Building Digital Trust: Trust Swiftly's Hardware-Anchored IAL3 Compliant Solution

The NIST 800-63A Digital Identity Guidelines focus on enrolling and verifying individuals for digital authentication. Their latest revision adapts to modern threats while still balancing security with user experience and ongoing evaluation.
Identity Assurance Levels (IALs) provide various levels of assurance that a claimed identity corresponds to its physical counterpart, with level 3 requiring in-person verification. Through the ID&V validation process, the link between the strongest piece of identification evidence and the physical existence of the applicant can be confirmed.
TrustSwiftly is NIST IAL3 compliant
In NIST 800-63A, there are three levels of assurance for identity verification processes, known as identity assurance levels (IALs). NIST defines these three IAL levels for credential service providers (CSPs), verifiers, and relying parties. IAL1 offers minimal assurance, with no verification of claims or attributes needed at all; at the other extreme, IAL3 requires in-person physical biometric proofing for high-stakes transactions such as benefits eligibility checks or secure building access verifications.
Complying with NIST 800-63A IAL3 requires striking an optimal balance between security, privacy, and usability. This means conducting regular risk analyses, rigorous IAL3 identity proofing and enrollment processes, and an efficient federated ID management mechanism. Furthermore, the latest version of the guidelines enhances measures against identity-related fraud and phishing attacks, adds more phishing-resistant authentication options, and prepares for new technologies like mobile driver's licenses; in addition, it requires CSPs to verify subscriber control of authenticators in order to prevent unauthorized re-enrollment.
NIST IAL3 verification
The new NIST 800-63A IAL3 guidelines update IAL, AAL, and FAL levels to be more applicable to modern security requirements. They move away from an all-encompassing ordinal that dictates implementation requirements toward selecting identity assurance levels based on application needs, and include improvements that address accessibility concerns and reduce user friction. Ultimately, the guidelines' goal is to increase adoption by prioritizing user experience while decreasing implementation requirements imposed from above.
NIST has developed Identity Assurance Levels (IALs) to describe the strength of evidence used to verify an individual's claimed identity. IALs measure certainty between real-world identities and digital ones, and are used to communicate authentication and verification information across federated environments. Each IAL level increases the amount of verification needed, up to IAL3, which requires superior-strength identity proofing; transactions at that level could include accessing classified information, critical infrastructure or law enforcement systems.
NIST IAL3 identity proofing
The NIST 800-63-3 Digital Identity Guidelines offer an indispensable framework for extensive identity proofing, strong authentication and secure federated identity management. NIST has revised these guidelines in response to emerging threats such as phishing by advocating for stronger password policies, multi-factor authentication (MFA) with phishing-resistant authenticators, and user-controlled credentials such as FIDO passkeys or subscriber wallets.
The new guidelines update and redefine levels of assurance from Initial, Annual and Final (IAL, AAL and FAL), with increasingly stringent requirements. Furthermore, they remove any implied equality among levels, instead recommending that agencies select an adequate level based on mission needs, security requirements, privacy/risk considerations and costs.
The revised guidelines also eliminate the requirement that IAL2 verification must take place in-person, permitting remote identity proofing using strong biometrics such as face scans and fingerprints. This will make identity proofing much more accessible to many users while helping lower implementation costs for IAL2. Furthermore, FAL can now be accomplished using cryptographic binding in federated transactions, formalising techniques like FIDO passkeys, user wallets, and subscriber credentials into FAL systems.
NIST IAL3 compliant solution
The 2025 final version of TrustSwiftly NIST SP 800-63-3 marks a significant shift towards stronger, phishing-resistant authentication protocols. It deprecates email OTP authentication and downgrades SMS-based authentication while mandating MFA with integrated passkeys, as these traditional methods prove ineffective against targeted attacks.
An IAL3-compliant solution requires RPs to verify that a user's identity is genuine, correct, and belongs to an actual human being. This process builds on that of IAL2, with additional checks such as biometric authentication to ensure that users actually own the identities they claim; additional safeguards may include supervised remote proofing.
NIST IAL3 requirements consist of multiple Federated Assurance Levels (FALs) together with enrollment and NIST IAL3 verification processes. These define the FALs as well as the requirements for CSPs to reliably identify authenticators and link them with user accounts. Reputation Proofers, for their part, must consider the potential risks of accepting self-asserted attributes and the costs associated with identity proofing processes before selecting an initial FAL level for any user group.


