 2 | Some confidence in the asserted identity's accuracy |
| Level 3 | High Confidence in the asserted identity's accuracy |
| Level 4 | Very High confidence in the asserted identity accuracy |
OpenID Connect Level of Assurance Standardsβ
OpenID Connect and Financial Grade API (FAPI) define a Level of Assurance model that API providers MAY use to implement the standards defined above.π‘