Authenticator Assurance Levels (AALs) are security classifications defined by the National Institute of Standards and Technology (NIST) in its SP 800-63B guideline. They let an organization choose the strength of an authentication process according to the risk of granting access to a digital service. AALs range from AAL1 (lowest assurance) to AAL3 (highest assurance), so that the authentication mechanism matches the security requirements of what it protects.
| AAL Level | Description | Use Cases |
|---|---|---|
| AAL1 | Requires single-factor authentication, such as a password or PIN. Does not mandate phishing resistance. | Consumer websites, social media platforms |
| AAL2 | Requires multi-factor authentication (MFA), meaning two or more authentication factors are needed. Must be resistant to replay attacks. | Online banking, enterprise portals, government login systems |
| AAL3 | Requires hardware-based authenticators that provide cryptographic proof of possession. Mandates verifier impersonation resistance and phishing resistance. | Military, critical infrastructure, high-security enterprise systems |
With the latest NIST SP 800-63B supplement, synced passkeys are officially recognized as AAL2-compliant, while device-bound passkeys meet AAL3 requirements.
For enterprises implementing passkeys, understanding AAL classifications is critical to selecting the right authentication security level based on business and compliance needs.
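The table above says which AAL a synced or device-bound passkey can be credited with, but a relying party still has to read that distinction out of the assertion it receives. The following Python is an added example, not code from this page or from Corbado: it parses the fixed prefix of a WebAuthn authenticatorData value (rpIdHash, flags byte, signCount), uses the UV flag to decide whether a second factor was present and the BE (backup eligible) flag to tell a synced passkey from a device-bound one, and then maps the result onto the AAL mapping stated above. The `hardware_attested` parameter, the `example.com` relying party id and the three fixture assertions are constructed assumptions; proving that a key is hardware-bound requires attestation verification, which is outside this example, so an unattested device-bound passkey is conservatively credited with AAL2 only.

```python
import hashlib
import struct
from dataclasses import dataclass

# WebAuthn authenticatorData flag bits (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified: PIN or biometric on the authenticator (the second factor)
FLAG_BE = 0x08  # backup eligible: credential can be synced across devices
FLAG_BS = 0x10  # backup state: credential is currently backed up / synced


@dataclass(frozen=True)
class AssertionFlags:
    rp_id_hash: bytes
    user_present: bool
    user_verified: bool
    backup_eligible: bool
    backed_up: bool
    sign_count: int


def parse_authenticator_data(data: bytes) -> AssertionFlags:
    """Parse the fixed 37-byte prefix: rpIdHash (32) || flags (1) || signCount (4, big-endian)."""
    if len(data) < 37:
        raise ValueError("authenticatorData must be at least 37 bytes")
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    return AssertionFlags(
        rp_id_hash=data[:32],
        user_present=bool(flags & FLAG_UP),
        user_verified=bool(flags & FLAG_UV),
        backup_eligible=bool(flags & FLAG_BE),
        backed_up=bool(flags & FLAG_BS),
        sign_count=sign_count,
    )


def classify_aal(info: AssertionFlags, rp_id: str, hardware_attested: bool) -> int:
    """Return the highest AAL (1-3) this assertion can be credited with, or 0 if it must be rejected.

    hardware_attested is an assumption: the caller has already verified an attestation
    statement proving the key lives in hardware. That verification is not shown here.
    """
    expected_hash = hashlib.sha256(rp_id.encode("utf-8")).digest()
    if info.rp_id_hash != expected_hash or not info.user_present:
        return 0  # wrong relying party, or no user presence: reject outright
    if not info.user_verified:
        return 1  # possession only, a single factor
    if info.backup_eligible:
        return 2  # synced passkey: AAL2 under the SP 800-63B supplement
    if hardware_attested:
        return 3  # device-bound passkey with hardware proof of possession: AAL3
    return 2  # device-bound but unattested: credit AAL2 only (conservative assumption)


def authorize(data: bytes, rp_id: str, required_aal: int, hardware_attested: bool = False) -> bool:
    """Policy check: does this assertion reach the AAL the protected resource demands?"""
    return classify_aal(parse_authenticator_data(data), rp_id, hardware_attested) >= required_aal


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed test fixture (not real authenticator output): rpIdHash || flags || signCount."""
    rp_id_hash = hashlib.sha256(rp_id.encode("utf-8")).digest()
    return rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)


RP_ID = "example.com"  # constructed relying party id
# Synced passkeys typically report BE|BS set and a signCount of 0.
SYNCED_PASSKEY = build_authenticator_data(RP_ID, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
DEVICE_BOUND_PASSKEY = build_authenticator_data(RP_ID, FLAG_UP | FLAG_UV, 42)
PRESENCE_ONLY = build_authenticator_data(RP_ID, FLAG_UP, 7)

if __name__ == "__main__":
    for name, data, attested in [
        ("synced passkey", SYNCED_PASSKEY, False),
        ("device-bound, attested", DEVICE_BOUND_PASSKEY, True),
        ("device-bound, unattested", DEVICE_BOUND_PASSKEY, False),
        ("presence only", PRESENCE_ONLY, True),
    ]:
        aal = classify_aal(parse_authenticator_data(data), RP_ID, attested)
        print(f"{name}: AAL{aal}, meets AAL2 for banking portal: {aal >= 2}")
```

The flags byte is the only thing that distinguishes a synced credential from a device-bound one on the wire, so log it alongside the achieved AAL: a sudden flip of BE on an existing credential, or an assertion arriving with UV clear where policy requires AAL2, is worth an alert rather than a silent downgrade.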
Corbado is the Authentication Intelligence Platform for CIAM teams running consumer authentication at scale. We help you see what IDP logs and generic analytics tools can't: where passkeys, passwords, OTP, social login and fallback journeys succeed, stall or fail, which devices and browsers create friction, and when an OS update silently breaks login. Two products: Corbado Observe layers process mining and observability across authentication journeys. Corbado Connect adds managed passkeys with analytics built in alongside your IDP. VicRoads runs passkeys for 5M+ users with Corbado (+80% passkey activation).