
NIST 800-63-3 defines identity assurance levels (IALs), which measure how certain it is that a claimed identity corresponds to a real-world identity. Verifying claims under the traditional model for IAL3 verification can be costly and logistically complex, particularly for remote-first companies.
At Level III of assurance (IAL3), physical or biometric validation evidence must be compared directly. The table below details which methods and strengths of validation evidence are necessary at each assurance level.
TrustSwiftly IAL3 Compliant Solution
NIST defines Identity Assurance Level 3 (IAL3) as its highest identity assurance standard; to receive it, an organization must hold an in-person verification session with all of its employees. Although difficult for businesses, this requirement provides a strong layer of defense against even advanced cyber attacks.
NIST 800-63A describes three levels of identity proofing: IAL1, IAL2 and IAL3. IAL1 does not require verification and does not correspond to real people; the second level, IAL2, involves physical or biometric comparison between claimed identities and validated evidence sources; and the third, IAL3, involves conducting an IAL3 identity proofing session on site and collecting at least one biometric characteristic for verification.
To meet FedRAMP High compliance, businesses must implement a NIST IAL3 verification process which includes live chat, video streaming, facial recognition with liveness detection and document authentication. Trust Swiftly's hardware-based remote IAL3 compliant solution meets these criteria and saves businesses both time and resources.
NIST IAL3 verification
Identity proofing refers to the process of verifying whether or not someone presenting identity evidence is actually who they claim to be. This is accomplished by comparing their primary form of identification (photo or video) against photos, videos or biometric characteristics associated with that person (IAL2 certification requires this action, but physical comparison may be optional).
NIST guidelines have recently been revised to emphasize extensive identity proofing and strong authentication against phishing attacks, while encouraging federated identity management practices that increase security and decrease fraud. They also advocate cryptographic authenticators such as FIDO security keys or device-bound passkeys which are less vulnerable to spoofing attacks such as man-in-the-middle.
The new guidelines officially endorse remote identity proofing as a path towards IAL2 authentication, while providing flexibility by permitting various devices to be used for this process. Furthermore, they encourage continuous evaluation with recommended metrics so organizations can adjust their identity management systems according to evolving threats and user populations.
IAL3 identity proofing
At its highest identity assurance level, IAL3 provides the strongest confidence that the claimed digital identity exists and is attached directly to its claimant. To meet these stringent standards, it requires either in-person or remote e-identity proofing, stringent evidence validation, biometric comparisons, technology-enhanced document authentication to keep counterfeit documents presented for review from being accepted, and authoritative source signature verification that addresses potential spoofing attacks such as voice cloning attacks, AI deepfakes or synthetic identities.
In contrast with IAL2, which relies on automated biometric comparison methods for identity proofing, the IAL3 Non-Biometric Pathway allows CSPs to conduct identity proofing using methods that don't involve visual comparison between the enrollee and the identity document photo. This approach reduces false positives while also being more effective against attacks such as faked facial recognition or multimodality spoofing.
NIST IAL3 compliant solution
IAL3 is an in-person verification level designed for use cases requiring maximum trust, such as accessing secure buildings or financial transactions that involve sensitive data. Furthermore, this level requires more stringent verification measures such as face scanning or fingerprints as well as formal procedures to confirm credential validity.
Revision 4 retains the tripartite model of IAL, AAL and FAL while updating requirements to address evolving threats and technologies. It puts more focus on user experience to make solutions accessible and user-friendly while refining the IAL taxonomy to accommodate multiple proofing methods.
TrustSwiftly, our comprehensive identity verification solution, assists organizations with meeting NIST 800-63A IAL3 guidelines through its FIDO Certified passwordless authentication and IAL3 capabilities. This significantly enhances user experience while helping reduce cyber liability insurance costs and operational expenses through reduced password resets, providing a safer digital workplace overall.