NIST SP 800-63-3 (Grassi, Garcia, & Fenton 2017, with Revision 4 in active draft as of 2024) defines digital identity guidelines for US federal information systems. The standard separates identity assurance into three independent dimensions. Identity Assurance Level (IAL) addresses the proofing process: how confident the system is, at enrollment, that the user is who they claim to be. IAL1 means self-asserted identity with no verification. IAL2 means remote or in-person identity proofing backed by documentary evidence. IAL3 means in-person proofing with biometric capture by a trained agent.
Authenticator Assurance Level (AAL) addresses the authentication process: how confident the system is that the person logging in now is the same person who enrolled. AAL1 means single-factor authentication (a password alone is enough). AAL2 means two-factor authentication in which at least one factor is phishing-resistant or a cryptographic software authenticator. AAL3 means a hardware-based cryptographic authenticator with phishing-resistant proof of possession (for example a FIDO2 hardware key, or a smart card whose private key is PIN-protected).
Federation Assurance Level (FAL) addresses the federation process: how confident a relying party (RP) can be in the assertion it receives from an identity provider. FAL1 means a signed assertion. FAL2 means the assertion is encrypted to the relying party's key. FAL3 means the assertion is bound to a holder-of-key proof (the bearer of the assertion must prove possession of a separate key). The three dimensions are set independently and combined per system: a system can require IAL2 + AAL2 + FAL1 for typical workforce access, or IAL3 + AAL3 + FAL2 for high-assurance federal staff.
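To make the independence of the three dimensions concrete, here is an added Python example (not part of this page or of NIST's publications) that encodes the level definitions given above as predicates over enrollment evidence, presented authenticators and the federation assertion, then reports which dimensions of a required IAL/AAL/FAL profile a session falls short of. The class and field names are assumptions of the example; the standard defines levels, not these flags.

```python
from dataclasses import dataclass

# Constructed model of the three SP 800-63-3 dimensions as stated above. Levels are
# treated as cumulative (each level also satisfies the one below), as the standard orders them.
@dataclass(frozen=True)
class Proofing:                 # enrollment evidence -> IAL
    documentary_evidence: bool = False
    in_person: bool = False
    biometric_by_trained_agent: bool = False

@dataclass(frozen=True)
class Authenticators:           # what the user presents at login -> AAL
    factors: int = 1            # distinct factors (know / have / are)
    phishing_resistant: bool = False
    crypto_software: bool = False
    hardware_crypto: bool = False

@dataclass(frozen=True)
class Assertion:                # what the IdP sends the RP -> FAL
    signed: bool = False
    encrypted_to_rp: bool = False
    holder_of_key: bool = False

def ial_of(p: Proofing) -> int:
    if p.documentary_evidence and p.in_person and p.biometric_by_trained_agent:
        return 3
    return 2 if p.documentary_evidence else 1   # IAL1: self-asserted only

def aal_of(a: Authenticators) -> int:
    if a.factors >= 2 and a.hardware_crypto and a.phishing_resistant:
        return 3
    # Assumption: a hardware crypto device counts as a cryptographic factor at AAL2.
    if a.factors >= 2 and (a.phishing_resistant or a.crypto_software or a.hardware_crypto):
        return 2
    return 1 if a.factors >= 1 else 0

def fal_of(s: Assertion) -> int:
    if not s.signed:
        return 0                # an unsigned assertion meets no FAL at all
    if s.encrypted_to_rp and s.holder_of_key:
        return 3
    return 2 if s.encrypted_to_rp else 1

def shortfalls(required: tuple, p: Proofing, a: Authenticators, s: Assertion) -> dict:
    """Map each dimension short of `required` (IAL, AAL, FAL) to (achieved, needed).
    Dimensions are judged separately: AAL3 never makes up for a FAL1 assertion."""
    achieved = {"IAL": ial_of(p), "AAL": aal_of(a), "FAL": fal_of(s)}
    return {dim: (achieved[dim], need)
            for dim, need in zip(("IAL", "AAL", "FAL"), required) if achieved[dim] < need}
```

An empty result from `shortfalls` means every dimension meets the profile; a session proofed at IAL3 with an AAL3 authenticator but only a signed assertion still fails an IAL2 + AAL2 + FAL2 requirement on FAL alone.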
Key takeaways
- NIST SP 800-63-3 separates identity assurance into three independent dimensions: IAL (proofing), AAL (authentication), FAL (federation).
- IAL1: self-asserted; IAL2: remote or in-person proofing with documentary evidence; IAL3: in-person proofing with biometric capture.
- AAL1: single-factor; AAL2: two-factor with a phishing-resistant or cryptographic-software factor; AAL3: hardware cryptographic authenticator with phishing-resistant proof of possession.
- FAL1: signed assertion; FAL2: assertion encrypted to the RP; FAL3: holder-of-key bound. The level on each dimension is chosen independently per system requirement.
Sources
- Grassi, P. A., Garcia, M. E., & Fenton, J. L. (2017). Digital Identity Guidelines (NIST SP 800-63-3). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-63-3
- Grassi, P. A., et al. (2024). Digital Identity Guidelines, Public Draft Revision 4 (NIST SP 800-63-4). National Institute of Standards and Technology. https://csrc.nist.gov/pubs/sp/800/63/4/2pd