What is NIST IAL2?

NIST IAL2 (Identity Assurance Level 2) is a moderate-strength identity proofing standard defined in NIST SP 800-63A. It provides reasonable confidence that the applicant is who they claim to be, requiring evidence verification and either in-person or remote identity proofing with controls appropriate to the assessed risk, which may include biometric comparison.

What does IAL2 require?

With IAL2, the identity proofing process must verify identity evidence against authoritative sources. This typically involves presenting government-issued identification, such as a driver's license or passport, which is then validated against the issuing authority's records.

Identity verification can be accomplished with or without biometrics, depending on the approved pathway used (e.g., non-biometric, biometric, or digital-evidence pathways). When biometrics are used, a facial image (or other biometric) may be compared to evidence or authoritative records to help confirm that the applicant matches the identity evidence.

When is IAL2 appropriate?

IAL2 is suitable for transactions where identity errors could cause moderate harm, such as financial account opening, access to government benefits, or professional licensing. It also fits situations where knowing the identity of the applicant is essential but the highest level of assurance is not required.

For high-assurance digital identity credentials, such as state-endorsed digital IDs, IAL2 with strong biometric matching is often considered the minimum acceptable level. It provides sufficient confidence for most government services and financial transactions, while remaining accessible to a wide range of applicants.

How IAL2 differs from IAL1

IAL1 requires minimal identity evidence, essentially self-assertion with limited verification. It's appropriate for low-risk transactions where identity errors would cause minimal harm. IAL2 significantly strengthens this by requiring verified evidence and biometric matching, providing a higher degree of confidence.

Remote vs. in-person proofing at IAL2

Both in-person and remote proofing can achieve IAL2, but they use different controls. In-person proofing relies on a trained operator examining documents and the applicant directly. Remote proofing relies on technology (document authentication, facial matching against the document photo, and liveness detection) to achieve equivalent confidence without physical presence.
