How do IAL and AAL differ?

IAL measures how well an identity was proven; AAL measures how strong the login authenticator is. You can mix levels, for instance, IAL2 proofing with AAL3 authentication for high-risk actions.

Which levels suit finance?

Typical targets are IAL2 for remote onboarding and AAL2+ for account access. High-risk roles or transactions often warrant phishing-resistant AAL3, especially for admins and large transfers.

How does this help design?

Decoupling lets you right-size friction: invest more in proofing for onboarding risk, and require stronger authenticators only where needed, improving security and user experience.

← Back to Glossary

IAL / AAL (NIST 800-63)

Overview

Identity Assurance Level (IAL) and Authenticator Assurance Level (AAL) are NIST 800-63 metrics that separate identity proofing strength (IAL) from authentication strength (AAL). IAL gauges how confidently an organization has verified a person’s identity ranging from minimal evidence (remote, documentary-only) to high-assurance, in-person or multi-source verification. AAL evaluates the robustness of authenticators used at login from single-factor to phishing-resistant, multi-factor methods with hardware-backed keys.

Many regulated programs target higher IAL for onboarding and higher AAL for sensitive actions. Decoupling proofing from authentication lets institutions tailor controls: e.g., strong document + biometric proofing at signup (IAL2/3) and passkeys or hardware keys for access (AAL2/3). NIST also defines Federation Assurance Level (FAL) for token assertions across domains. Clear mapping to risk appetites, plus periodic reviews, helps align products with auditors and regulators.

Stay ahead of risk with Signzy

Explore tools that help you onboard, monitor, and verify with confidence

One Touch KYC

Simplify the Know Your Customer (KYC) process with AI and sophisticated fraud detection algorithms to provide a seamless, efficient, and highly secure user verification.

Biometric Verification

Authenticate users securely using facial, fingerprint, or liveness biometrics powered by AI. Prevent identity spoofing and stay compliant.

Database Verification

Verify user information instantly by connecting to trusted databases across jurisdictions. Ensure accuracy, compliance, and faster onboarding with real-time data checks.