NIST 800-63A IAL3 for organizations with strict risk tolerance



NIST SP 800-63-4's core concepts of IAL, AAL, and FAL remain relevant in today's threat landscape; new requirements include using phishing-resistant authentication methods like FIDO Passkeys for AAL levels as well as robust standards-compliant assertion handling.

HYPR Affirm offers a scalable workforce identity proofing solution, compliant with both IAL2 and IAL3 standards, that utilizes chat, video, facial recognition with liveness detection and document validation technologies to meet business and security objectives. Risk-based step-up re-proofing helps bridge business goals and security goals.

IAL3 Identity Proofing

NIST has defined Identity Assurance Level 3 (IAL3) as its highest level. IAL3 demands high confidence that a claimed digital identity exists in reality and is accurately associated with the person presenting it. Furthermore, this level allows for enhanced verification through superior evidence such as document validation, biometric comparison and direct oversight.

The NIST IAL3 identity proofing process can be conducted remotely and on mobile. Mitek's document verification features scan government-issued documents to check for authenticity before comparing them against live photos of applicants and performing biometric checks to match faces on identification documents with live images of each applicant.

IAL3 also features the optional IAL2 Non-Biometric Pathway to protect CSPs against impersonation attacks by providing verification methods that don't rely on automated biometric comparison. For example, a visual comparison to the biometric sample contained within the identification document may be conducted by a CSP representative to avoid impersonation attacks.

IAL3 Compliant Solution

The IAL3 framework is suitable for higher-risk scenarios that require high levels of identity assurance, such as healthcare services, financial transactions and accessing sensitive data. At this level, a CSP representative must attend an identity proofing session onsite (this can also be conducted remotely) and collect at least one biometric characteristic. IAL3-compliant solutions utilize sophisticated liveness detection and face matching technologies to verify enrollee presence during enrollment and prevent presentation attacks, SIM swaps and MFA bypasses. In addition, these systems bind an extensive set of attributes and credentials with enrollee biometrics using best practices, including face, fingerprint and dual iris biometric modalities for identity confirmation.

Contrary to other levels, IAL3 primarily focuses on verifying the claimed identity of an applicant. This can be accomplished by comparing biometric characteristics against evidence stronger than their claimed ID, and by restricting collection of personally identifiable information (PII) to attributes which facilitate identification resolution.

IAL3 Capture

IAL3 is the highest level of identity proofing and assurance. This approach requires on-site attended verification as well as more robust, in-depth data collection to verify a person's claimed digital identity, while at the same time providing protection from sophisticated attacks such as evidence falsification or repudiation through more stringent processes and additional requirements.

At the IAL3 capture phase, a trained CSP representative must engage directly with an enrollee during a live session to collect biometric attributes and verify them against the identity documents the enrollee presents. Liveness detection technologies also capture images that cross-verify an enrollee across various identity documents in order to detect SIM swapping or bypasses of MFA processes.

IAL3 is typically reserved for applications where the highest standards of assurance are required, such as healthcare and government services. Other use cases include e-commerce, banking and telecommunications as well as educational institutions providing access to student records or online learning platforms; industries which value this additional layer of protection to prevent impersonation and fraud are likely to benefit greatly from using this solution.

IAL3 Reporting

NIST (National Institute of Standards and Technology) sets numerous industry-specific standards, from plumbing pressure-loss measurements to viscosity of chemical elements. NIST Special Publication 800-63A provides guidance for selecting identity assurance levels (IALs). IALs represent confidence levels associated with the claimed digital identity of an individual and should be carefully chosen in order to protect sensitive data, maintain trust among stakeholders, meet regulatory compliance, and offer user convenience.

The IAL1 assurance level is designed for low-risk applications and relies on self-asserted data or verified documents as its foundation. While this level may not prevent fraud or impersonation, it's often less costly and more user-friendly than alternative forms of verification.

IAL2 requires superior-strength evidence such as government ID cards or passports, with an accompanying verification process such as in-person or remote identification and biometric matching. Furthermore, this level of verification provides more robust methods for detecting presentation attacks such as spoofing or selfies.
