The 3 Identity Assurance Levels for Continuous Identity Management

11.10.2022

Continuous identity assurance confirms an individual’s identity throughout the customer lifecycle. It satisfies Know Your Customer (KYC) verification guidelines by ensuring that applicant-provided evidence meets the appropriate level of assurance (LOA) rating. Moreover, digital enrollment methods must have the correct Identity Assurance Level (IAL). Learn how to reduce fraud using the digital identity framework. 

What Are Digital Identity Guidelines?

The National Institute of Standards and Technology (NIST) uses the term “level of assurance” to define the trustworthiness of identity information. Low LOA refers to unconfirmed or unverified self-declarations of identity, whereas high LOA data comes from a trusted source. 

The NIST Digital Identity Guidelines provide LOA standards for different processes, such as customer onboarding or logging in as a regular, confirmed user. It also details credential service provider (CSP) responsibilities for data governance. 

NIST breaks these guidelines into three categories:


  • Identity Assurance Level (IAL) for identity proofing
  • Authenticator Assurance Level (AAL) for authentication processes
  • Federation Assurance Level (FAL) for use in a federated environment

Many online services abide by guidelines for IAL and AAL, allowing them to verify applicants and returning customers. Identity Assurance Levels define how users can prove their identity to your organization, whereas Authenticator Assurance Levels authenticate a returning user using single or multifactor authentication tools (MFA).

The 3 Identity Assurance Levels

NIST provides an IAL decision tree to help determine your required Identity Assurance Level. It assesses the risks of delivering digital services to individuals and your organization. If any threats are high, you must use IAL3. However, if you rank personal safety as a moderate risk, that also requires IAL3. 

IAL 1: Some Confidence

This level doesn’t require identity proofing, as fewer threats, such as account takeover fraud, exist. You may request self-verification, such as an email address or full name, but you don’t need to validate or verify the information. Any information provided is considered self-asserted. The risks for IAL 1 are low to none for financial loss, liability and inconvenience, distress or damage to standing or reputation. If you require verification and validation of personal information, then you must use IAL 2.

IAL 2 - High Confidence

This level represents a moderate risk in the decision tree categories, such as financial loss and liability. It also covers low risk for harm to the agency or the public interest, unauthorized release of sensitive information and civil or criminal violations. IAL 2 supports KYC requirements and requires in-person or remote identity proofing. The provided identity evidence should be rated “Strong” or “Superior” and can include a passport, driver’s license and biometrics. 

IAL 3 - Very High Confidence

This is the highest level of identity assurance. Any categories marked as high risk require IAL 3. In addition, moderate threats to personal safety must be treated as IAL 3. Unlike IAL 2, biometrics are mandatory. You also must prove identities in person or through supervised proofing methods.

Supervised remote identity proofing is a robust procedure. It must include a trained operator, various security controls and high-resolution video monitoring through a company-controlled device. The evidence should consist of at least one Strong- or Superior-rated document.

IAL Evidence Categories

IAL 2 and IAL 3 describe how many pieces of proofing evidence you need to establish an applicant’s identity. The evidence falls into categories of strength related to acquiring and verifying the data. 

The four proofing evidence categories are: 


  1. Weak: Basic verification via a unique reference number, biometric data or a photograph.
  2. Fair: Combines weak evidence with verification through proofing. It can include knowledge-based questions, and the digital information should be encrypted.
  3. Strong: Meets fair evidence standards and has additional confirmation required by regulations or compliance standards. The verification must include a biometric ID or photo.
  4. Superior: Adheres to strong evidence guidelines and uses visual or background checks to confirm identity and connect a user to the identity. Superior evidence needs a photo and biometric ID. 

IAL Identity Proofing Steps

NIST describes how to establish an applicant’s identity. Before beginning the identity proofing process, your organization should decide what information you need to collect. The data should reflect your desired level of assurance based on the nature of your business. Common data types include name, email address, date of birth, physical address and social security number. 

Use a secure hosting service to request and collect information, such as an online form or website. Also, consider integrating a customer acceptance platform to automate the process. This allows you to gather and protect evidence like a driver’s license, birth certificate or passport. After collection, it’s time to verify and validate your application and materials. 

This stage involves proving that the documents are valid. They should be official government documents and be up to date. You can perform these checks manually, through a third party or use an automated fraud detection system.

NIST outlines the three-step process:


  1. Resolution: The collection stage is where you distinguish the individual from others in your system. It includes asking for personally identifiable information (PII) and identity evidence.
  2. Validation: Confirm the accuracy and authenticity of documents by verifying that applicant-supplied data matches the evidence and that the provided documents haven’t been altered.
  3. Verification: Match the validated data to the person supplying the evidence. Request a photo to match the identity documents and ensure they match. Send an enrollment code to the user’s phone number and confirm that they have it.

The Importance of Identity Assurance Levels to Your Organization

Failing to abide by IAL standards can threaten your business reputation and customer data. The Identity Theft Resource Center’s 2021 annual report found that data breaches are up over 68% compared to 2020," and 23% more than the previous all-time high in 2017. Additionally, your adherence or nonadherence also impacts your compliance with industry regulations. Any business that collects PII should review NIST guidelines, complete the decision tree and align its process with the appropriate level. 

Collect and Verify Data Securely

Satisfy IAL evidence requirements automatically with a fully managed customer acceptance platform. Instnt Verify™ confirms identity and authenticates transactions from Day-zero to Day-N. It uses behavioral and device intelligence to prevent account takeovers and improve your Anti-Money Laundering (AML) efforts. Request a demo to learn how Instnt can help your organization comply with NIST Identity Assurance Levels, and accept and monitor more good customers.

Share

About the Author

Instnt Inc. is a public benefit corporation on a mission to bring inclusion and instant account opening experiences for businesses and their customers through proprietary technology, artificial intelligence, open standards and a collaborative effort in the identity governance industry. With Instnt AcceptTM the first fully managed customer acceptance solution with up to $100M in annual fraud loss warranty, businesses can onboard more good customers, grow their top-line revenue, and cut their operational costs without friction or fraud losses in minutes.  Instnt AcceptTM powers various fast-growing financial institutions and credit unions.