Identity Assurance Levels (IAL)
Identity Assurance Levels (IAL) represent standards set by the National Institute of Standards and Technology (NIST) to gauge the certainty that a claimed identity matches the real identity of an individual. The IAL framework encompasses three levels in the identity proofing process:
- IAL 1: Some confidence
  - Completed through self-assertion, often using a password.
- IAL 2: High confidence
  - Requires two factors of authentication for increased assurance.
- IAL 3: Very high confidence
  - Involves a combination of two factors of authentication, along with the use of a physical device and cryptographic key.
These levels play a crucial role in identity proofing, safeguarding against issues like fraud, identity theft, and manipulation.
How Identity Assurance Levels Work:
Identity assurance operates across three levels, offering flexibility for various digital identity scenarios. The appropriate IAL selection depends on factors such as business risk, likelihood of a breach, and the convenience of the authentication process. An effective identity proofing architecture accommodates multiple assurance levels to meet diverse use cases.
- Identity Assurance Level 1 (IAL 1):
  - Lowest confidence level with no verification required.
  - User attributes are typically self-asserted, such as in email account creation.
- Identity Assurance Level 2 (IAL 2):
  - Requires remote or physically-present proof of the user’s claimed identity.
  - Proof may include address confirmation, credential documents, passport, or driver’s license. Biometric collection is optional.
- Identity Assurance Level 3 (IAL 3):
  - Highest confidence level, demanding physical evidence of the user’s identity.
  - Proof involves address confirmation or government identification, with mandatory biometric verification (e.g., photo, fingerprint).
The choice of assurance level correlates with the need for security and access permissions. While higher assurance levels enhance security and reduce fraud, they may introduce additional friction to the user experience.
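The sketch below is an added example, not code from NIST or from any product. It shows one way a service could support several assurance levels at once: derive the level a user's proofing record reaches from the per-level requirements listed above, then allow the request or return the missing proofing steps. The record fields, action names and the minimum-IAL policy are hypothetical.

```python
from dataclasses import dataclass
from enum import IntEnum

class IAL(IntEnum):
    IAL1 = 1
    IAL2 = 2
    IAL3 = 3

@dataclass(frozen=True)
class ProofingRecord:
    """What the proofing flow verified for one user (hypothetical field names)."""
    evidence_verified: bool = False   # address confirmation, passport, driver's license, ...
    in_person: bool = False           # evidence presented physically rather than remotely
    biometric_verified: bool = False  # photo or fingerprint checked against the evidence

def missing_for(record, level):
    """Return the requirements the record still lacks for the given level."""
    gaps = []
    if level >= IAL.IAL2 and not record.evidence_verified:
        gaps.append("verified identity evidence")
    if level >= IAL.IAL3:
        if not record.in_person:
            gaps.append("physical presentation of evidence")
        if not record.biometric_verified:
            gaps.append("biometric verification")
    return gaps

def achieved_ial(record):
    """Highest level whose requirements are all met; self-assertion alone is IAL 1."""
    return max(level for level in IAL if not missing_for(record, level))

# Constructed policy (assumption): minimum IAL per action, chosen by business risk.
REQUIRED_IAL = {
    "create_email_account": IAL.IAL1,
    "open_bank_account": IAL.IAL2,
    "issue_privileged_credential": IAL.IAL3,
}

def authorize(record, action):
    """Fail closed on unknown actions; otherwise allow or return a step-up list."""
    required = REQUIRED_IAL.get(action)
    if required is None:
        return ("deny", ["unknown action"])
    gaps = missing_for(record, required)
    return ("allow", []) if not gaps else ("step_up", gaps)
```

Returning the list of missing requirements lets the service ask only for the extra proofing a higher-risk action needs, which keeps friction low for IAL 1 and IAL 2 actions.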
Application of Identity Assurance Levels:
NIST’s guidelines are applicable to all transactions requiring digital identity or authentication, excluding national security systems. Both government agencies and private sector businesses employ these levels in identity proofing and authentication systems, ensuring compliance with regulations like Know Your Customer (KYC). The IAL framework is being implemented globally as part of digital regulations and frameworks across various countries.