E-infrastructure Security: authentication Levels of Assurance (ES-LoA)

Virtual Organisations (VOs) are collaborative environments where institutions share data, knowledge, services and computing power. Contributed resources typically have varying degrees of sensitivity: for example, news feeds, stock market quotes and weather forecasts available to everyone have lower sensitivity and privacy levels than confidential course information and exam papers, or private medical data and patients’ health records. Such resources need to be protected with security services that can cater for their varying security requirements.

Authentication is always the first line of defense in any secure system and plays a critical role in the provision of a number of essential security services such as authorisation, access control and accounting. The authentication process can be characterised by its Level of (Authentication) Assurance (LoA). LoA can be defined as the strength of authentication required for a Service Provider to be assured that access to a resource is granted only to users whose identities have been verified with a certain amount of assurance. LoA reflects the degree of confidence in an authentication process used to establish the identity of the entity to whom the credential was issued. The established assurance level is influenced by all the actions associated with the authentication process, including the process of identity proofing at the time of credential issuance, the type of authentication credential being used by the entity (e.g. PIN, password, smart-card, fingerprint, etc.), and the cryptographic protocol used by the underlying authentication service. Knowledge of the LoA that an authenticated user has achieved can be used to provide fine-grained access control to resources.

The ES-LoA (E-infraStructure LoA) project, sponsored by JISC under the e-Infrastructure Programme, aims to study existing definitions and applications of LoA at the UK and international levels, and then to establish consensus across the UK education and research community. It will make proposals on how different levels of assurance are to be established, and on how they are to be assigned to various types of resources, so as to achieve secure, robust and seamless resource sharing and collaboration across institutional boundaries.

Last Updated ( Tuesday, 01 May 2007 )