Understanding Levels of Assurance (LoA) for Digital Identity
Levels of Assurance (LoA) are crucial for digital identity, defining the confidence in a user's verified identity. This post explores the different LoA levels, their applications, and how to choose the right one for various use cases.

- LoA Defined: Levels of Assurance (LoA) quantify the confidence that a claimed identity is true, encompassing factors like identity proofing, authentication strength, and binding to an individual.
- Tiered Approach: Different LoA levels exist (e.g., NIST LoA 1-4, eIDAS Low, Substantial, High) to match the risk and security needs of various digital services and transactions.
- Use Case Specificity: Choosing the correct LoA is critical; a simple forum login requires a lower LoA than a financial transaction or accessing highly sensitive personal data.
- Dynamic Orchestration: Modern identity platforms like Didit allow businesses to dynamically orchestrate verification flows to achieve specific LoA levels, optimizing both security and user experience.
What are Levels of Assurance (LoA)?
In the digital world, establishing trust in who a user claims to be is paramount. Levels of Assurance (LoA) provide a standardized framework for evaluating and communicating the confidence that a claimed identity is legitimate. Essentially, LoA indicates how certain you can be that a person is who they say they are, based on the rigor of the identity verification and authentication processes they've undergone.
Various standards bodies, such as NIST (National Institute of Standards and Technology) in the US and eIDAS (electronic IDentification, Authentication and trust Services) in Europe, have defined their own LoA frameworks. While their specifics may differ, the core concept remains consistent: higher LoA means greater confidence in the user's identity, typically requiring more stringent verification steps.
Factors contributing to a specific LoA include:
- Identity Proofing: How was the identity initially verified? Was it based on a self-declaration, a government-issued ID, or an in-person check?
- Authentication Strength: How is the user authenticating their identity? Is it a simple password, multi-factor authentication (MFA), or biometrics?
- Binding to an Individual: How strongly is the digital identity linked to a unique physical person?
- Fraud Detection: What measures are in place to detect and prevent imposters or synthetic identities?
Common LoA Frameworks and Their Characteristics
Let's look at two prominent LoA frameworks to understand their distinctions:
NIST's Digital Identity Guidelines (SP 800-63-3)
- LoA 1 (Low): Provides some confidence in the asserted identity. Typically involves self-asserted identity with email/phone verification. Suitable for public access to information where the risk of misuse is low. Example: Anonymous forum posts or newsletter subscriptions.
- LoA 2 (Medium): Increased confidence. Identity proofing usually involves remote verification against authoritative sources (e.g., ID document scan + selfie). Authentication often uses single-factor remote authentication (like a password) or basic MFA. Example: Accessing non-sensitive online services, basic e-commerce.
- LoA 3 (High): High confidence. Robust identity proofing, often requiring a strong binding to a physical person, potentially with biometric verification or NFC document reading. Authentication typically involves strong MFA (e.g., biometrics, hardware tokens). Example: Online banking, government services accessing personal data, high-value financial transactions.
- LoA 4 (Very High): Very high confidence. Requires in-person identity proofing or equivalent, and highly secure cryptographic authentication. Designed for extremely high-risk transactions or access to critical infrastructure. Rarely implemented in purely online scenarios.
eIDAS Regulation (EU) - Low, Substantial, High
- Low: Provides a limited level of confidence in the asserted identity. Similar to NIST LoA 1, often relies on basic registration and single-factor authentication. Example: Access to general public information.
- Substantial: Provides a substantial level of confidence. Requires identity proofing with remote verification against official documents and strong authentication (e.g., MFA). Comparable to NIST LoA 2-3. Example: Accessing public services with personal data, online tax filing.
- High: Provides a high level of confidence. Involves rigorous identity proofing, potentially requiring face-to-face or equivalent remote verification with biometrics, combined with strong cryptographic authentication. Aligns with NIST LoA 3 or higher. Example: Opening a bank account, signing contracts electronically, cross-border public services.
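The factors listed earlier (proofing, authentication strength, binding) and the two tier tables above can be turned into a small assessment routine. The following is an added example, not code from the post or from Didit: it encodes the post's descriptions as lookup tables, derives the NIST-style level as the weakest of proofing and authentication, caps the result at Medium when the document was never bound to the live person, and maps the result to an eIDAS tier. The method names, the strength numbers and the choice to map LoA 3 to eIDAS High are assumptions.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class LoA(IntEnum):
    """NIST-style levels as described in the post (1 = Low ... 4 = Very High)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    VERY_HIGH = 4


# Identity-proofing strength. The method names and their levels are an assumed
# encoding of the post's descriptions, not a standard's normative table.
PROOFING_LEVEL = {
    "self_asserted": LoA.LOW,                # email/phone verification only
    "remote_document": LoA.MEDIUM,           # ID document scan + selfie, remote
    "remote_document_biometric": LoA.HIGH,   # adds liveness / face match or NFC chip read
    "in_person": LoA.VERY_HIGH,              # in-person proofing or equivalent
}

# Authenticator strength: 1 = shared secret, 2 = biometric or hardware token,
# 3 = cryptographic device (assumed encoding).
AUTH_STRENGTH = {
    "password": 1,
    "otp": 1,
    "biometric": 2,
    "hardware_token": 2,
    "cryptographic_device": 3,
}

# eIDAS mapping following the post's comparisons; treating LoA 3 as "High"
# is an assumption, since the post places it at the Substantial/High boundary.
EIDAS_LEVEL = {LoA.LOW: "Low", LoA.MEDIUM: "Substantial",
               LoA.HIGH: "High", LoA.VERY_HIGH: "High"}


@dataclass
class IdentityRecord:
    proofing: str                                    # key of PROOFING_LEVEL
    authenticators: list[str] = field(default_factory=list)
    binding_verified: bool = True                    # False when the document was checked
                                                     # but never bound to the live person


@dataclass
class Assessment:
    proofing: LoA
    authentication: LoA
    overall: LoA
    eidas: str


def authentication_level(authenticators: list[str]) -> LoA:
    """A single factor caps at Medium (the post's LoA 2 allows a lone password);
    MFA with a biometric or hardware token reaches High; a cryptographic device
    plus a second factor reaches Very High; password + OTP is basic MFA (Medium)."""
    factors = set(authenticators)
    if not factors:
        return LoA.LOW
    for name in factors:
        if name not in AUTH_STRENGTH:
            raise ValueError(f"unknown authenticator {name!r}")
    strongest = max(AUTH_STRENGTH[f] for f in factors)
    if len(factors) == 1:
        return LoA.MEDIUM
    if strongest == 3:
        return LoA.VERY_HIGH
    if strongest == 2:
        return LoA.HIGH
    return LoA.MEDIUM


def assess(record: IdentityRecord) -> Assessment:
    """Overall LoA is the weakest link: strong MFA on a self-asserted identity is
    still LoA 1, and a strongly proofed identity behind a lone password is LoA 2."""
    if record.proofing not in PROOFING_LEVEL:
        raise ValueError(f"unknown proofing method {record.proofing!r}")
    proofing = PROOFING_LEVEL[record.proofing]
    auth = authentication_level(record.authenticators)
    overall = min(proofing, auth)
    # The post's LoA 3 requires a strong binding to a physical person.
    if not record.binding_verified:
        overall = min(overall, LoA.MEDIUM)
    return Assessment(proofing, auth, overall, EIDAS_LEVEL[overall])


if __name__ == "__main__":
    demo = IdentityRecord("remote_document_biometric", ["password", "biometric"])
    print(assess(demo))
```

The weakest-link rule is the point worth keeping from this: adding a biometric login to an account that was only ever email-verified does not raise its assurance, because the proofing dimension still says nothing about who the person is. SP 800-63-3 makes this separation explicit by scoring identity proofing (IAL) and authentication (AAL) independently rather than as one combined number.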
Matching LoA to Your Use Case: Practical Examples
The key is to select an LoA that balances security requirements with user experience and operational cost. Over-verifying can lead to friction and abandonment, while under-verifying exposes you to fraud and compliance risks.
Low LoA Use Cases
- Newsletter Sign-up / Blog Commenting: A simple email verification (Didit's Email Verification module) is often sufficient. The risk of fraud is minimal, and the goal is to reduce spam.
- Basic Content Access: For platforms offering free content that requires a quick login, a username/password combination with a basic email or phone verification for account recovery might suffice (Didit's Phone Verification).
Medium LoA Use Cases
- E-commerce Account Creation: When users create accounts to save shipping details or view order history, an ID document scan combined with a passive liveness check (Didit's ID Verification + Passive Liveness) provides a good balance. This helps prevent multi-accounting and basic fraud.
- Gaming Platforms: For age-restricted games or in-game purchases, age estimation (Didit's Age Estimation) or a full ID verification might be needed to comply with regulations.
- Accessing Non-Sensitive Customer Portals: A multi-factor authentication (MFA) step, such as an OTP to a registered phone or email, after initial identity proofing, is usually appropriate.
High LoA Use Cases
- Financial Account Opening (KYC/AML): This is a classic high LoA scenario. It demands robust identity proofing with government-issued ID verification, active liveness detection, face matching, and comprehensive AML screening (Didit's ID Verification + Active Liveness + Face Match 1:1 + AML Screening). Ongoing AML monitoring is also crucial.
- Regulated Online Services (e.g., Gambling, Crypto Exchanges): Similar to financial services, these require stringent KYC/AML processes to prevent fraud and money laundering and to ensure age compliance. NFC document reading can add an extra layer of assurance.
- Telemedicine / Healthcare Access: Verifying a patient's identity before they access sensitive health records or receive medical advice requires a high degree of confidence. Biometric authentication for returning users (Didit's Biometric Authentication) is vital here.
- Government Services (High-Value): Accessing tax records, applying for benefits, or digital signing of legal documents requires very high assurance to prevent identity theft.
How Didit Helps Achieve Required LoA
Didit's all-in-one identity platform is designed to provide the flexibility and power to achieve any required Level of Assurance, tailored to specific use cases and regulatory needs.
- Modular Architecture: Didit offers 18 composable modules, from basic email verification to advanced NFC document reading and ongoing AML monitoring. Each module contributes to increasing the LoA of a user's identity.
- Workflow Orchestration: The visual Workflow Builder allows businesses to drag and drop these modules to create custom verification flows. This means you can design workflows that dynamically adjust LoA based on risk factors, transaction value, or user behavior. For instance, a simple login might only require face match, while a high-value withdrawal triggers full ID verification, liveness, and AML screening.
- Biometric Verification: With passive and active liveness detection, 1:1 face matching, and biometric authentication, Didit provides robust biometric capabilities crucial for higher LoA.
- ID Document & Database Validation: Supporting 14,000+ document types across 220+ countries, Didit's ID verification, combined with NFC reading and database validation, provides government-grade identity assurance.
- Fraud Signals & AML: Integrated IP analysis, device data, and real-time AML screening against 1,300+ global watchlists significantly bolster the confidence in a user's identity and mitigate fraud risks, essential for higher LoA.
- Reusable KYC: For returning users, Didit's eIDAS2-compatible Reusable KYC allows users to share pre-verified credentials with biometric re-authentication, maintaining high LoA while vastly improving user experience.
By orchestrating these powerful tools, businesses can precisely control the level of assurance for each interaction, ensuring compliance, minimizing fraud, and optimizing the user journey without unnecessary friction.
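The use-case sections and the workflow orchestration point above describe a policy decision: compare what the session has proven with what the action needs, and step up only the dimension that falls short. The following is an added example, not Didit's Workflow Builder or API: the action table, the withdrawal threshold of 1000 and the step-up module lists are assumptions built from the post's examples, and the module names merely echo the ones the post mentions. It also emits an audit line per decision, which is what a detection team would want to see from such an engine.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class LoA(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    VERY_HIGH = 4


@dataclass
class Session:
    proofing: LoA   # strongest identity proofing on record for this user
    auth: LoA       # strength of the authentication performed in this session

    @property
    def effective(self) -> LoA:
        return min(self.proofing, self.auth)   # weakest link


@dataclass
class Decision:
    action: str
    required: LoA
    session: Session
    steps: list[str] = field(default_factory=list)

    @property
    def allowed(self) -> bool:
        return not self.steps


# Hypothetical policy table built from the post's use-case sections. Thresholds
# such as the 1000 withdrawal limit are assumptions, not regulatory values.
def required_loa(action: str, amount: float = 0.0) -> LoA:
    if action in ("read_public_content", "comment"):
        return LoA.LOW
    if action in ("login", "view_order_history"):
        return LoA.MEDIUM
    if action == "withdraw":
        return LoA.HIGH if amount >= 1000 else LoA.MEDIUM
    if action in ("open_account", "sign_contract", "access_health_record"):
        return LoA.HIGH
    raise ValueError(f"no assurance policy for action {action!r}")  # fail closed


# Verification steps that raise each dimension to a level. The names echo the
# modules the post mentions; their composition here is assumed, not Didit's API.
PROOFING_STEPS = {
    LoA.LOW: ["email_verification"],
    LoA.MEDIUM: ["id_verification", "passive_liveness"],
    LoA.HIGH: ["id_verification", "active_liveness", "face_match_1_1", "aml_screening"],
    LoA.VERY_HIGH: ["in_person_proofing"],
}
AUTH_STEPS = {
    LoA.LOW: ["password"],
    LoA.MEDIUM: ["otp"],
    LoA.HIGH: ["biometric_authentication"],
    LoA.VERY_HIGH: ["cryptographic_device"],
}


def authorize(action: str, session: Session, amount: float = 0.0) -> Decision:
    """Compare the session's assurance with what the action needs and, on a
    shortfall, list only the steps for the dimension that is actually short:
    a returning user proofed at High but logged in with an OTP needs a biometric
    re-authentication, not a fresh document check (the post's Reusable KYC case)."""
    need = required_loa(action, amount)
    steps: list[str] = []
    if session.proofing < need:
        steps += PROOFING_STEPS[need]
    if session.auth < need:
        steps += AUTH_STEPS[need]
    return Decision(action, need, session, steps)


def audit_line(decision: Decision) -> str:
    """One key=value line per decision so log rules can spot accounts that keep
    hitting high-assurance actions at low LoA or repeatedly fail a step-up."""
    s = decision.session
    return (f"action={decision.action} required={decision.required.name} "
            f"proofing={s.proofing.name} auth={s.auth.name} "
            f"effective={s.effective.name} allowed={decision.allowed} "
            f"step_up={','.join(decision.steps) or '-'}")


if __name__ == "__main__":
    returning = Session(proofing=LoA.HIGH, auth=LoA.MEDIUM)
    print(audit_line(authorize("login", returning)))
    print(audit_line(authorize("withdraw", returning, amount=5000)))
```

Two design choices carry the security weight here: the policy table raises on an unknown action instead of defaulting to Low, so a new endpoint cannot silently ship without an assurance requirement, and step-up targets the weak dimension rather than re-running the full flow, which is what keeps high LoA from turning into the friction the post warns about.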
Ready to Get Started?
Understanding and implementing the right Levels of Assurance is fundamental to building secure and compliant digital services. With Didit, you gain a powerful, flexible platform to manage all your identity needs, from basic verification to the most stringent LoA requirements. Explore how Didit can elevate your identity strategy.