- Why would anyone care for the Identity Assurance Framework since we already have NIST SP 800-63?
Response: Yes, if it addresses use cases other than those of the US federal government.
- Is it true that identity assurance applies only to Identity Federation scenarios?
Response: Identity assurance has several connotations: LoA, the IAF, and the information-security-related identity assertion of a remote user.
The LoA is an essential construct in federations (flat or somewhat hierarchical) to fight complexity. But any large system/organization can profit from LoA.
The same is true for the IAF: It provides a policy for federations or large organizations.
The identity assertion in the infosec view is completely independent of federations.
- Am I correct in assuming that identity assurance is relevant only for PKI-based authentication?
- I understand that identity assurance is about strong authentication, so identity assurance = two-factor authentication, right?
Response: No, LoA 1 and LoA 2 are included as well.
- There are no publicly available Identity Assurance standards, correct?
- Is Kantara Initiative