Choice of login method - two steps

Step 1: Risk assessment - explanations

The following risk assessment is based on ISO Standard No. 29115:2013 which describes a procedure whereby the service provider can assess the need for a particular login method. Since various services may be more or less vulnerable to abuse, the service provider must carry out a risk assessment for each type of service provided.

The following factors must be examined in order to evaluate their possible impact. The service provider will then be able to choose an appropriate login method, based on the results of the risk assessment. If the highest result is in Column 1 or 2, IceKey would be chosen; if the highest result is in Column 3, a multi-factor IceKey would be chosen; if the highest result is in Column 4, digital certification would be chosen. See Step 2 below for more detail.

| Possible impact of invalid logins | 1 | 2 | 3 | 4 |
|---|---|---|---|---|
| Discomfort, distress or a damaged reputation | Low | Moderate | High | Very high |
| Financial loss or compensation liability | Low | Moderate | High | Very high |
| Damage to operations or to the public interest | Does not apply | Low | Moderate | Very high |
| Prohibited communication of sensitive information | Does not apply | Moderate | High | Very high |
| Risk to personal security | Does not apply | Does not apply | Low/Moderate | Very high |
| Infringement of law or of citizen rights | Does not apply | Low | High | Very high |

Step 2: Choice of login method - explanations

Levels of assurance

The levels of assurance of login methods shall be assessed in accordance with ISO Standard No. 29115:2013, which divides login methods into four categories or levels of assurance. The appropriate level of assurance is determined by the confidence in the process, management and technology which are maintained when recording, delivering and applying login data.

The ISO standard specifies precisely what measures must be present if a login method is considered as achieving a certain level of assurance. Based on this standard, the methods of logging into the Icelandic National Portal login service at www.island.is belong to the following categories:

  • Level of assurance 1: Simple password (not offered by the Icelandic National Portal login service)
  • Level of assurance 2: Complex password - IceKey
  • Level of assurance 3: Enforced password - multi-factor IceKey
  • Level of assurance 4: e-Authentication from the company Auðkenni, involving a smart card or SIM card

Choice of login method based on the results of Step 1

  • If the highest possible impact of an invalid login is 1 or 2, IceKey shall be chosen as the minimum. This means that multi-factor IceKeys and digital certificates would also be permissible.
  • If the highest possible impact of an invalid login is 3, multi-factor IceKeys shall be chosen as the minimum. This means that digital certificates would also be permissible.
  • If the highest possible impact of an invalid login is 4, digital certificates shall be chosen as the minimum. This means that only digital certificates are permissible.
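The two steps above as one procedure, in an added Python example that is not part of the original page: each factor's rating is mapped to its column in the Step 1 table, and the highest column selects the minimum login method. The short factor keys, the function names, taking the lowest matching column, and rejecting a rating the table has no cell for are assumptions of this example.

```python
# Impact table transcribed from Step 1: cell text for columns 1-4 of each factor.
# The short factor keys are labels chosen for this example, not names from the page.
IMPACT_TABLE = {
    "reputation":      ["Low", "Moderate", "High", "Very high"],
    "financial":       ["Low", "Moderate", "High", "Very high"],
    "operations":      ["Does not apply", "Low", "Moderate", "Very high"],
    "sensitive_info":  ["Does not apply", "Moderate", "High", "Very high"],
    "personal_safety": ["Does not apply", "Does not apply", "Low/Moderate", "Very high"],
    "legal_rights":    ["Does not apply", "Low", "High", "Very high"],
}

# Login methods offered per Step 2, in rising order of assurance (levels 2, 3, 4).
METHODS = ["IceKey", "multi-factor IceKey", "digital certificate"]
MIN_METHOD_INDEX = {1: 0, 2: 0, 3: 1, 4: 2}  # highest column -> index of minimum method


def column_for(factor, rating):
    """Return the lowest column (1-4) whose cell for this factor lists the rating."""
    wanted = rating.strip().lower()
    for col, cell in enumerate(IMPACT_TABLE[factor], start=1):
        if wanted in (part.strip().lower() for part in cell.split("/")):
            return col
    # The table has no cell for e.g. "High" damage to operations: refuse to guess
    # (assumption of this example; the page does not say how to handle it).
    raise ValueError(f"{rating!r} is not a rating the table lists for {factor!r}")


def choose_login_method(assessment):
    """Map {factor: rating} to (highest column, minimum method, permissible methods)."""
    if set(assessment) != set(IMPACT_TABLE):
        raise ValueError("assessment must rate exactly the six factors in the table")
    highest = max(column_for(f, r) for f, r in assessment.items())
    start = MIN_METHOD_INDEX[highest]
    return highest, METHODS[start], METHODS[start:]


# Constructed sample: every rating is mild, but "Low" personal-security risk
# sits in column 3, so it alone raises the minimum method.
SAMPLE = {
    "reputation": "Moderate", "financial": "Low", "operations": "Low",
    "sensitive_info": "Does not apply", "personal_safety": "Low",
    "legal_rights": "Does not apply",
}

if __name__ == "__main__":
    print(choose_login_method(SAMPLE))
```

The same word can land in different columns depending on the factor, which is why the rating is looked up per row rather than converted to a number once.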

Note: If any customer of a company or other organisation is dissatisfied with the risk assessment above, feeling that the login requirements are too low, this customer is invited to log into My pages at www.island.is by means of a digital certificate and to select the option on the National Portal whereby access is given to websites only when a digital certificate is presented.

Rights and privileges

  • The Icelandic National Portal login service at island.is provides access to the websites of many companies, organisations, municipalities and other public and private bodies, with the following conditions:
    • Such bodies must decide for themselves what requirements they will place on logging in to their services and data.
    • Such bodies are themselves responsible for allowing access only to the proper parties.
    • Such bodies must themselves see to restricting access to the age of majority, if this is relevant.
  • No rights or privileges can be attained by logging in through the Icelandic National Portal beyond those permitted in laws and regulations.