Authentication Assurance Levels

Intermediate

Authentication Assurance Levels (AAL) are defined by the U.S. National Institute of Standards and Technology (NIST) in Special Publication 800-63B, the authentication volume of the SP 800-63-3 Digital Identity Guidelines. An AAL expresses how much confidence the verifier has that the party authenticating actually controls the authenticator(s) bound to the subscriber's account; it does not say anything about how well the account holder's real-world identity was established (that is the job of the Identity Assurance Level). There are three levels, AAL1, AAL2 and AAL3, each with stricter requirements on authenticator types, cryptography, phishing resistance and session lifetime, and the level an application enforces is chosen from the impact of an authentication failure, i.e. of an attacker successfully impersonating a user.

First Used

2017

Definitions

1

Synonyms
Levels of Assurance (LoA): predecessor term from OMB M-04-04 and SP 800-63-2, not a synonym in SP 800-63-3. Identity Assurance Levels (IAL) and Federation Assurance Levels (FAL) are sibling concepts, not synonyms.

Definitions

1

NIST Digital Identity Guidelines (SP 800-63-3)

Authentication Assurance Levels (AAL) are a core component of the NIST Digital Identity Guidelines (SP 800-63-3, with the authentication requirements in SP 800-63B), providing a risk-based framework for selecting authentication mechanisms. The appropriate AAL is determined by the potential impact of an attacker successfully impersonating a user, and it is selected independently of the IAL and FAL an application needs. Some requirements apply at every level: communication between claimant and verifier must use an authenticated protected channel (e.g., TLS), and the verifier must rate-limit failed authentication attempts.


AAL1: Some Assurance

This is the lowest level. It provides some assurance that the claimant controls an authenticator bound to the account, and single-factor authentication is sufficient (multi-factor is permitted but not required). The single factor may be something the user knows (a memorized secret such as a password) or something they have (e.g., an OTP device or a cryptographic software or hardware authenticator). Note that a browser cookie or remembered device is a session artifact, not an authenticator, and does not count as a factor.

  • Requirements: At least one authentication factor from the permitted authenticator types; reauthentication at least every 30 days.
  • Use Case: Accessing public-facing websites, forums, or low-risk applications where the consequence of a compromised account is minimal.
  • Vulnerabilities: A password-only deployment is susceptible to phishing, credential stuffing, and password guessing and spraying attacks.

AAL2: High Assurance

This level provides high confidence in the user's identity by requiring multi-factor authentication (MFA): proof of possession and control of two distinct authentication factors. This can be two separate authenticators, such as something you know (password) plus something you have (a code from an OTP app or device), or a single multi-factor authenticator, such as a cryptographic key that is unlocked with a PIN or biometric. Two authenticators of the same factor type (for example, a password plus security questions) do not reach AAL2.

  • Requirements: Two different authentication factors. Approved cryptography must be used throughout. Phishing resistance (verifier impersonation resistance) is recommended but not required. Sessions must be reauthenticated at least every 12 hours, and after 30 minutes of inactivity; reauthentication may use a single factor. SMS and voice out-of-band authenticators are "restricted" at this level: they are permitted, but the organization must assess the risk and notify users.
  • Use Case: Online banking, accessing employee portals, or any system where a compromise could lead to moderate financial or reputational damage.
  • Key Feature: Provides strong protection against online attacks that compromise a single factor, such as a leaked or guessed password.

AAL3: Very High Assurance

This is the highest level, designed for high-risk scenarios. Authentication is based on proof of possession of a cryptographic key and must use two distinct factors, a hardware-based authenticator (a 'hard token' holding the key in a device the user possesses), and an authenticator that provides verifier impersonation resistance; the same device may satisfy both of the last two requirements. Verifier impersonation resistance is what is commonly called phishing-resistant MFA: the authenticator binds its response to the verifier's identity (for example, the site origin in FIDO2/WebAuthn or a TLS channel binding), so a look-alike site cannot relay the response to the real service.

  • Requirements: Multi-factor authentication where at least one authenticator is a hardware cryptographic device (e.g., a PIV smart card or a FIPS-validated FIDO2 security key) and at least one is verifier-impersonation resistant. Authenticators must be validated under FIPS 140 (for multi-factor authenticators, Level 2 overall with Level 3 physical security). The verifier must also be compromise-resistant (it stores only public keys or hashed secrets, so a breach of the verifier does not yield usable authenticators). Sessions must be reauthenticated at least every 12 hours, and after 15 minutes of inactivity, using both factors.
  • Use Case: High-impact government systems (SP 800-63 is scoped to unclassified systems, so classified networks follow their own rules), privileged access to critical infrastructure, or high-value financial transactions.
  • Key Feature: Provides robust protection against phishing and man-in-the-middle (MitM) relay attacks, and against malware that could copy or misuse key material held by a software-based authenticator.
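The three level descriptions above, and the AAL2-versus-AAL3 question in the FAQ, boil down to a small set of rules a verifier can evaluate at login and again on every request to a protected resource. The following is an added example for this page, not NIST's or any vendor's code: it classifies the authenticators used in a session into the AAL they reach (counting distinct factors rather than authenticators, and requiring both a hardware authenticator and a verifier-impersonation-resistant one for AAL3), applies the SP 800-63B reauthentication limits, and makes a step-up decision. The authenticator type names, the `Authenticator` fields, the `authorize` function and its epoch-second timestamps are this example's own modelling choices, not identifiers from the standard; FIPS 140 validation and approved-cryptography checks are left out.

```python
"""Evaluate the Authentication Assurance Level (AAL) a login session reaches
and enforce the per-AAL reauthentication limits of NIST SP 800-63B section 4.

Added example for this page, not NIST's or any vendor's code. The type names,
dataclass fields and epoch-second timestamps are this example's own assumptions.
FIPS 140 validation and approved-cryptography checks are out of scope.
"""
from dataclasses import dataclass

# SP 800-63B section 5.1 authenticator types and the factor(s) each proves.
# Multi-factor (mf_*) authenticators are activated by a memorized secret or a
# biometric; this example assumes a PIN, so they prove "have" and "know".
FACTORS = {
    "memorized_secret":   {"know"},
    "lookup_secret":      {"have"},
    "oob_device":         {"have"},
    "sf_otp_device":      {"have"},
    "mf_otp_device":      {"have", "know"},
    "sf_crypto_software": {"have"},
    "sf_crypto_device":   {"have"},
    "mf_crypto_software": {"have", "know"},
    "mf_crypto_device":   {"have", "know"},
}


@dataclass(frozen=True)
class Authenticator:
    kind: str
    hardware: bool = False   # secret lives in a hardware device (hard token)
    # Response is bound to the verifier (e.g. WebAuthn origin binding).
    verifier_impersonation_resistant: bool = False
    restricted: bool = False  # e.g. SMS/PSTN out-of-band (SP 800-63B 5.2.10)


def achieved_aal(auths):
    """Return the AAL (0-3) reached by the authenticators used in one login.

    AAL1: at least one authenticator.
    AAL2: two distinct factors (two memorized secrets are still one factor).
    AAL3: AAL2 plus a hardware-based authenticator plus a verifier-
          impersonation-resistant one; a single device may satisfy both.
    """
    if not auths:
        return 0
    factors = set()
    for a in auths:
        if a.kind not in FACTORS:
            raise ValueError(f"unknown authenticator type {a.kind!r}")
        factors |= FACTORS[a.kind]
    if len(factors) < 2:
        return 1
    hardware = any(a.hardware for a in auths)
    phishing_resistant = any(a.verifier_impersonation_resistant for a in auths)
    return 3 if hardware and phishing_resistant else 2


# SP 800-63B Table 4-1: (max session lifetime, max inactivity) in seconds.
# AAL1 has no inactivity limit; AAL3 reauthentication must use both factors.
REAUTH_LIMITS = {
    1: (30 * 86400, None),
    2: (12 * 3600, 30 * 60),
    3: (12 * 3600, 15 * 60),
}


def needs_reauthentication(aal, started_at, last_activity_at, now):
    """True when a session at `aal` has outlived its lifetime or idle limit."""
    lifetime, idle = REAUTH_LIMITS[aal]
    if now - started_at >= lifetime:
        return True
    return idle is not None and now - last_activity_at >= idle


def authorize(required_aal, auths, started_at, last_activity_at, now):
    """Decide whether a session may reach a resource demanding `required_aal`.

    Returns (allowed, reason). The session limits applied are those of the AAL
    the resource requires (this example's design choice), so a session that is
    fresh enough for AAL2 may still need reauthentication for an AAL3 resource.
    """
    aal = achieved_aal(auths)
    if aal < required_aal:
        return False, f"step-up required: session is AAL{aal}, resource needs AAL{required_aal}"
    if needs_reauthentication(required_aal, started_at, last_activity_at, now):
        return False, f"reauthentication required: AAL{required_aal} session limits exceeded"
    if any(a.restricted for a in auths):
        return True, f"allowed at AAL{aal}, but a restricted authenticator was used; risk acceptance and subscriber notice apply"
    return True, f"allowed at AAL{aal}"


if __name__ == "__main__":
    password = Authenticator("memorized_secret")
    totp_app = Authenticator("sf_otp_device")
    fido_key = Authenticator("sf_crypto_device", hardware=True,
                             verifier_impersonation_resistant=True)
    now = 1_700_000_000  # constructed epoch timestamp for the demo
    for label, auths in [("password only", [password]),
                         ("password + TOTP", [password, totp_app]),
                         ("password + hardware FIDO key", [password, fido_key])]:
        print(f"{label}: AAL{achieved_aal(auths)}")
    # 20 minutes idle exceeds the 15-minute AAL3 inactivity limit.
    print(authorize(3, [password, fido_key], now - 3600, now - 20 * 60, now))
```

Two edge cases in the block are the ones that most often go wrong in real deployments: a password plus "security questions" stays at AAL1 because both are something you know, and a software passkey that is phishing-resistant but not hardware-backed tops out at AAL2 even though it is multi-factor.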

Origin & History

Etymology

The term is a descriptive combination of its core concepts: 'Authentication' (the process of verifying that a claimant controls the authenticators bound to a claimed identity), 'Assurance' (the degree of confidence in that verification), and 'Levels' (a standardized, hierarchical scale). NIST introduced the term in SP 800-63-3 (2017) to separate authentication strength from identity proofing and federation within its digital identity risk management framework.

Historical Context

The concept of standardized assurance levels originated with the U.S. Office of Management and Budget (OMB) memorandum M-04-04 in December 2003, which established four Levels of Assurance (LoA) for federal agencies implementing e-authentication. Each LoA combined identity proofing and authentication strength into a single measure. NIST supplied the technical requirements for those levels in SP 800-63 (2006) and its revisions SP 800-63-1 (2011) and SP 800-63-2 (2013). In June 2017, NIST released a major update, SP 800-63-3, which significantly restructured the framework by decoupling digital identity into three separately selected components, each with its own volume:

  • Identity Assurance Levels (IAL): the identity proofing process (SP 800-63A).
  • Authentication Assurance Levels (AAL): the authentication event itself (SP 800-63B).
  • Federation Assurance Levels (FAL): the assertion used in a federated environment (SP 800-63C).

This revision introduced the AAL1, AAL2, and AAL3 framework in use today, replacing the old LoA 1-4 model (OMB later rescinded M-04-04 in memorandum M-19-17 in 2019). The change provided greater flexibility and clarity, allowing organizations to apply different levels of rigor to different parts of the identity lifecycle based on specific risks; for example, a service can require strong authentication (AAL2) for an account whose identity was only self-asserted (IAL1).


Usage Examples

1

To comply with federal regulations, our application must enforce Authentication Assurance Level 2 for all users handling personally identifiable information.

2

While viewing public records only requires AAL1, modifying them demands a higher assurance level (AAL2) to prevent unauthorized changes.

3

The Department of Defense requires AAL3 for access to its most sensitive systems, ensuring that authentication is protected by a hardware cryptographic device.


Frequently Asked Questions

What are the three Authentication Assurance Levels defined by NIST and what do they represent?

The three levels are:

  • AAL1 (Some Assurance): Single-factor authentication, such as a password, is sufficient. It provides some assurance that the claimant controls the authenticator but, when deployed as password-only, is vulnerable to common threats like phishing, credential stuffing and password spraying.

  • AAL2 (High Assurance): Requires multi-factor authentication (MFA) using two different types of factors, either as two authenticators or as one multi-factor authenticator. This level provides high confidence in the user's identity and protects against online guessing attacks and theft of a single factor. Phishing resistance is recommended but not required.

  • AAL3 (Very High Assurance): Requires multi-factor, cryptographic authentication using a hardware-based authenticator together with verifier impersonation resistance (the same device may provide both). This is the highest level, providing very high confidence by using a 'hard token' whose key cannot be exported and whose responses are bound to the genuine verifier, making it resistant to phishing and man-in-the-middle relay attacks.

What is the primary distinction between AAL2 and AAL3?

The primary distinction is that AAL3 adds two requirements on top of AAL2's two-factor rule: at least one authenticator must be hardware-based, and at least one must provide verifier impersonation resistance. AAL2 allows software-based authenticators (such as an OTP app on a smartphone) and does not require phishing resistance. A hardware cryptographic authenticator (e.g., a PIV smart card or a FIPS-validated security key) keeps the private key inside the device, so malware on the user's machine cannot copy it; verifier impersonation resistance (as in FIDO2/WebAuthn, where the signed challenge is bound to the site origin) means a phishing site that relays the login cannot obtain a response the real verifier will accept. These are separate properties: a software passkey can be phishing-resistant yet only reach AAL2, and a hardware OTP token resists key extraction but not phishing. AAL3 also tightens session handling, requiring reauthentication with both factors after 15 minutes of inactivity rather than AAL2's 30.


Categories

Cybersecurity; Identity and Access Management (IAM)

Tags

security; identity; authentication; NIST; cybersecurity; access control