API Marketplace

Solutions

Resources

Our Company

Book a Demo

← Back to Glossary

IAL / AAL (NIST 800-63)

Overview

Identity Assurance Level (IAL) and Authenticator Assurance Level (AAL) are NIST 800-63 metrics that separate identity proofing strength (IAL) from authentication strength (AAL). IAL gauges how confidently an organization has verified a person’s identity ranging from minimal evidence (remote, documentary-only) to high-assurance, in-person or multi-source verification. AAL evaluates the robustness of authenticators used at login from single-factor to phishing-resistant, multi-factor methods with hardware-backed keys.

Many regulated programs target higher IAL for onboarding and higher AAL for sensitive actions. Decoupling proofing from authentication lets institutions tailor controls: e.g., strong document + biometric proofing at signup (IAL2/3) and passkeys or hardware keys for access (AAL2/3). NIST also defines Federation Assurance Level (FAL) for token assertions across domains. Clear mapping to risk appetites, plus periodic reviews, helps align products with auditors and regulators.

Stay ahead of risk with Signzy

Explore tools that help you onboard, monitor, and verify with confidence

One Touch KYC

Launch global KYC flows with built-in document OCR, liveness checks, deepfake detection, and AML, all through a single, customizable dashboard.

Biometric Verification

Authenticate users with facial, fingerprint, and liveness biometrics powered by AI to prevent identity spoofing and fraud.

Database Verification

Instantly verify user information by connecting to trusted databases across jurisdictions for accurate, compliant, and faster onboarding.

Related Terms

Identity Proofing

Multi-factor Authentication (MFA)

Passkeys (WebAuthn)

FAQ

How do IAL and AAL differ?

IAL measures how well an identity was proven; AAL measures how strong the login authenticator is. You can mix levels, for instance, IAL2 proofing with AAL3 authentication for high-risk actions.

Which levels suit finance?

Typical targets are IAL2 for remote onboarding and AAL2+ for account access. High-risk roles or transactions often warrant phishing-resistant AAL3, especially for admins and large transfers.

How does this help design?

Decoupling lets you right-size friction: invest more in proofing for onboarding risk, and require stronger authenticators only where needed, improving security and user experience.