Identity Assurance Level or IAL refers to the levels of confidence or assurance that a system can have in a user’s identity and credentials. There are three levels used as measurement in the identity proofing process:
- Some confidence, completed via self assertion, often a password
- High confidence, two factors of authentication
- Very high confidence, a combination of two factors of authentication with an added requirement of a physical device and cryptographic key.
These levels are determined by the National Institute of Standards and Technology (NIST), a non-regulatory federal agency that serves to inform, protect, and enforce cybersecurity standards. Identity Assurance Levels (IAL) falls under NIST Special Publication 800-63-3, a publication that lists requirements for companies in the digital identity service industry.
These levels are a critical part of the identity proofing process, which ensures a user is who they say they are. Identity proofing prevents problems such as fraud, identity theft, and manipulation.
How do Identity Assurance Levels work?
Identity assurance consists of 3 levels that can be used to deal with digital identities. The NIST goes into further detail regarding the full processes for each level here. An organization’s selection of the proper IAL for its use case is determined by factors including the risk to the business, users, and programs if a breach occurs; the likelihood of a breach; and the convenience of the authentication and identity proofing process. An identity proofing architecture should allow for multiple levels of assurance as required by multiple use cases.
Identity Assurance Level 1 (IAL 1)
The first level is the lowest degree of confidence and least strict meaning that no verification is required. The attributes are usually self-asserted by the user, for example, using an email account creation to assert their identity.
Identity Assurance Level 2 (IAL 2)
The second level requires either remote or physically-present proof that the user is who they claim to be. The proof can consist of but is not limited to: address confirmation, credential document, passport, or driver’s license. Biometric collection is optional.
Identity Assurance Level 3 (IAL 3)
The third level requires physical presence of evidence to verify that the user is who they are. The proof consist of address confirmation or government identification. Lastly, biometric verification (i.e. photo, fingerprint) is required.
The higher the need for security or permission to access accounts, the more confidence the business should have in determining the true identity of its user. Higher levels of required assurance will reduce fraud but may also add friction to a user’s journey.
Where and how are Identity Assurance Levels used?
The NIST’s guidance applies to all transactions where digital identity or authentication are required, but does not include national security systems. Government agencies as well as private sector businesses utilize these levels as part of identity proofing and authentication systems and to comply with regulations such as KYC. The IAL framework has been implemented or is in the implementation process as part of digital regulations and frameworks in a variety of countries.