ISO IEC 29115-2013 PDF
Name in English:
St ISO IEC 29115-2013
Name in Russian:
Ст ISO IEC 29115-2013
Original ISO/IEC 29115:2013 standard, full version in PDF. Additional information and a preview are available on request.
Full title and description
ISO/IEC 29115:2013 — Information technology — Security techniques — Entity authentication assurance framework. This international standard provides a practical framework for managing and expressing the assurance of entity (user, device, service) authentication in a given context, including defined levels of assurance, criteria to meet each level, guidance on mapping other schemes to those levels, exchanging authentication results, and controls to mitigate authentication threats.
Abstract
ISO/IEC 29115:2013 specifies four levels of entity authentication assurance (LoA), describes criteria and guidelines for achieving each level, gives guidance for mapping external authentication schemes to the four LoAs, supports exchange of authentication results based on those LoAs, and identifies controls to mitigate common authentication threats. It also addresses management and organisational considerations, service assurance criteria and privacy-related aspects of credential handling.
General information
- Status: Published (Edition 1). Confirmed in ISO's 2020 systematic review; subsequently marked "to be revised" (2024), with a Committee Draft (CD) of the revision under development.
- Publication date: 2013 (official publication date recorded as 27 March 2013).
- Publisher: ISO/IEC (joint international standard produced under ISO/IEC JTC 1/SC 27).
- ICS / categories: 35.030 (IT Security).
- Edition / version: Edition 1 (2013).
- Number of pages: 36 (official ISO pagination for the 2013 edition).
Scope
Defines an entity authentication assurance framework applicable to information systems and services. The standard establishes four levels of assurance for entity authentication, specifies objectives and criteria for each level, provides guidance to map other assurance schemes to these levels, describes how to convey authentication results between parties, and recommends controls and countermeasures against authentication threats. It is intended to be technology-agnostic and usable in federated identity, eID, PKI, web authentication and other authentication ecosystems.
Key topics and requirements
- Definition of four Levels of Authentication Assurance (LoA) with criteria for each level.
- Guidance on identity proofing, credential characteristics and lifecycle considerations required to meet LoAs.
- Mapping guidance for translating external or national assurance schemes into the four LoAs.
- Guidance for exchanging and conveying authentication results between parties (relying parties, identity providers).
- Threat analysis for authentication processes and recommended mitigation controls (technical and organisational).
- Service assurance criteria and recommendations for management, auditing and operational controls.
- Privacy considerations related to credential handling and protection of personally identifiable information (PII).
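The two topics above that a relying party actually has to implement are the ordered scale of four LoAs and the mapping of external scheme values onto it before an authentication result is acted on. The following is an added illustration, not text or code from ISO/IEC 29115 and not a normative mapping. It assumes a hypothetical decoded assertion whose assurance result sits under the key "assurance", a hypothetical external scheme ("schemeA") whose levels an organisation has assessed against the four LoAs, and the policy choice that any value that cannot be mapped is denied rather than silently treated as LoA1.

```python
"""
Relying-party enforcement of a minimum ISO/IEC 29115 Level of Assurance (LoA).

Added example. Assumptions (hypothetical, not from the standard):
- the identity provider conveys its assurance result as a string under the
  assertion key "assurance" (a native value such as "loa3", or a
  scheme-qualified value such as "schemeA:enhanced");
- EXTERNAL_TO_LOA is a placeholder for an organisation's own assessed mapping
  of an external scheme onto the four LoAs; 29115 gives guidance for producing
  such a mapping but does not supply this table.
"""
from dataclasses import dataclass
from typing import Optional

# The four 29115 LoAs as an ordered scale (higher rank = more assurance).
LOA_RANK = {"loa1": 1, "loa2": 2, "loa3": 3, "loa4": 4}

# HYPOTHETICAL mapping of an external scheme's levels onto the four LoAs.
EXTERNAL_TO_LOA = {
    "schemea:basic": "loa1",
    "schemea:enhanced": "loa2",
    "schemea:certified": "loa3",
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    asserted_loa: Optional[str]   # normalised LoA, or None if not recognised
    required_loa: str
    reason: str


def normalise_loa(value) -> Optional[str]:
    """Map an asserted assurance value onto one of the four 29115 LoAs.

    Accepts a native value ("loa1".."loa4", case-insensitive) or a
    scheme-qualified value present in EXTERNAL_TO_LOA. Anything else is
    unknown and yields None so that callers fail closed.
    """
    if not isinstance(value, str):
        return None
    v = value.strip().lower()
    if v in LOA_RANK:
        return v
    return EXTERNAL_TO_LOA.get(v)


def evaluate(assertion: dict, required_loa: str) -> Decision:
    """Decide whether an authentication result meets a resource's minimum LoA.

    Missing or unmapped assurance values are denied, not downgraded to LoA1:
    a misconfigured or unexpected identity provider must not be able to
    satisfy a high-assurance policy by accident. A recognised but too-low
    LoA is reported as a step-up requirement so the caller can re-authenticate
    the entity at the required level.
    """
    if required_loa not in LOA_RANK:
        raise ValueError(f"unknown required LoA: {required_loa!r}")
    asserted = normalise_loa(assertion.get("assurance"))
    if asserted is None:
        return Decision(False, None, required_loa,
                        "assurance value missing or not mapped; denying (fail closed)")
    if LOA_RANK[asserted] >= LOA_RANK[required_loa]:
        return Decision(True, asserted, required_loa, "asserted LoA meets policy")
    return Decision(False, asserted, required_loa,
                    f"step-up required: {asserted} < {required_loa}")


if __name__ == "__main__":
    # Constructed sample assertions (not real tokens); second element is the
    # minimum LoA the hypothetical resource requires.
    samples = [
        ({"sub": "alice", "assurance": "LoA3"}, "loa2"),
        ({"sub": "bob", "assurance": "schemeA:enhanced"}, "loa3"),
        ({"sub": "carol", "assurance": "schemeB:gold"}, "loa1"),
        ({"sub": "dave"}, "loa1"),
    ]
    for assertion, required in samples:
        d = evaluate(assertion, required)
        print(assertion.get("sub"), "->", "ALLOW" if d.allowed else "DENY", "|", d.reason)
```

The point worth carrying into a real deployment is the fail-closed branch: an assurance value from a scheme that has never been mapped (schemeB above) is denied even for an LoA1 resource, because treating an unknown result as the lowest level is exactly the downgrade path that a mapping exercise is meant to rule out.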
Typical use and users
Used by identity and access management architects, security managers, PKI operators, identity providers, service providers implementing federated authentication, government eID program teams, auditors and compliance officers, vendors of authentication solutions, and consultants designing or evaluating authentication assurance strategies. Typical uses include selecting appropriate assurance levels for services, drafting identity-proofing and credential policies, and mapping between assurance frameworks (e.g., national schemes or other standards).
Related standards
Commonly used alongside and referenced with other identity, privacy and security standards such as ISO/IEC 29100 (privacy framework), ISO/IEC 29101 (privacy architecture), the ISO/IEC 24760 series (identity management framework and terminology), ISO/IEC 27001/27002 (information security management and controls), ISO/IEC 9798 (entity authentication protocols), and relevant national or sector assurance guidance (for example NIST SP 800-63 where a mapping to NIST levels is needed). Note that the four-level model of 29115 lines up with the single LoA scale of NIST SP 800-63-2; SP 800-63-3 replaced that scale with separate identity (IAL), authenticator (AAL) and federation (FAL) assurance levels, so a mapping to current NIST guidance has to be done per component rather than level-for-level. Implementers should also consider the applicable cryptography, biometrics and credential-related standards when applying 29115.
Keywords
entity authentication, assurance level, LoA, identity proofing, credentials, federated identity, authentication threats, authentication controls, identity management, privacy, ISO/IEC JTC 1/SC 27
FAQ
Q: What is this standard?
A: ISO/IEC 29115:2013 is an international standard that defines a framework for assessing and expressing the assurance of entity authentication, including four defined levels of assurance and guidance to meet and map those levels.
Q: What does it cover?
A: It covers criteria and guidance for identity proofing, credential characteristics and lifecycle, mapping other assurance schemes to its four LoAs, exchanging authentication results, threat analysis for authentication, and controls and organisational considerations to achieve and maintain authentication assurance.
Q: Who typically uses it?
A: Identity and access management architects, security and compliance teams, PKI and eID operators, identity providers and relying parties, vendors of authentication solutions, government eID programs and auditors use the standard to define, compare and implement authentication assurance controls.
Q: Is it current or superseded?
A: The 2013 edition is the current published edition; it was confirmed in ISO's 2020 systematic review. As of 3 May 2024 ISO had marked the standard "to be revised", with a Committee Draft of the revision under development. Until that revision is published, ISO/IEC 29115:2013 remains the edition in force.
Q: Is it part of a series?
A: Not in the sense of a multi-part standard: ISO/IEC 29115 is a single document with no numbered parts. It does belong to the ISO/IEC JTC 1/SC 27 family of security and identity management standards (ISO/IEC 29100, 29101, the 24760 series and related security standards) and is designed to be used together with them.
Q: What are the key keywords?
A: Entity authentication, assurance level (LoA), identity proofing, credentials, authentication controls, identity management, federation, privacy, authentication threats.