Quantifying authentication Levels of Assurance in grid environments

We envisage a fine-grained access control solution that allows a user´s access privilege to be linked to the assurance level in identifying the user. Such a solution would be particularly attractive to a large-scale distributed resource-sharing environment, where resources are likely to be more diversified and may have varying levels of sensitivity and resource providers may wish to adjust security protection levels in adaptation to resource sensitivity levels or the risk levels in the underlying environment. However, existing electronic authentication systems largely identify users through the verification of their electronic identity (ID) credentials. They take into account neither assurance levels of the credentials, nor any other factors that may affect the assurance level of an authentication process. This binary approach to access control may not provide cost-effective protection to resources with varying sensitivity levels. To realise the vision of assurance level linked access control, there is a need for an authentication algorithm that is able to capture the assurance level in identifying a user, expressed as an authentication Level of Assurance (LoA), and link this LoA value to authorisation decision-making. This paper investigates the feasibility of estimating a user´s LoA at run-time by designing and evaluating an authentication algorithm that derives a LoA value, based upon not only users´ ID credentials, but also other factors such as access location, system environment and authentication protocol used.