ISO/IEC 29115 is an international standard entitled ‘Information technology — Security techniques — Entity authentication assurance framework’.
As artificial intelligence and online banking systems spread, this standard is gaining attention and importance. It provides a framework for ensuring the security and reliability of authentication processes, and it is used to assess and manage the level of assurance with which the identity of an individual or a legal entity is authenticated.
Assurance Levels
Assurance levels depend on the strength of the identity proofing process and on the types of credentials and authentication mechanisms used during a transaction. For identity proofing, the level of assurance depends on the method of identification (e.g. face-to-face or remote), the attributes collected and the degree of certainty with which these attributes are verified (e.g. through cross-checks and deduplication). For authentication, the level of assurance depends on the type of credentials, the number of authentication factors used (i.e. one versus more than one) and the cryptographic strength of the transaction.
The main purpose of ISO 29115 is to outline four Levels of Assurance (LoA) that help define how confident an organisation can be that an entity claiming an identity is that entity. These levels include the following:
Level 1: Low Assurance
The risk of false or fraudulent claims is acceptable for lower-level security operations.
Level 2: Medium Assurance
Risk is moderate, with more robust authentication requirements than Level 1, but still suitable for standard applications.
Level 3: High Assurance
Strong confidence in the legal entity’s identity is required, typically involving multi-factor authentication or other secure mechanisms.
Level 4: Very High Assurance
Requires the highest level of trust in authentication, typically for highly sensitive or critical systems.
ISO 29115 helps organisations implement appropriate authentication methods based on the sensitivity of the systems being accessed and the potential risks involved. It is widely applicable in areas such as online banking, government services, healthcare and other sectors where secure authentication is crucial.
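To make the four levels concrete, here is an added Python sketch (not code from ISO/IEC 29115 or from the page's author) of how a relying party could derive an overall Level of Assurance from the identity-proofing and authentication properties described above and use it as an access check. The field names, the thresholds and the rule that the overall level is capped by the weakest phase are illustrative assumptions, not the standard's normative text.

```python
from dataclasses import dataclass
from enum import IntEnum

class LoA(IntEnum):
    LOW = 1         # Level 1
    MEDIUM = 2      # Level 2
    HIGH = 3        # Level 3
    VERY_HIGH = 4   # Level 4

@dataclass(frozen=True)
class Proofing:  # how the identity was established at enrolment (hypothetical fields)
    face_to_face: bool   # True for in-person proofing, False for remote
    cross_checked: bool  # attributes verified against authoritative records
    deduplicated: bool   # checked that the identity is not already enrolled

@dataclass(frozen=True)
class Authentication:  # properties of the credential(s) used in this transaction
    factors: int          # 1 = single-factor, 2 or more = multi-factor
    cryptographic: bool   # possession proven via a cryptographic protocol
    hardware_bound: bool  # private key held in a tamper-resistant device

def proofing_loa(p: Proofing) -> LoA:
    # Illustrative thresholds (an assumption, not the standard's normative text).
    if p.face_to_face and p.cross_checked and p.deduplicated:
        return LoA.VERY_HIGH
    if p.cross_checked and p.deduplicated:
        return LoA.HIGH
    if p.cross_checked:
        return LoA.MEDIUM
    return LoA.LOW

def authentication_loa(a: Authentication) -> LoA:
    # Illustrative thresholds: more factors and stronger cryptography raise the level.
    if a.factors >= 2 and a.cryptographic and a.hardware_bound:
        return LoA.VERY_HIGH
    if a.factors >= 2 and a.cryptographic:
        return LoA.HIGH
    if a.factors >= 2 or a.cryptographic:
        return LoA.MEDIUM
    return LoA.LOW

def achieved_loa(p: Proofing, a: Authentication) -> LoA:
    # The overall level is capped by the weakest phase: strong MFA cannot
    # raise assurance above what the original identity proofing established.
    return min(proofing_loa(p), authentication_loa(a))

def authorize(required: LoA, p: Proofing, a: Authentication) -> bool:
    # Relying-party check: allow only if the achieved level meets the transaction's required level.
    return achieved_loa(p, a) >= required
```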
This standard has been used in Europe, the UK and America since its publication. The European Union’s ‘eIDAS’ (Electronic Identification, Authentication and Trust Services) rules, published in EU law in September 2015, drew on ISO/IEC 29115 to define assurance levels based on processes and technologies.
Recent guidelines from the US National Institute of Standards and Technology (NIST SP 800-63-3) adapt this framework by distinguishing assurance levels for identity proofing (‘identity assurance level’ or IAL) from those for authentication (‘authenticator assurance level’ or AAL), as shown in Clause 39. In addition, the NIST framework defines a separate assurance level for authentication in a federated environment (‘federation assurance level’ or FAL).
What is Electronic Identification, Authentication and Trust Services?
The eIDAS Regulation provides the regulatory environment for the following essential aspects of electronic transactions:
- Digital identity: A Europe-wide framework for legally valid digital authentication of citizens (European Digital Identity Wallet, EDIW). Nine principles of European digital identity have been defined: user choice, privacy, interoperability and security, trust, convenience, user consent and proportionality of control, counterparty knowledge and global scalability.
- Advanced electronic signature (AdES): An electronic signature is considered advanced if it meets specific requirements:
  - It is uniquely linked to the signatory and capable of identifying the signatory.
  - The signatory has sole control over the data used to create the electronic signature.
  - It is linked to the signed data in such a way that any subsequent change to that data is detectable; if the signed data has changed, the signature is marked as invalid.
- Certificate for electronic signature: Electronic evidence that verifies the identity of the signatory and binds the electronic signature verification data to that person.
- Advanced electronic signatures can be technically implemented following the XAdES, PAdES, CAdES or ASiC Baseline Profile (Associated Signature Containers) standard for digital signatures specified by ETSI.
- Qualified electronic signature: An advanced electronic signature created by a qualified electronic signature creation device and based on a qualified certificate for electronic signatures.
- Qualified electronic signature digital certificate: A certificate issued by a qualified trust service provider that proves the authenticity of a qualified electronic signature.
- Qualified website authentication certificate: A qualified digital certificate within the scope of the trust services defined in the eIDAS Regulation.
- Trust service: An electronic service that creates, verifies and validates electronic signatures, time stamps, seals and certificates. A trust service can also provide website authentication and protection of created electronic signatures, certificates and seals. These services are performed by a trust service provider.
- European Union Trusted Lists (EUTL)
As CFEAudit and CFECERT, we would like to state that we have started Training and Accreditation audits for the ISO 29115 standard, in addition to our ISO management systems certification audits, gap analysis, internal audit and IT compliance audit services, for our customers in the UK, Ireland and the European Union who want to comply with European Union banking regulations. If you would like more information about this standard, you can contact us at sales@cfecert.co.uk.