Methics encourages the step taken by EU and US governments to map the definitions, identity assurance frameworks, and international standards referenced in the EU and US digital identity landscapes.
Note: This exercise excludes the proposed revisions to the NIST 2.0 guidelines and the recent EUDIW regulation, focusing instead on active guidance from existing standard documents. However, EUDIW level of assurances is based on current eIDAS defined LoAs.
Apart from mapping exercise, few main points noted between both standards were:
- Report pointed out that despite EU implementing act, talks about using ISO 29115 Regulation (EU) 2015/1502, Commission’s Implementation of eIDAS (910/2014) differs from the international standard ISO 29115, in relation to identity proofing and verification requirements.
- eIDAS contains several international standards references that relate to electronic signatures. However, NIST do not touch electronic signatures in depth, they do refer to international standards focused on security techniques.
- Both eIDAS and NIST standards refer to:
- ISO/IEC 29115:2013 for identity assurance of persons and non-person entities.
- RFC 5280 describing Internet X.509 PKI Certificate & CRL Profile.
Level of Assurance (LoA)
The report also examines levels of assurance (LoA), comparing them across identity proofing and authentication components. Both the EU and US frameworks employ three ascending levels to signify increasing confidence in identification methods. Notably, while the NIST guidelines delineate identity, authentication, and federation assurance levels separately, the EU opts for a unified approach. Despite this organizational discrepancy, the fundamental principles remain aligned. Table below maps NIST LoA with eIDAS LoA.
NIST SP 800-63-3 (IAL, AAL, FAL) | EU No 910/2014 eIDAS Level of assurance |
IAL1, AAL1, FAL1 | Low i.e. LoA 1 of |
IAL2, AAL2, FAL2 | Substantial i.e. LoA 2 |
IAL3, AAL3, FAL3 | High i.e. LoA 3 |
Note: As eIDAS LoA’s are mentioned as low, substantial or high, and not represented as 1, 2, 3 etc. ISO 29115 upon which eIDAS implementation is based uses numeric LoAs. In this report, reportedly eIDAS LoAs are defined as shown in right column of the table above.
Methics explained eIDAS Level of Assurances in our blog in 2023. Previously EU organizations have used this mapping for LoAs (Figure 2. page 19 of this EU_Report).
A detailed comparative analysis in the report sheds light on the similarities and differences across various LoAs. At LoA “Low i.e. LoA 1” (IAL1/AAL1), both the EU and US share similarities in addressing guessing, eavesdropping, and replay attacks. However, differences emerge in specific requirements such as address confirmation.
Similarly, at LoA2 (IAL2/AAL2), while there are commonalities in addressing security threats, disparities exist in evidence validation and address confirmation procedures.
LoA3 (IAL3/AAL3) exhibits similar trends, with both regions emphasizing multi-factor authentication while differing in specific verification processes.
LoA | NIST SP 800-63-3 | EU Regulation 910/2014 |
---|---|---|
Low (IAL1/ AAL1) | No minimum requirements for evidence, validation, or verification. | No minimum requirements for evidence, validation, or verification. EU specifies requirements for address confirmation related to binding. |
Substantial (IAL2/ AAL2) | Similar validation criteria but differences in evidence requirements and address confirmation procedures. | Differences in evidence requirements, validation, and address confirmation procedures. |
High (IAL3/ AAL3) | Similar validation criteria but differences in evidence requirements and verification processes. | Differences in evidence requirements, verification, and address confirmation procedures. |
Mapping Definitions and Frameworks
One of the report’s key findings is the significant overlap in definitions between NIST SP 800-63-3 and EU No 910/2014. While the wording may differ, the underlying meanings are often identical, underscoring the similarity in conceptual frameworks between the EU and US.
However, the report identifies differences, particularly in the treatment of trust services. The EU’s scope includes concepts such as qualified electronic signatures and conformity assessment bodies, whereas NIST guidance maintains a broader, implementation-agnostic perspective. A spreadsheet detailing the results of the mapping definitions may be viewed HERE.
Feedback to the working group
- Since both NIST & eIDAS assurance levels take reference from ISO/IEC 29115:2013, it will be ideal to have a mapping which translates ISO 29115 defined LoAs i.e. 1, 2, 3 and 4 to NIST and eIDAS current levels. As it was used by EU in some previous documentation (Figure 2. page 19 of this EU_Report). For example, Table 4 can be updated or a picture similar to below can be added.
- There is no explicit mention in eIDAS regulation as LoA 1, 2, 3. Only LoA Low, Substantial and High are used from eIDAS LoA. These should be used to avoid confusion. For example: Table 4 of Section 3.2 should also refer to eIDAS LoAs as High, Substantial or Low, instead of numeric.
- Differences listed between each LoA should be presented in tabular form instead of current section 3.2.1, 3.2.2, and 3.2.3 of the report.
- It should be highlighted that combined level of the service is the lowest of component levels. For example if a service is based on {IAL3, AAL2, FAL3} would be mapped to lowest of the aspects i.e. AAL2, which maps to eIDAS “Substantial”.
Methics compiled the image below to map different assurance levels by providing context.
Conclusion
In conclusion, the Draft EU-US TTC Digital Identity Mapping Exercise Report provides invaluable insights into the alignment and disparities between the EU and US digital identity landscapes.
While significant similarities exist in definitions and frameworks, but both standards rely on ISO 29115 to define basic levels of assurance, differences emerge in the treatment of trust services and specific procedural requirements.
Published date: 28th February 2024 Written and Edited by: Ammar Bukhari & Jarmo Miettinen
Methics being one of the leaders in mobile signatures industry has interfaced with all kinds of SSCDs which acts as a multi authentication factor i.e. what user have (a specific mobile phone) or something only the user is (biometrics) to provide solutions of all levels of assurances. Feel free to get in touch with us if you want to discuss Digital Identity, Mobile Signatures and SSCDs. We support digital identity over a wide variety of authentication mechanisms and security assertions.
References
- Draft EU-US TTC Digital ID mapping exercise report: https://www.nist.gov/system/files/documents/2023/12/22/EU-US%20TTC%20WG1_Digital_Identity_Mapping_Report_Final%20Draft%20for%20Comment_22122023.pdf
- Detail mapping exercise spreadsheet: https://docs.google.com/spreadsheets/d/e/2PACX-1vS6PNo1dIXQPs50DbOK6xC3-jf1qTx0DwOf44mdLN4Mwetm1kF2U0D1Yto7wPiSug/pubhtml#
- NIST SP 800-63-3: https://pages.nist.gov/800-63-3/sp800-63-3.html
- eIDAS (919/2014): https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2014.257.01.0073.01.ENG
- eIDAS implementation act: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ%3AJOL_2015_235_R_0002
- ISO ISE 29115 standard: http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=45138
- Understanding eIDAS Level of Assurance by Methics: https://www.methics.fi/understanding-eidas-level-of-assurance/
- EU’s LoA mapping. Figure 2: http://ehaction.eu/wp-content/uploads/2021/06/eHAction-D8.2.4-Common-eID-Approach-for-Health-in-the-EU-_-for-adoption_19th-eHN.pdf