
What is NIST IAL2 Identity Verification?


While researching identity verification, you may have heard of the NIST IAL standards. Identity Assurance Levels (IALs) are a key component of the National Institute of Standards and Technology (NIST) Digital Identity Guidelines, NIST 800-63-3. The standards are used by federal agencies to verify that people are who they say they are before being granted access to restricted information or accounts.

IAL2 is one of three levels of Identity Assurance along with IAL1 and IAL3. IAL2 requires identity proofing, which can be completed remotely or in person. The person requesting access to an asset must provide evidence that they are the owner of the identity they are claiming. While not required, biometrics, like a face scan or fingerprints, can be collected.   

Example

Consider accounts that hold information already registered to a certain person, such as a government account linked to a social security number. To request access to that information, you first have to provide evidence that you are the owner of that identity, potentially by using a passport or driver’s license.

What You Need to Verify at IAL2

Evidence Collection

Any one of the below combinations of evidence:

  • One Superior / Strong piece of evidence if the issuing body confirmed the claimed identity with two pieces of Superior or Strong evidence and the credential service provider (CSP) checks with the issuer (e.g., the DMV would be the issuing body for driver’s licenses)
  • Two Strong pieces of evidence
  • One Strong piece of evidence and two Fair pieces of evidence

Validation of Evidence Requirements

Validation must occur for each piece of evidence. The strength of the evidence defines which level of validation is necessary. Each piece of evidence must be validated by one method per row. 

For example, when validating a strong piece of evidence like a government document, the verifier can validate the document through its physical security features and compare the personal details to an authoritative data source.

Verification 

To tie the identity claimed to the identity presented on the evidence, complete one of the following:

  • Physical comparison of the strongest piece of evidence to a photograph of the applicant
  • Biometric comparison (e.g., selfie with liveness detection or fingerprint) of the strongest piece of evidence to the applicant
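
The three requirements above (evidence collection, validation, verification) can be combined into a single pass/fail check. The sketch below is an added example, not code from NIST or ID.me; the `Evidence` record, its field names, the method strings, and the rule that a stronger piece can fill a weaker slot are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Strength(IntEnum):          # ordering is an assumption of this sketch:
    FAIR = 1                      # a stronger piece also satisfies a weaker slot
    STRONG = 2
    SUPERIOR = 3

@dataclass(frozen=True)
class Evidence:                   # hypothetical record, not a NIST or ID.me schema
    label: str
    strength: Strength
    validated: bool = False               # passed validation for its strength
    issuer_used_two_strong: bool = False  # issuer proofed with 2 Superior/Strong pieces
    csp_checked_issuer: bool = False      # CSP confirmed the evidence with the issuer

BINDING_METHODS = {"physical_comparison", "biometric_comparison"}

def evidence_sufficient(items):
    """True if the validated pieces match one of the three combinations listed above."""
    ok = [e for e in items if e.validated]          # unvalidated evidence never counts
    strong = [e for e in ok if e.strength >= Strength.STRONG]
    if any(e.issuer_used_two_strong and e.csp_checked_issuer for e in strong):
        return True                                  # one Superior/Strong, issuer-confirmed
    if len(strong) >= 2:
        return True                                  # two Strong
    return len(strong) == 1 and len(ok) - 1 >= 2     # one Strong plus two Fair

def ial2_decision(items, binding_method, compared_against):
    """Return (passed, reason) for collection, validation and verification together."""
    if not evidence_sufficient(items):
        return False, "insufficient validated evidence"
    if binding_method not in BINDING_METHODS:
        return False, "verification method not allowed"
    ok = [e for e in items if e.validated]
    strongest = max(e.strength for e in ok)
    if compared_against not in ok or compared_against.strength < strongest:
        return False, "applicant not compared to strongest evidence"
    return True, "ok"

# Constructed sample evidence; labels are placeholders, not real document types
STRONG_A = Evidence("document-A", Strength.STRONG, validated=True)
STRONG_B = Evidence("document-B", Strength.STRONG, validated=True)
FAIR_C = Evidence("document-C", Strength.FAIR, validated=True)
FAIR_D = Evidence("document-D", Strength.FAIR, validated=True)
FAIR_E = Evidence("document-E", Strength.FAIR, validated=False)

if __name__ == "__main__":
    print(ial2_decision([STRONG_A, STRONG_B], "biometric_comparison", STRONG_A))
    print(ial2_decision([STRONG_A, FAIR_C, FAIR_E], "biometric_comparison", STRONG_A))
    print(ial2_decision([STRONG_A, FAIR_C, FAIR_D], "physical_comparison", FAIR_C))
```

Note that a Fair piece that fails validation drops the "one Strong and two Fair" set below the threshold, and that comparing the applicant to anything other than the strongest validated piece fails verification even when the evidence set itself is sufficient.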

Platform & Personnel

When verifying at IAL2, there are three main categories of confirming identity: remote unsupervised, remote supervised, and in-person.

ID.me’s IAL2/AAL2 Identity Proofing Services

The digital identity landscape can be confusing, but ID.me is here to simplify the industry for businesses, government agencies, and consumers. ID.me’s team can help you build a robust, scalable, and efficient solution. We provide a complete identity platform featuring NIST 800-63-3 IAL2 and AAL2 aligned capabilities with identity proofing and a flexible identity broker. 

ID.me is compliant at NIST IAL2/AAL2 by the Kantara Initiative and can provide secure credentialing at NIST IAL1 for lower-risk logins. We also offer a NIST IAL2 + Liveness policy which prevents fraud by adding a video selfie for “genuine presence detection” to make sure the person getting verified is really there. 

In addition, ID.me offers authentication options that meet AAL3, should your organization choose to strengthen authentication requirements.

See ID.me’s work in action by contacting us on our sales demo page.