AAL (Authenticator Assurance Level)
A NIST standard that measures authentication strength across three levels, from basic passwords to multi-factor cryptographic verification.
What is AAL (Authenticator Assurance Level)?
Authenticator Assurance Level (AAL) is a metric defined by NIST (National Institute of Standards and Technology) in Special Publication 800-63-3 that quantifies the confidence level in the authentication process. It evaluates how strongly an authentication method proves the user's identity.
AAL has three levels:
- AAL1: Basic, single-factor authentication (for example a password or a one-time password)
- AAL2: Multi-factor authentication, with requirements for authentication intent and verifier impersonation resistance
- AAL3: Highest assurance, using hardware-based cryptographic authenticators with verifier impersonation resistance
Organizations use AAL to determine appropriate authentication requirements based on the sensitivity of the data or systems being accessed.
Analogy
Think of AAL like security clearance levels at a government building. Level 1 is showing a basic ID badge, Level 2 is ID plus a fingerprint scan, and Level 3 is ID plus fingerprint plus a security escort - each level provides stronger assurance that you are who you claim to be.
Types and Use Cases
- Government Systems: Federal agencies use AAL2 or AAL3 for accessing sensitive citizen data and internal systems
- Healthcare: HIPAA-compliant systems require AAL2+ for accessing protected health information (PHI)
- Financial Services: Banks and fintech apps use AAL2 for transaction authorization and AAL3 for high-value transfers
- Corporate Security: Enterprises map internal access levels to AAL standards for consistent security policies
How it Works
  {
    "authenticationPolicy": {
      "resource": "/api/sensitive-health-records",
      "requiredAAL": "AAL2",
      "acceptedMethods": ["sms-otp", "totp", "push-notification"],
      "sessionDuration": "30m",
      "reauthRequired": true
    }
  }

AAL (Authenticator Assurance Level) vs FIDO2/WebAuthn
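The policy above only describes the rule; what an enforcement point actually has to do is work out which AAL the current session has reached from the authenticators that were used, compare that with requiredAAL, and check the session age before deciding whether to step the user up. The following is an added example (not LoginRadius code) of that evaluation in Python. It uses the page's policy object as its input; the authenticator catalogue, the factor and hardware attributes (an outline of the NIST SP 800-63B rules, not the full normative text), the session record format and the four sample sessions are all assumptions constructed for the example.

```python
"""Evaluate a session against an AAL-based resource policy.

Added example (not LoginRadius code). The authenticator attributes follow
NIST SP 800-63B in outline, the policy dict is the JSON snippet from this
page, and the sessions in demo_decisions() are constructed test data.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Authenticator:
    name: str
    factors: frozenset            # factor types proven: knowledge / possession / inherence
    hardware_bound: bool          # key material held in hardware (needed for AAL3)
    phishing_resistant: bool      # verifier impersonation resistant (needed for AAL3)
    restricted: bool = False      # NIST "restricted" authenticator type (SMS OTP)


# Assumed catalogue; method names mirror the page's acceptedMethods list.
CATALOGUE = {
    "password": Authenticator("password", frozenset({"knowledge"}), False, False),
    "sms-otp": Authenticator("sms-otp", frozenset({"possession"}), False, False, restricted=True),
    "totp": Authenticator("totp", frozenset({"possession"}), False, False),
    "push-notification": Authenticator("push-notification", frozenset({"possession"}), False, False),
    # Hardware security key unlocked by a PIN: possession + knowledge in one device.
    "fido2-hardware-key": Authenticator("fido2-hardware-key", frozenset({"possession", "knowledge"}), True, True),
}

# The resource policy from the page, as a Python dict.
POLICY = {
    "resource": "/api/sensitive-health-records",
    "requiredAAL": "AAL2",
    "acceptedMethods": ["sms-otp", "totp", "push-notification"],
    "sessionDuration": "30m",
    "reauthRequired": True,
}


def achieved_aal(methods):
    """Map the authenticators used in a session to the AAL they establish."""
    auths = [CATALOGUE[m] for m in methods]
    if not auths:
        return 0
    factors = set().union(*(a.factors for a in auths))
    if len(factors) < 2:
        return 1   # one factor type only, however many authenticators were used
    if any(a.hardware_bound and a.phishing_resistant for a in auths):
        return 3   # two factors including a hardware cryptographic authenticator
    return 2


def parse_duration(text):
    """Parse the policy's '30m' / '12h' / '900s' style durations."""
    m = re.fullmatch(r"(\d+)([smh])", text)
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    return timedelta(seconds=int(m.group(1)) * {"s": 1, "m": 60, "h": 3600}[m.group(2)])


def evaluate(policy, session, now):
    """Decide 'allow' or 'step-up' for one request against one policy.

    session = {"methods": [...catalogue names...], "authenticated_at": datetime}
    """
    required = int(policy["requiredAAL"].removeprefix("AAL"))
    level = achieved_aal(session["methods"])
    reasons = []
    if level < required:
        reasons.append(f"session is AAL{level}, resource requires AAL{required}")
    age = now - session["authenticated_at"]
    if policy.get("reauthRequired") and age > parse_duration(policy["sessionDuration"]):
        reasons.append(f"session age {age} exceeds {policy['sessionDuration']}")
    decision = "allow" if not reasons else "step-up"
    return {
        "decision": decision,
        "aal": level,
        "reasons": reasons,
        # Offer only the methods the policy accepts for step-up.
        "step_up_options": list(policy["acceptedMethods"]) if decision == "step-up" else [],
        # Restricted authenticators still count at AAL2 but are worth logging.
        "restricted_methods": [m for m in session["methods"] if CATALOGUE[m].restricted],
    }


def demo_decisions():
    """Run four constructed sessions through the page's policy."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed clock
    fresh, stale = now - timedelta(minutes=5), now - timedelta(hours=2)
    sessions = {
        "password only": {"methods": ["password"], "authenticated_at": fresh},
        "password + totp": {"methods": ["password", "totp"], "authenticated_at": fresh},
        "password + sms (stale)": {"methods": ["password", "sms-otp"], "authenticated_at": stale},
        "hardware key": {"methods": ["fido2-hardware-key"], "authenticated_at": fresh},
    }
    return {label: evaluate(POLICY, s, now) for label, s in sessions.items()}


if __name__ == "__main__":
    for label, result in demo_decisions().items():
        print(f"{label:24s} -> {result['decision']} (AAL{result['aal']}) {result['reasons']}")
```

Two design points carry over to a real deployment: the level is derived from distinct factor types, so two possession-based authenticators (SMS OTP plus TOTP) still only reach AAL1, and the session-age check is what makes reauthRequired meaningful, since an AAL2 login that happened two hours ago is no longer fresh enough for a 30m policy. The restricted_methods field is there so that reliance on SMS OTP shows up in audit logs even when the request is allowed.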
| AAL (Authenticator Assurance Level) | FIDO2/WebAuthn |
| --- | --- |
| AAL is a measurement framework by NIST | FIDO2 is a technical standard for passwordless authentication |
| AAL defines policy requirements | FIDO2 provides implementation methods that can satisfy AAL2 or AAL3 |
| AAL applies to all authentication types | FIDO2 specifically addresses phishing-resistant passwordless auth |
Best Practices for AAL (Authenticator Assurance Level)
- Map AAL to data sensitivity: Use AAL1 for public data, AAL2 for personal data, AAL3 for regulated/sensitive data
- Document AAL requirements: Maintain clear policies showing which systems require which AAL level
- Regular compliance audits: Review authentication methods quarterly to ensure they still meet the assigned AAL requirements
How LoginRadius Powers AAL (Authenticator Assurance Level)
LoginRadius Identity Platform provides flexible authentication options that map to NIST AAL requirements. Our MFA suite includes SMS/Email OTP, TOTP, Push Notification, and FIDO2/WebAuthn support. With our adaptive authentication engine, you can enforce AAL-based policies that require step-up authentication for sensitive resources. LoginRadius also provides audit logs and compliance reporting to demonstrate AAL adherence during security assessments.
FAQs
AAL (Authenticator Assurance Level) measures the strength of the authentication process (how well you prove who you are). IAL (Identity Assurance Level) measures the confidence in the identity proofing process (how well you verified the person's identity when creating the account). Both are part of NIST SP 800-63-3 but address different phases of the identity lifecycle.
SMS OTP can meet AAL2 requirements, but with limitations: NIST classifies SMS OTP as a 'restricted' authenticator because of vulnerabilities such as SIM swapping and interception. For full AAL2 compliance without restrictions, use TOTP (Google Authenticator), push notifications, or hardware tokens. SMS OTP is not acceptable for AAL3 under any circumstances.
LoginRadius supports authentication methods that can satisfy AAL1, AAL2, and AAL3 requirements. Our platform offers SMS/Email OTP (AAL1), TOTP and Push Notification (AAL2), and integrates with FIDO2/WebAuthn hardware keys (AAL3). We also provide session management and adaptive authentication to help organizations enforce AAL-based policies.