What Is NIST IAL3?

NIST IAL3 (Identity Assurance Level 3) is the highest identity proofing standard defined in NIST SP 800-63A. It provides the strongest available confidence that the applicant is who they claim to be, requiring in-person identity proofing with verified biometrics and rigorous evidence validation.

What does IAL3 require?

IAL3 identity proofing is on-site attended. The applicant must appear in person before a trained representative, who examines the applicant's identity documents and the applicant directly. This cannot be fully achieved through remote proofing alone.

The process requires the presentation of superior-strength identity evidence as defined by NIST, such as a passport or other forms of strong identity evidence, which is verified against the issuing authority's databases. Biometric capture is mandatory, and the biometric must be bound to the proofing event using strong controls defined in the guidelines.

IAL3 also requires verification that the identity evidence belongs to the applicant and hasn't been reported lost, stolen, or compromised. The proofing event itself is logged and auditable.

When is IAL3 appropriate?

IAL3 is reserved for high-risk transactions where identity errors could cause serious harm, for example, access to classified information, critical infrastructure, or law enforcement systems.

For most government services and financial transactions, IAL2 with strong biometric matching provides sufficient assurance. IAL3's in-person requirement makes it less accessible and more resource-intensive, so it should be reserved for genuinely high-stakes use cases.

How credentials reflect IAL levels

Credentials should explicitly indicate the identity assurance level under which they were issued. This allows verifiers to determine whether a credential meets the requirements for a specific transaction. A credential issued at IAL3 might be accepted for secure physical building access, while an IAL2 credential might suffice for benefits eligibility checks.

This tiered approach ensures that resources are applied proportionally to transaction sensitivity, while maintaining clear standards for what different credential types represent.
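A verifier-side check for the tiering described above, as an added sketch rather than code from NIST or from this page. The `ial` claim name and the transaction labels are assumptions, and the claims are assumed to come from a credential whose signature has already been verified.

```python
from dataclasses import dataclass

# Minimum IAL per transaction, following the two examples in the text.
# The transaction labels are hypothetical names chosen for this sketch.
REQUIRED_IAL = {
    "building_access": 3,
    "benefits_eligibility": 2,
}

# SP 800-63A defines IAL1, IAL2 and IAL3; anything else is rejected.
VALID_IALS = {1, 2, 3}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def parse_ial(claims: dict):
    """Return the credential's IAL as an int, or None if absent or malformed."""
    value = claims.get("ial")  # hypothetical claim name
    # bool is a subclass of int in Python, so True would otherwise pass as IAL1.
    if isinstance(value, bool) or not isinstance(value, int):
        return None
    return value if value in VALID_IALS else None


def check_credential(claims: dict, transaction: str) -> Decision:
    """Fail closed: deny unless the transaction is known and the IAL is sufficient."""
    required = REQUIRED_IAL.get(transaction)
    if required is None:
        return Decision(False, "unknown transaction")
    ial = parse_ial(claims)
    if ial is None:
        return Decision(False, "missing or malformed IAL")
    if ial < required:
        return Decision(False, f"IAL{ial} below required IAL{required}")
    return Decision(True, f"IAL{ial} meets required IAL{required}")


if __name__ == "__main__":
    # Constructed sample credentials.
    for claims in ({"ial": 3}, {"ial": 2}, {"ial": "3"}, {}):
        print(claims, check_credential(claims, "building_access"))
```

The check denies by default: a credential with no level, a level encoded as a string, or a transaction with no stated policy is refused rather than treated as the lowest tier.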
