Identity Assurance Level
Identity Assurance Levels (IALs) are a framework outlined in the National Institute
of Standards and Technology (NIST) Special Publication (SP) 800-63-3, Digital Identity
Guidelines. They convey the degree of confidence that someone's claimed identity is their
real identity, that is, that the identity is authentic and accurate. IAL helps determine
the extent to which identity proofing (the process of verifying someone’s identity) has been
conducted before granting access to systems or resources. IAL is one of the three components
of identity assurance, alongside Authenticator Assurance Level (AAL) and Federation Assurance
Level (FAL).
NIST SP 800-63-3 outlines the guidelines for IALs, including the requirements for each
level and the types of evidence that can be used to support an identity claim. It also provides
guidance on how to select the appropriate IAL for a given application.
Levels of IAL
There are three Identity Assurance Levels, each corresponding to a different degree of
verification rigor:
- Identity Assurance Level 1 (IAL1)
  - Low assurance: Identity is self-asserted, meaning minimal verification is
    required. The individual provides personal information, but there is no significant proof
    required, such as government-issued ID.
  - Use case: Suitable for low-risk applications where the cost of a
    compromised identity is low, and minimal identity verification is needed.
- Identity Assurance Level 2 (IAL2)
  - Moderate assurance: Identity is verified through some form of
    credentialing, such as presenting a government-issued ID or undergoing a real-time
    verification process. A more formal process of identity proofing is involved, and the
    individual’s identity is validated. IAL2 might require one strong piece of evidence
    and two fair pieces of evidence to verify an identity.
  - Use case: This level is used for medium-risk applications where some degree
    of verification is necessary to mitigate identity fraud and ensure proper access control.
- Identity Assurance Level 3 (IAL3)
  - High assurance: The individual’s identity is rigorously validated
    through in-person verification or a highly trusted remote identity proofing process. The
    person’s identity is verified using multiple, reliable identity sources, with
    additional validation steps to ensure that the identity is legitimate and the individual is
    physically present. IAL3 might require a combination of biometric verification and in-person
    verification.
  - Use case: Used for high-risk applications where the cost of identity fraud
    is high, such as in government services, financial institutions, or healthcare.
Purpose of IALs
- IALs help determine the appropriate level of assurance required for different digital services and
applications.
- They are used by federal agencies to verify that people are who they say they are before being
granted access to restricted information or accounts.
- They are also used by organizations to establish a secure and reliable identity management
process.