eIDAS Levels of Assurance in Different National eID Schemes

Trust is at the core of every form of electronic identification (eID), from logging in to digitally signing documents to conducting e-commerce transactions.

The eIDAS (Electronic Identification, Authentication, and Trust Services) framework regulates eID systems in Europe and relies on the concept of Levels of Assurance (LoA) to measure trust.

Below, we’ll explore the eIDAS Levels of Assurance, how they’re different, and how they’re implemented in various European eID schemes.

What are levels of assurance?

A "level of assurance" measures the degree of confidence a service provider has in the claimed identity of a person using an eID. It reflects how well the digital identity has been verified, authenticated, and secured.

It’s an attempt to quantify the level of trust in the digital identity and assess the risk of identity fraud. The higher the LoA, the higher the trust and the lower the risk of fraud.

What factors determine the level of assurance?

There are several elements that affect the level of assurance in an eID system:

• Enrollment: How can an individual acquire the eID in question? Is the process conducted in person or online? Does it require a biometric passport or a paper identity document?
  
  
• eID design & management: For instance, how many factors are required for authentication? Is just the password sufficient or is there a multi-factor authentication in place?
  
  
• Authentication itself: How is it performed? What are the requirements for confirming an identity to a relying party? What security protocols are employed during the eID verification?

The lowest level in any of the above elements determines the overall level of assurance in the eID scheme.

The three levels of assurance

The eIDAS Regulation defines three levels of assurance.

Low (LoA1)

This is the lowest level of assurance. It involves minimal identity verification and is typically used for low-risk applications.

Example: Accessing a public website with username and password.

Substantial (LoA2)

This reflects a higher level of assurance compared to LoA1. It typically involves stronger identity verification methods, such as an ID card or a one-time code. LoA2 is suitable for applications that involve moderate risks, such as accessing government services online.

Example: Users provide identity information that is verified during enrolment. Authentication uses a combination of username, password, and a one-time code sent to a mobile phone. 

High (LoA3)

This is the highest level of assurance defined by eIDAS. It requires the most robust identity verification methods, often relying on in-person identity proofing and the use of hardware tokens or smart cards. LoA3  is typically reserved for high-risk transactions, like signing legally binding contracts or accessing highly sensitive information.

Example: Face-to-face enrolment and authentication with a smart card.

Different national eID systems

The eIDAS regulation does not define specific technologies required to meet different LoA requirements. As such, EU Member States develop their own eID systems that adhere to eIDAS principles but are designed in a way that reflects the legal, social, and technological landscapes of each country.

If a national eID scheme offers multiple levels of assurance, organizations and service providers can choose the LoA that best aligns with the risks involved in their particular operations.

According to a September 2022 study of 40 European eID schemes:

• 25 support LoA High.
• 20 support LoA Substantial.
• 12 support LoA Low.

Now, let’s take a closer look at several national eID schemes and the levels of assurance they offer.

Danish MitID

MitID offers all three levels of assurance:

• Low: For some digital services, a combination of the MitID user ID with one other authentication factor (e.g. password) is sufficient. 
  
  
• Substantial: This requires two different authentication factors. For instance:
  • the MitID app + user ID
  • an alternative authenticator, such as the MitID code display + user ID + OTP code + password. 
• High: This assurance level is available in selected municipalities. It requires in-person enrollment, and a minimum of two authenticators (e.g., the MitID app and a code display) to be achieved.

MitID lets service providers determine the appropriate level of assurance for their specific needs. LoA Substantial is the most common. It is typically used for public self-service platforms like skat.dk and sundhed.dk, as well as for online banking and insurance.

Swedish BankID

In Sweden, twelve major banks provide the electronic identification for citizens. It requires users to install the BankID app (available on desktop, mobile, and tablet).

BankID meets trust level 3 requirements of the Swedish eID quality mark, which translates to LoA “Substantial” in eIDAS classification.

Norwegian BankID 

The new BankID Biometric allows end users to identify themselves with biometrics and operates at the "Substantial" assurance level. 

Organizations and service providers that require LoA "High" (e.g. for large money transfers) can still use one of the older versions of Bank ID: regular BankID or BankID on mobile.

Finnish Trust Network

The Finnish Trust Network (FTN) regulates authentication mechanisms used by citizens to access national public and private services online.

All eIDs provided by the FTN – including ​Finnish Bank ID and Mobiilivarmenne​ – operate at the eIDAS “Substantial” level of assurance. 

Belgian itsme®

itsme® functions via a mobile app that can be used with over 800 organizations in Belgium, the Netherlands, and Luxembourg. 

It operates at the “High” level of assurance in eIDAS classification.

Dutch iDIN 

iDIN is offered by Dutch banks and allows individuals to interact online with a wide variety of public and private services and platforms.

The eIDAS level of assurance for the Dutch iDIN is “Substantial.”