Understanding different standards and assessing the impact on your organization is very difficult. Therefore we give a comprehensive overview of all the assurance levels for onboarding and the means for eIDAS 1.0, eIDAS 2.0, NIST and Stork and use the reference framework from ISO 29115 to show where they match and where they are fundamentally different.
Onboarding / KYC
| ISO 29115 | eIDAS 1.0 | eIDAS 2.0 | NIST | Stork | |
|---|---|---|---|---|---|
| Level 1 | No proofing | – | – | IAL1 | RP1 |
| Level 2 | Simple ID check | Low | Low | IAL1 | RP2 |
| Level 3 | NFC + photo check | Substantial | Substantial | IAL2 | RP3 |
| Level 4 | NFC + Video AI check / In person check |
High | High | IAL3 | RP4 |
Means / Portable Identity
| ISO 29115 | eIDAS 1.0 | eIDAS 2.0 | NIST | Stork | |
|---|---|---|---|---|---|
| Level 1 | Password | – | – | – | EA1 |
| Level 2 | Single factor or minimal secondary | Low | Low | AAL1 | EA2 |
| Level 3 | Approved 2FA (Authenticator, App, OTP token) |
Substantial | Substantial | AAL2 | EA3 |
| Level 4 | WSCD, eID High | High | High | AAL3 | EA4 |
Note 1: There is still no agreement if Iso level 1 is equal to eIDAS low.
Note 2: NIST IAL1, like eIDAS low, does not guarantee the user is a real person.
Note 3: NIST IAL3 requires in person, some other standards do not for the highest level.
References:
eIDAS (EU 2014/910), Article 8, Article 24, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2014.257.01.0073.01.ENG
NIST 800-63-3, https://pages.nist.gov/800-63-3/
ISO 29115, https://www.iso.org/standard/45138.html