
Levels of Assurance

Understand the concept of Levels of Assurance, how it relates to the Identification Standards and how to declare them.

Levels of Assurance (LoA) indicate how robust identification processes are to assure the right Entity Information, Authenticators, and the connections between these and an Entity.

The assurance aspect of Levels of Assurance

There are 3 assurance aspects to LoA:

  • Information Assurance (IA)
  • Binding Assurance (BA)
  • Authentication Assurance (AA).

These relate directly to 3 of the Identification Standards with the same names.

Applying the assurance aspects to identification processes

In identification, when an Entity enrols in a particular context, usually related to a Relying Party, a triangle is formed by 3 elements:

  • the Entity
  • the Entity’s information
  • the Authenticators they use within that context.

Diagram 1 shows the triangle and the relationships between the elements.

Diagram 1: Relationship between identification elements

A picture of a person, a key and folders of information arranged in a triangle with lines connecting them


This diagram shows the connection between the 3 elements:

  • Entity
  • Entity Information
  • Authenticator

The connection between Entity and Entity Information is labelled Entity Binding. The connection between Entity Information and Authenticator is labelled Authenticator Registration. The connection between Authenticator and Entity is Authenticator Control.


Descriptions of the enrolment elements and their relationships

Entity
An Entity can be anything with a distinct existence, though the content on this website will focus mainly on Entities that carry out transactions. Within the context of identification management, they’ll be those who enrol with organisations for various services.
Entity Information
Information related to an Entity, which is collected and stored by an organisation in order to provide a service.
Authenticators
Authenticators are things known and/or possessed and controlled by an Entity that they’ll use to be recognised when they return to an organisation’s service. Authenticators act as shortcuts to avoid having to repeat all the identification steps carried out during the enrolment process.
Entity Binding
Entity Binding is the process of ensuring the Entity Information belongs to the Entity that’s using it.
Authenticator Registration
Authenticator Registration is the process of creating and/or linking an Authenticator to the information about an Entity.
Authenticator Control
Authenticator Control is a process of ensuring the user of the Authenticator is the same Entity to which the Entity Information relates.

Each of the LoA assurance aspects relates to 1 or more elements within the triangle.

  • Information Assurance (IA): Robustness of the process to establish the quality and accuracy of Entity Information.
  • Binding Assurance (BA): Robustness of Entity Binding, the process to bind the Entity to Entity Information.
  • Authentication Assurance (AA): Robustness of the Authenticator and the process to ensure an Authenticator remains solely under the control of its holder and is registered.

When applied together they ensure the integrity of the triangle is maintained and that the risk of identity theft is reduced.

The level aspect of Levels of Assurance

Each assurance aspect has 4 levels representing the degree of robustness in the processes associated with that aspect, where 1 represents the weakest process and 4 represents the strongest process.

The level to use is determined by the amount of risk to be mitigated by the process. This methodology helps to balance the effort and the effectiveness of processes. More information about assessing identification risk is available in the following guidance:

Assessing identification risk

Achieving a particular level requires all the controls of the relevant standard to be applied at that level or above. For example, if all the controls in the Information Assurance Standard are applied at or over level 3 then the Level of Information Assurance (LoIA) will be 3.

Declaring Levels of Assurance

Levels of Assurance tell people how robust identification processes are or need to be. Therefore, there are several reasons why a party might want to declare the Levels of Assurance. These include when a party:

  • is required to meet a certain risk profile following an assessment of identification risk
  • wants to change identification processes after a review of their current capability
  • needs to show trust in an identification process.

Other reasons to declare Levels of Assurance can include a:

  • Credential Provider indicating the quality of their Credential to a Relying Party or Entity
  • Relying Party advising potential suppliers of identification services the level they need
  • Relying Party indicating to customers the level of evidence they’ll accept.

Format of the declaration

Levels of Assurance are not declared as a single value, or as an accumulated value of the 3 assurance aspects, due to the independence of each of the 3 identification processes. They’re declared as a 3-part expression such as:

{IAn, BAn, AAn} or more simply as {n,n,n}

Here n represents the assurance level (1 to 4) achieved by each identification process. The order of the values is always the same.

The Levels of Assurance expression is applied to individual pieces of information in a context, not to a whole Credential, Entity or an event such as enrolment. This is because not all information is treated the same in these cases. For example, some information contained in a Credential may have robust processes applied, while other information may not have.

It’s also possible for 1 or more of the values in an expression to be 0, if that process is not present in the instance.
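
The expression format and the level rule described above, as an added example that is not part of the original guidance: Python code that parses a declared expression in either form, derives an aspect's level from the levels of its individual controls, and compares a declaration with a requirement aspect by aspect rather than as a total. The names `parse_loa`, `level_from_controls` and `shortfalls`, the per-aspect "at or above" comparison, and treating an empty control list as 0 are assumptions made for illustration.

```python
import re
from typing import Iterable, List, NamedTuple


class LoA(NamedTuple):
    ia: int  # Information Assurance
    ba: int  # Binding Assurance
    aa: int  # Authentication Assurance


# "{IA3, BA2, AA3}" or the short form "{3,2,3}"; the order is always IA, BA, AA.
# Each value is 1 to 4, or 0 when that process is not present.
_EXPR = re.compile(
    r"\{\s*(?:IA)?([0-4])\s*,\s*(?:BA)?([0-4])\s*,\s*(?:AA)?([0-4])\s*\}"
)


def parse_loa(text: str) -> LoA:
    """Parse a 3-part Levels of Assurance expression; reject anything else."""
    m = _EXPR.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a valid LoA expression: {text!r}")
    return LoA(*(int(g) for g in m.groups()))


def level_from_controls(control_levels: Iterable[int]) -> int:
    """Level achieved for one aspect: every control must be at that level or
    above, so the weakest control decides. Empty list = process absent = 0
    (assumption)."""
    levels = list(control_levels)
    if any(not 0 <= lvl <= 4 for lvl in levels):
        raise ValueError("control levels must be between 0 and 4")
    return min(levels, default=0)


def shortfalls(declared: LoA, required: LoA) -> List[str]:
    """Aspects where the declaration falls below the requirement.
    The three values are never summed: each aspect is checked on its own."""
    names = ("IA", "BA", "AA")
    return [n for n, d, r in zip(names, declared, required) if d < r]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real declaration.
    declared = parse_loa("{IA4, BA1, AA4}")
    required = parse_loa("{2,2,2}")
    print(declared, "falls short on:", shortfalls(declared, required))
    print("IA level from controls [3, 4, 3]:", level_from_controls([3, 4, 3]))
```

The constructed declaration {4,1,4} has a higher total than the requirement {2,2,2} but still fails on Binding Assurance, which is why the expression is not collapsed into a single value.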

How to declare Levels of Assurance expressions

Levels of Assurance can be declared in several ways. These include:

  • with other general information about a Credential and its purpose. For example, on a website
  • making Levels of Assurance part of the functional requirements when procuring identification services
  • including them in metadata as part of a presentation or information sharing arrangement
  • on public registers where the ability of the party to meet the levels has been independently assessed and certified.

Wherever the Levels of Assurance are declared, they will be accompanied by a statement about the nature of the declaration. For example, if an organisation is self-attesting to the declaration, this will be stated.

More information about getting a certificate for declarations for Levels of Assurance can be found at Conforming with the Identification Standards.
