
NIST SP 800-63 introduces Identity Assurance Levels (IAL), which specify the certainty with which digital identities correspond to real-world identities. Furthermore, this framework offers federated authentication mechanisms, allowing one assertion to be trusted by multiple relying parties at once.
HYPR Affirm, our passwordless authentication solution and comprehensive identity proofing platform, helps organizations meet NIST requirements by strengthening IALs. This enables them to meet both business and security objectives while eliminating password-based authentication methods.
IAL3 Compliant Solution
NIST has issued guidelines for identity proofing, the process of verifying that digital services are being accessed by legitimate people. These regulations can be found in NIST 800-63A IAL3 verification, which combines document validation with biometric comparison to reduce the risks of fraud and impersonation.
Trust Swiftly’s hardware-based remote NIST IAL3 verification solution meets NIST requirements while saving businesses money, mitigating security risks and satisfying auditors. Our scalable IAL3-compliant solution can support central agents during identity proofing processes, which include chat, video, facial recognition with liveness detection, document authentication and step-up reproofing according to risk.
NIST’s IAL, AAL and FAL levels remain, but their requirements have been modified to modernize the framework for federated assertions (FALs). SP 800-63-4 specifically mandates cryptographic binding in transactions that use FALs while formalizing user-controlled wallets and verifiable credentials integration.
Reduced Risk of Fraud
Identity fraud is one of the leading causes of data breaches. By verifying a user’s claimed identity each time they make a transaction or access information, NIST 800-63A IAL3 can reduce this risk and ensure only legitimate holders perform these actions.
NIST guidance outlines a tiered framework for digital authentication with different levels of assurance, each requiring different proofing levels and authenticators. IAL1 requires no link with real-world identities, while IAL3 involves verification by CSP representatives in person.
NIST 800-63A IAL3 modernizes this framework with a more granular, modular approach to IAL, AAL and FAL. Incorporating remote identity proofing for IAL2 and support for authenticators like FIDO Passkeys allows organizations to reach NIST compliance without impacting business operations or user experience. This approach has come to be known as finding their “sweet spot” of feasible implementation and effective risk reduction.
Reduced Risk of Data Breach
The IAL3 identity proofing process addresses complex threats such as password guessing, social engineering, and phishing attacks. IAL3 verification goes beyond simple email OTPs or SMS messages by collecting detailed evidence that verifies identities and prevents fraud. Step-up reproofing to mitigate the most dangerous threats is also implemented as part of this process.
NIST 800-63A IAL3 outlines a modular assurance model, moving away from fixed assurance levels towards risk-based identity management. Its digital identity framework provides essential support to agencies by helping reduce fraud while securely speeding mission-critical digital transformation.
NIST 800-63-3 outlines minimum assurance level requirements for an identity lifecycle, including secure travel of user-controlled credentials through all phases. It encourages anti-phishing MFA, hardware authenticators (e.g. PIV/CAC cards), subscriber wallets, strong authentication at IAL level and an elegant federation architecture featuring assertion handling that complies with encryption standards. Furthermore, NIST 800-63-3 calls out risk-based DIRM approaches which consider mission delivery impacts as well as individual user impacts. Zero Trust operationalizes this framework daily to provide continuous adaptive verification of users, devices, networks and applications across every stage.
Reduced Costs
NIST 800-63 is an important and influential standard that describes how organizations must authenticate identity. However, this complex and technical document can often be misinterpreted or applied improperly, leading to security gaps which expose organizations to risk while decreasing productivity.
Trust Swiftly’s holistic identity verification solution HYPR Affirm helps organizations achieve IAL2 and IAL3 compliance. By combining chat, video, facial recognition with liveness detection and document authentication, it validates a user’s claimed identity remotely while offering step-up reproofing based on risk to align with NIST guidelines and reduce the attack surface.
NIST SP 800-63-4 establishes more systematic DIRM processes and expands risk considerations beyond enterprise risks to include effects on mission delivery and public trust, and on equity and privacy for individual users. Furthermore, SMS-based OTP has been significantly downgraded, phish-resistant MFA methods must be adopted, and FIDO Passkeys become the default for AAL2 and AAL3.