Blog · March 14, 2026

Understanding Levels of Assurance (LoA) in Digital Identity

Levels of Assurance (LoA) are crucial for digital identity, defining the confidence in a user's verified identity. This post explores LoA, their importance, and how they apply to various digital interactions, ensuring.

By Didit

LoA Defined: Levels of Assurance (LoA) quantify the confidence in a claimed digital identity, ranging from basic self-declarations to highly secure, government-backed verifications.

Why LoA Matters: Properly assigning LoA prevents fraud, ensures regulatory compliance, and optimizes user experience by matching security requirements to the sensitivity of the transaction or data being accessed.

Key LoA Factors: LoA is determined by the identity proofing process, credential strength, authentication method, and the overall security of the identity management system.

Didit's Role: Didit's modular platform allows businesses to build custom identity workflows that achieve specific LoA requirements, combining ID verification, biometrics, and fraud signals seamlessly.

What Are Levels of Assurance (LoA)?

In the rapidly evolving landscape of digital identity, simply knowing 'who' a person claims to be is no longer enough. Businesses and governments need to ascertain 'how sure' they can be about that identity. This is where Levels of Assurance (LoA) come into play. LoA provides a standardized framework to categorize the degree of confidence that an identity assertion is true and that the user presenting it is indeed the individual to whom the identity was assigned.

Think of LoA as a spectrum. At one end, you might have a low LoA, where a user simply provides a username and password – suitable for accessing public content on a forum. At the other end, a high LoA would involve rigorous identity verification, biometric authentication, and possibly even proof of physical presence, necessary for sensitive transactions like opening a bank account or accessing classified government information.

Standards bodies and regulators, such as NIST (National Institute of Standards and Technology) in the U.S. and the eIDAS regulation in the EU, have established their own LoA frameworks. While their specifics differ, they generally assess similar criteria:

  • Identity Proofing: How was the identity originally verified? Was it self-asserted, or was it backed by official documents and evidence?
  • Credential Strength: How robust is the method used to authenticate the user? Is it a simple password, a multi-factor authentication (MFA) token, or a biometric scan?
  • Authentication Mechanism: How is the user confirmed each time they access a service? Is it through a shared secret, a possession-based factor, or an inherence-based factor?
  • Security and Management: How securely are the identity credentials stored and managed within the system?

Understanding LoA is critical for any organization operating online. It dictates the appropriate level of security for different digital interactions, ensuring that sensitive data is protected without creating unnecessary friction for users in low-risk scenarios.

The Importance of Matching LoA to Use Cases

Implementing the correct Level of Assurance is not a one-size-fits-all endeavor; it's a strategic decision that balances security, user experience, and cost. Mismatched LoA can lead to significant problems:

  • Too Low LoA: If the LoA is insufficient for the sensitivity of the transaction, it opens the door to fraud, data breaches, and non-compliance with regulations. For instance, allowing basic username/password access to a financial trading platform would be disastrous.
  • Too High LoA: Conversely, demanding an unnecessarily high LoA for every interaction can lead to user frustration, high abandonment rates, and increased operational costs. Requiring a full KYC process just to comment on a blog post is overkill and detrimental to engagement.

Consider these practical examples:

  • LoA 1 (Self-Assertion/Low Confidence): A user signs up for a newsletter with just an email address. The risk is minimal; a low LoA is appropriate.
  • LoA 2 (Basic Verification/Medium Confidence): An e-commerce customer makes a purchase. Email verification and possibly a phone number are used. The risk is moderate, involving financial transactions.
  • LoA 3 (High Confidence): A new customer opens a bank account. This requires robust ID document verification, liveness detection, and AML screening. The risk of financial fraud and regulatory penalties is high, demanding a strong LoA.
  • LoA 4 (Very High Confidence): Accessing critical infrastructure or highly sensitive government data. This might involve NFC-based ID verification, advanced biometrics, and ongoing monitoring, aligning with the highest levels of national security.

By carefully assessing the risks associated with various digital services and data, organizations can define and implement identity workflows that provide the right amount of assurance without impeding legitimate users. This nuanced approach is key to building trust in the digital economy.

Components That Build LoA

Achieving a specific Level of Assurance involves combining several distinct identity verification and authentication components. Each component adds a layer of confidence, contributing to the overall LoA:

  1. Identity Proofing: This is the initial process of verifying the user's claimed identity. For higher LoA, this typically involves:
    • ID Document Verification: Automated checks of government-issued IDs (passports, driver's licenses) for authenticity, tampering, and data extraction.
    • NFC Document Reading: Cryptographic validation of e-passports and e-IDs for government-grade assurance.
    • Database Validation: Cross-referencing identity data against official government or trusted third-party databases.
    • Proof of Address: Verifying residency through utility bills or bank statements.
  2. Biometric Verification: These technologies confirm that the person presenting the identity is indeed the legitimate owner.
    • Liveness Detection: Verifies that the user is a real, live person and not a spoof (photo, video, deepfake). This can be passive (frictionless) or active (requiring user actions).
    • Face Match 1:1: Compares a live selfie to the photo on the ID document to confirm the user is the document holder.
    • Biometric Authentication: Using a live selfie for passwordless re-authentication for returning users, often combined with liveness.
  3. Authentication & Fraud Signals: Beyond initial verification, ongoing checks maintain LoA.
    • Multi-Factor Authentication (MFA): Combining something the user knows (password), has (phone), or is (biometric).
    • IP Analysis: Detecting suspicious IP addresses, VPNs, or device anomalies.
    • AML Screening: Checking against sanctions lists, PEP databases, and adverse media for financial compliance.
    • Ongoing AML Monitoring: Continuous re-screening of users post-onboarding.
    • Phone/Email Verification: Confirming ownership and assessing risk associated with contact details.

The combination and strength of these components define the overall LoA. For example, a system requiring ID document verification, active liveness, and Face Match 1:1, followed by ongoing AML screening, would achieve a very high LoA suitable for regulated industries.
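To make the "components build LoA" idea concrete, here is an added example (not code from Didit or from this post) of a small assurance evaluator: it maps the verification components a session has completed to the highest level they satisfy, and reports which components are still missing for a target level. The component names, the per-level requirement table and the "NFC implies optical document verification, active liveness implies liveness" rules are assumptions modelled on the LoA 1-4 scenarios above, not an official NIST or eIDAS mapping.

```python
"""Assurance-level evaluator (added example; table and names are assumptions)."""

# Constructed requirement table: each level lists alternative component sets;
# the level is met when ALL components of at least one alternative are present.
# Modelled on the post's LoA 1-4 scenarios, not on any standard's exact mapping.
LOA_REQUIREMENTS = {
    1: [{"email_verified"}],
    2: [{"email_verified", "phone_verified"},
        {"id_document_verified"}],                  # document-only proofing, no biometric binding
    3: [{"id_document_verified", "liveness", "face_match", "aml_screening"}],
    4: [{"nfc_document_verified", "active_liveness", "face_match",
         "aml_screening", "ongoing_aml_monitoring"}],
}

# Stronger components subsume weaker ones (assumption): a cryptographically
# validated NFC chip read is at least as strong as an optical document check,
# and either liveness mode satisfies a plain "liveness" requirement.
IMPLIES = {
    "nfc_document_verified": {"id_document_verified"},
    "active_liveness": {"liveness"},
    "passive_liveness": {"liveness"},
}


def normalize(evidence):
    """Expand the evidence set with the weaker components it implies."""
    out = set(evidence)
    for comp in list(out):
        out |= IMPLIES.get(comp, set())
    return out


def level_met(evidence, level):
    """True if any alternative requirement set for `level` is fully present."""
    ev = normalize(evidence)
    return any(req <= ev for req in LOA_REQUIREMENTS[level])


def achieved_loa(evidence):
    """Highest level whose requirements are met, or 0 if none is met."""
    met = [lvl for lvl in LOA_REQUIREMENTS if level_met(evidence, lvl)]
    return max(met, default=0)


def missing_for(evidence, level):
    """Smallest set of extra components that would complete `level`
    (chosen across that level's alternative requirement sets)."""
    ev = normalize(evidence)
    return min((req - ev for req in LOA_REQUIREMENTS[level]), key=len)


def evaluate_session(evidence, required):
    """Approve if the achieved level covers the required one; otherwise name
    the step-up components so the workflow can escalate instead of rejecting."""
    achieved = achieved_loa(evidence)
    if achieved >= required:
        return {"decision": "approve", "achieved": achieved, "missing": set()}
    return {"decision": "step_up", "achieved": achieved,
            "missing": missing_for(evidence, required)}


if __name__ == "__main__":
    # Constructed sample sessions mirroring the post's scenarios.
    newsletter = {"email_verified"}
    shopper = {"email_verified", "phone_verified"}
    partial_bank = {"id_document_verified", "passive_liveness", "face_match"}
    gov_grade = {"nfc_document_verified", "active_liveness", "face_match",
                 "aml_screening", "ongoing_aml_monitoring"}
    for name, ev, need in [("newsletter", newsletter, 1), ("shopper", shopper, 2),
                           ("partial_bank", partial_bank, 3), ("gov_grade", gov_grade, 4)]:
        print(name, evaluate_session(ev, need))
```

The partial bank-onboarding session illustrates the point of the table: document verification plus biometrics without AML screening lands at LoA 2, and the evaluator tells the workflow that only the screening step is missing rather than forcing the user to start over.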

How Didit Helps Achieve the Right LoA

Didit is purpose-built to empower businesses to implement precise Levels of Assurance for any digital interaction. Our all-in-one identity platform provides the modularity and flexibility needed to construct identity workflows tailored to specific LoA requirements, without stitching together multiple vendors.

  • Comprehensive Module Suite: Didit offers 18 composable modules covering ID verification, biometrics, AML screening, fraud signals, and more. This extensive toolkit allows you to pick and choose the exact components needed for your desired LoA. For a high LoA, you might combine NFC Document Reading, Active Liveness, Face Match 1:1, and Ongoing AML Monitoring. For a lower LoA, Passive Liveness and Face Match might suffice.
  • Visual Workflow Orchestration: Our no-code Workflow Builder allows you to visually design complex identity flows. You can drag and drop modules, set conditional logic (e.g., if age estimation is uncertain, escalate to full IDV), and configure thresholds for auto-approval or manual review. This means you can dynamically adjust the LoA based on risk factors like transaction value, country of origin, or user history.
  • Pay-per-Success Model: Didit's transparent pricing ensures you only pay for successfully completed verification steps. This allows businesses to experiment with different LoA configurations and optimize their workflows for both security and cost-efficiency without financial penalties for abandoned sessions.
  • Security and Compliance: With SOC 2 Type II, ISO 27001, GDPR compliance, and iBeta Level 1 certified liveness detection, Didit provides the underlying security and compliance necessary to support high LoA requirements for even the most regulated industries.
  • Seamless Integration: Whether you prefer hosted verification links, Web SDKs, native Mobile SDKs, or direct API integration, Didit makes it easy to embed robust identity verification into your existing applications, minimizing integration time and resources.
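The conditional logic described above (escalating when a cheap check is uncertain, and raising or lowering the required assurance by transaction value, country or user history) can be expressed as a small risk policy. The following is an added illustration written for this page, not Didit's Workflow Builder, API or module catalogue; the value tiers, the placeholder high-risk country codes, the 0.8 age-estimation confidence cutoff, the manual-review threshold and the step-up module names are all constructed assumptions.

```python
"""Risk-based required-LoA selection with step-up routing (added example;
all thresholds and names below are assumptions)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Context:
    transaction_value: float                 # amount in the account currency (assumption)
    country: str                             # ISO 3166-1 alpha-2 code of origin
    prior_verified_sessions: int             # successful verifications on this account
    age_estimation_confidence: Optional[float] = None  # 0..1 from a cheap age check, if run


HIGH_RISK_COUNTRIES = {"XX", "YY"}            # placeholder codes, not a real risk list
VALUE_TIERS = [(0, 1), (100, 2), (10_000, 3)]  # (value floor, minimum LoA), ascending
MANUAL_REVIEW_VALUE = 50_000                  # above this, approvals go to a human
STEP_UP_MODULE = {                            # hypothetical module names for escalation
    2: "phone_verification",
    3: "id_document_verification_with_liveness",
    4: "nfc_document_reading_with_active_liveness",
}


def required_loa(ctx):
    """Required level only ever rises with risk: value tier first, then
    adjustments for country, first-time users and an uncertain age estimate."""
    level = 1
    for floor, lvl in VALUE_TIERS:
        if ctx.transaction_value >= floor:
            level = lvl
    if ctx.country in HIGH_RISK_COUNTRIES:
        level = min(level + 1, 4)
    if ctx.prior_verified_sessions == 0:
        level = max(level, 2)               # no history: at least basic verification
    conf = ctx.age_estimation_confidence
    if conf is not None and conf < 0.8:
        level = max(level, 3)               # cheap check inconclusive: escalate to document proofing
    return level


def decide(ctx, achieved_loa):
    """Route a session: approve, send to manual review, or step up to the
    module that would reach the required level. `achieved_loa` is the level
    the session has already reached (an integer 0..4)."""
    need = required_loa(ctx)
    if achieved_loa < need:
        return ("step_up", need, STEP_UP_MODULE[need])
    if ctx.transaction_value >= MANUAL_REVIEW_VALUE:
        return ("manual_review", need, None)
    return ("approve", need, None)


if __name__ == "__main__":
    # Constructed scenarios: a returning low-value user, a first-time mid-value
    # buyer, a high-risk-origin transfer, and an uncertain age estimate.
    print(decide(Context(50, "DE", 5), 1))
    print(decide(Context(500, "DE", 0), 1))
    print(decide(Context(20_000, "XX", 2), 3))
    print(decide(Context(50, "DE", 5, age_estimation_confidence=0.5), 1))
```

Because every rule in required_loa only raises the level, adding a new risk signal can never silently weaken the assurance demanded for a transaction; relaxing assurance for trusted users should be a deliberate, separate decision rather than a side effect of rule ordering.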

By leveraging Didit's platform, businesses can confidently assert the identity of their users, mitigate fraud, meet regulatory obligations, and provide a frictionless experience – all while precisely controlling the Level of Assurance for each unique use case.

Ready to Get Started?

Defining and implementing the right Levels of Assurance is fundamental to securing your digital services and fostering user trust. With Didit, you gain a powerful, flexible, and cost-effective solution to build identity workflows that precisely match your security needs.

Explore how Didit can elevate your identity verification strategy. Visit our pricing page to see our transparent pay-as-you-go model, or check out our demo center to experience the platform firsthand. For a deeper dive into our capabilities, browse our technical documentation or contact us at hello@didit.me.
