
What Should I Do?

Determine Requirements

The basic requirements for registration and for authentication at each assurance level are described below.

Level 1

Requirements for Registration: There is no requirement to prove the applicant's identity or to maintain a record of the registration information at this level. Identity assertions made by users can be accepted without verification.

Requirements for Authentication: Although there is no registration requirement at Level 1, the authentication mechanism should still provide some assurance that the same user is returning to the service, transaction or data. A range of authentication technologies can be deployed at Level 1, including simple PINs or passwords.

Level 2

Requirements for Registration: Level 2 provides sufficient assurance for relatively low-risk, routine business transactions. In many cases registration can be carried out online rather than in person. The applicant's basic identity information is verified and checked; at a minimum it should include the full name together with other supporting, verifiable information that identifies the applicant. A record of the registration information should be maintained.

Requirements for Authentication: Assurance at Level 2 relies on a secure authentication protocol that establishes proof that the user is in control of the token. A range of authentication technologies can be employed, for example managed password tokens (governed by a password policy) used over an encrypted network session. Measures such as encryption and a password policy should be implemented to protect against eavesdropping, replay and password-guessing attacks.

Level 3

Requirements for Registration: Substantial evidence of the applicant's identity has to be verified, including, in certain situations, presentation of the applicant in person to complete the registration process. Beyond establishing that the identity exists, it is generally required that the current status of at least some of the credentials or documents used to validate the identity is confirmed as valid and current. The identity information verified should include at a minimum the full name, date of birth, current address, and the identity numbers of the documents checked (such as a passport or HK Identity Card). A record of the facts, the steps taken and copies of the documents examined should be maintained.

Requirements for Authentication: At this level, assurance is based on proof of possession of the authentication token (a hard or soft cryptographic token). Authentication methods that may be considered include digital certificates or one-time password tokens. Measures should be implemented to protect against eavesdropping, replay, password-guessing and verifier-impersonation attacks.

Level 4

Requirements for Registration: The requirements are the same as for Level 3, except that presentation of the applicant in person is always required to complete the registration process, and the current status of the credentials or documents used to validate the identity must be confirmed as valid and current. The identity information verified should include at a minimum a recent photograph, full name, date of birth, current address, and the identity numbers of the documents checked (such as a passport or HK Identity Card). A record of the facts, the steps taken and copies of the documents examined should be maintained.

Requirements for Authentication: Level 4 authentication is based on proof of possession of a key through a cryptographic protocol. It is similar to Level 3 except that a hard token is required: a hardware cryptographic module validated against international standards. Because a physical token cannot readily be copied and must be unlocked with a password or biometric, this level provides strong two-factor remote authentication.

The validity of the credential must be time-bounded, and its revocation status must be checked at the time of the transaction. In addition to the protective measures required at Level 3, systems should be designed to prevent unauthorised access to the databases holding the verifier's client verification information.
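As an added illustration, and not part of the original page or of any HK government system, the Python below shows a verifier enforcing the Level 3 and Level 4 authentication properties described above: proof of possession through a challenge-response exchange, single-use challenges so a captured response cannot be replayed, a time-bounded credential, and a revocation check performed at transaction time rather than at registration. Every name (Clock, Verifier, compute_response, run_scenarios, the credential identifiers) and every credential value is this example's own construction. An HMAC keyed with a shared secret stands in for the token's cryptographic operation; a real Level 4 token would sign with a private key held in a hardware module, which this code does not model.

```python
# Added example, not from the original page. Names and sample credentials
# are constructed for illustration only. An HMAC over a shared secret stands
# in for the token's private-key operation (assumption, see lead-in).
import hashlib
import hmac
import secrets
import time


class Clock:
    """Injectable clock so validity and expiry checks can be exercised."""

    def __init__(self, start=None):
        self.t = time.time() if start is None else start

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def compute_response(secret, cred_id, nonce):
    """Token side: prove possession of `secret` by keying an HMAC over the
    verifier's nonce, bound to the credential identifier."""
    msg = ("%s|%s" % (cred_id, nonce)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Verifier:
    CHALLENGE_TTL = 60  # seconds a challenge stays answerable

    def __init__(self, clock):
        self.clock = clock
        self.credentials = {}   # cred_id -> (secret, not_before, not_after)
        self.revoked = set()    # credential ids revoked after issue
        self.challenges = {}    # nonce -> (cred_id, expires_at)

    def register(self, cred_id, secret, not_before, not_after):
        self.credentials[cred_id] = (secret, not_before, not_after)

    def revoke(self, cred_id):
        self.revoked.add(cred_id)

    def issue_challenge(self, cred_id):
        """Fresh, unpredictable nonce, stored so it is consumed exactly once."""
        nonce = secrets.token_hex(16)
        self.challenges[nonce] = (cred_id, self.clock.now() + self.CHALLENGE_TTL)
        return nonce

    def verify(self, cred_id, nonce, response):
        """Return (accepted, reason). Every check runs at transaction time."""
        # Consume the nonce first: a replayed response finds nothing to match.
        entry = self.challenges.pop(nonce, None)
        if entry is None:
            return False, "unknown or already-used challenge"
        owner, expires_at = entry
        now = self.clock.now()
        if owner != cred_id:
            return False, "challenge was issued to a different credential"
        if now > expires_at:
            return False, "challenge expired"
        cred = self.credentials.get(cred_id)
        if cred is None:
            return False, "unknown credential"
        secret, not_before, not_after = cred
        if not (not_before <= now <= not_after):      # time-bounded validity
            return False, "credential outside its validity period"
        if cred_id in self.revoked:                   # revocation at transaction time
            return False, "credential revoked"
        expected = compute_response(secret, cred_id, nonce)
        # Constant-time comparison so timing does not leak the expected MAC.
        if not hmac.compare_digest(expected, response):
            return False, "proof of possession failed"
        return True, "accepted"


def run_scenarios():
    """Walk through accept, replay, wrong secret, revocation and expiry."""
    clock = Clock(1_000_000)
    v = Verifier(clock)
    secret = secrets.token_bytes(32)   # constructed; would live inside the token
    v.register("user-42", secret, clock.now(), clock.now() + 3600)
    out = {}
    nonce = v.issue_challenge("user-42")
    resp = compute_response(secret, "user-42", nonce)
    out["fresh"] = v.verify("user-42", nonce, resp)
    out["replay"] = v.verify("user-42", nonce, resp)   # same response again
    nonce2 = v.issue_challenge("user-42")
    out["wrong_secret"] = v.verify(
        "user-42", nonce2, compute_response(b"guess", "user-42", nonce2))
    nonce3 = v.issue_challenge("user-42")
    v.revoke("user-42")
    out["revoked"] = v.verify(
        "user-42", nonce3, compute_response(secret, "user-42", nonce3))
    short_secret = secrets.token_bytes(32)
    v.register("user-7", short_secret, clock.now(), clock.now() + 10)
    clock.advance(11)                  # credential has now lapsed
    nonce4 = v.issue_challenge("user-7")
    out["expired"] = v.verify(
        "user-7", nonce4, compute_response(short_secret, "user-7", nonce4))
    return out


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print("%-12s %-8s %s" % (name, "ACCEPT" if ok else "REJECT", reason))
```

The order of checks in `verify` matters: the nonce is consumed before any other test so that a rejected attempt still burns the challenge, and the validity window and revocation set are consulted on every transaction, not cached from registration. What this sketch does not give you is resistance to verifier impersonation, the remaining Level 3 requirement; that needs the exchange to be bound to an authenticated channel (for example, mixing the server's certificate or TLS channel identity into the signed message), which a bare HMAC over a nonce cannot provide.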
2007