What are Authenticator Assurance Levels in digital identity?

Authenticator Assurance Levels (AALs) define authentication security tiers in digital identity, ensuring strong protection against threats.

Vincent Delitz

Created: January 31, 2025

Updated: May 12, 2026

What are Authenticator Assurance Levels (AALs)?

Authenticator Assurance Levels (AALs) are security classifications defined by the National Institute of Standards and Technology (NIST) in their SP 800-63B guidelines. These levels help organizations determine the strength of an authentication process based on the risk associated with access to digital services. AALs range from AAL1 (low security) to AAL3 (high security), ensuring that authentication mechanisms meet appropriate security requirements.

Breakdown of AALs

| AAL Level | Description | Use Cases |
|-----------|-------------|-----------|
| AAL1 | Requires single-factor authentication, such as a password or PIN. Does not mandate phishing resistance. | Consumer websites, social media platforms |
| AAL2 | Requires multi-factor authentication (MFA), meaning two or more authentication factors are needed. Must be resistant to replay attacks. | Online banking, enterprise portals, government login systems |
| AAL3 | Requires hardware-based authenticators that provide cryptographic proof of possession. Mandates verifier impersonation resistance and phishing resistance. | Military, critical infrastructure, high-security enterprise systems |

How do Passkeys Align with AALs?

With the latest NIST SP 800-63B supplement, synced passkeys are officially recognized as AAL2-compliant, while device-bound passkeys meet AAL3 requirements.

  • Synced passkeys (AAL2): Provide phishing resistance and secure storage while allowing key synchronization across devices. They are an improvement over passwords and SMS-based MFA but do not meet AAL3 due to cloud-based key synchronization.
  • Device-bound passkeys (AAL3): Require cryptographic proof of identity and are tied to a specific device, making them highly resistant to credential compromise.
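As an added example (not Corbado's code and not part of the original page), the following Python shows how a relying party can tell a synced passkey from a device-bound one from the flags byte of the WebAuthn authenticator data, using the backup eligibility (BE) and backup state (BS) bits, and map the result to the AAL tiers described above. The bit positions follow the WebAuthn Level 3 specification; the AAL mapping itself (synced passkey to AAL2, device-bound passkey to AAL3, and a credential used without user verification counted as single factor, AAL1) is an assumption drawn from the table and paragraph above, not from NIST text quoted on this page.

```python
"""Classify a WebAuthn credential as synced or device-bound and map it to an
AAL tier.

Added example, not Corbado's code. Assumes the WebAuthn Level 3 layout of the
authenticator data 'flags' byte (bit 0 UP, bit 2 UV, bit 3 BE, bit 4 BS,
bit 6 AT, bit 7 ED) and the alignment stated in the article:
synced passkey -> AAL2, device-bound passkey -> AAL3.
A passkey asserted without user verification is treated as a single factor
(AAL1), following the table's definition of AAL1; that rule is an assumption.
"""
from dataclasses import dataclass

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (second factor: PIN or biometric on the authenticator)
FLAG_BE = 0x08  # backup eligible: the credential may be synced to other devices
FLAG_BS = 0x10  # backup state: the credential is currently backed up
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows

RP_ID_HASH_LEN = 32  # SHA-256 of the RP ID precedes the flags byte
SIGN_COUNT_LEN = 4   # big-endian signature counter follows the flags byte

AAL_ORDER = {"AAL1": 1, "AAL2": 2, "AAL3": 3}


@dataclass(frozen=True)
class CredentialClass:
    user_verified: bool
    backup_eligible: bool
    backed_up: bool
    kind: str  # "synced" or "device-bound"
    aal: str   # "AAL1", "AAL2" or "AAL3"


def parse_flags(auth_data: bytes) -> int:
    """Return the flags byte from raw authenticator data."""
    if len(auth_data) < RP_ID_HASH_LEN + 1 + SIGN_COUNT_LEN:
        raise ValueError("authenticator data too short")
    return auth_data[RP_ID_HASH_LEN]


def classify(auth_data: bytes) -> CredentialClass:
    """Derive synced/device-bound and the assumed AAL tier from the flags."""
    flags = parse_flags(auth_data)
    if not flags & FLAG_UP:
        raise ValueError("user presence flag not set; reject the assertion")
    be = bool(flags & FLAG_BE)
    bs = bool(flags & FLAG_BS)
    if bs and not be:
        # The spec forbids a backed-up credential that is not backup eligible.
        raise ValueError("BS set without BE: invalid flag combination")
    uv = bool(flags & FLAG_UV)
    kind = "synced" if be else "device-bound"
    if not uv:
        aal = "AAL1"          # possession only: single factor
    elif be:
        aal = "AAL2"          # synced passkey, per the article
    else:
        aal = "AAL3"          # device-bound passkey, per the article
    return CredentialClass(uv, be, bs, kind, aal)


def meets_required_aal(cred: CredentialClass, required: str) -> bool:
    """Policy check: does the credential reach the tier the service requires?"""
    return AAL_ORDER[cred.aal] >= AAL_ORDER[required]


def _sample_auth_data(flags: int) -> bytes:
    # Constructed sample: all-zero rpIdHash, the given flags, sign count 1.
    return bytes(RP_ID_HASH_LEN) + bytes([flags]) + (1).to_bytes(SIGN_COUNT_LEN, "big")


# Constructed inputs standing in for real authenticator data.
SYNCED_SAMPLE = _sample_auth_data(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)
DEVICE_BOUND_SAMPLE = _sample_auth_data(FLAG_UP | FLAG_UV)
NO_UV_SAMPLE = _sample_auth_data(FLAG_UP | FLAG_BE)

if __name__ == "__main__":
    for name, data in (("synced", SYNCED_SAMPLE),
                       ("device-bound", DEVICE_BOUND_SAMPLE),
                       ("no user verification", NO_UV_SAMPLE)):
        c = classify(data)
        print(f"{name}: kind={c.kind} aal={c.aal} uv={c.user_verified}")
```

The flags only tell you whether the credential can be synced; they do not prove that a device-bound key lives in hardware or that the authenticator resists verifier impersonation, which the table lists as AAL3 requirements. A service that gates access on AAL3 should therefore also verify the attestation statement at registration rather than relying on the BE bit alone.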
For enterprises implementing passkeys, understanding AAL classifications is critical to selecting the right authentication security level based on business and compliance needs.

Read the full article

NIST Passkeys

Read the full article

Learn why synced passkeys are AAL2- & device-bound passkeys are AAL3-compliant after NIST's SP 800-63B supplement & what ENISA, NCSC & BSI say about passkeys.

Read the full article

Read by 5,000+ security leaders.

See what's really happening in your passkey rollout.

Explore the Console

Share this article


LinkedInTwitterFacebook