---
url: 'https://www.corbado.com/faq/authenticator-assurance-levels-aal-digital-identity'
title: 'What are Authenticator Assurance Levels in digital identity?'
description: 'Authenticator Assurance Levels (AALs) define authentication security tiers in digital identity, ensuring strong protection against threats.'
lang: 'en'
keywords: 'Authenticator Assurance Levels, AAL, AAL1'
---

# What are Authenticator Assurance Levels in digital identity?

## What are Authenticator Assurance Levels (AALs)?

[Authenticator](https://www.corbado.com/glossary/authenticator) Assurance Levels (AALs) are security
classifications defined by the **National Institute of Standards and Technology (NIST)**
in their **SP 800-63B** guidelines. These levels help organizations determine the strength
of an authentication process based on the risk associated with access to digital services.
AALs range from **AAL1 (low security)** to **AAL3 (high security)**, ensuring that
authentication mechanisms meet appropriate security requirements.

### Breakdown of AALs

| **AAL Level** | **Description**                                                                                                                                            | **Use Cases**                                                       |
| ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------- |
| **AAL1**      | Requires single-factor authentication, such as a password or PIN. Does not mandate phishing resistance.                                                    | Consumer websites, social media platforms                           |
| **AAL2**      | Requires multi-factor authentication (MFA), meaning two or more authentication factors are needed. Must be resistant to replay attacks.                    | Online banking, enterprise portals, government login systems        |
| **AAL3**      | Requires hardware-based authenticators that provide cryptographic proof of possession. Mandates verifier impersonation resistance and phishing resistance. | Military, critical infrastructure, high-security enterprise systems |

### How do Passkeys Align with AALs?

With the latest **NIST SP 800-63B supplement**, **synced passkeys** are officially
recognized as **AAL2-compliant**, while **device-bound passkeys** meet **AAL3
requirements**.

- **Synced passkeys (AAL2)**: Provide [phishing](https://www.corbado.com/glossary/phishing) resistance and secure
  storage while allowing key synchronization across devices. They are an improvement over
  passwords and SMS-based MFA but do not meet [AAL3](https://www.corbado.com/blog/nist-passkeys) due to
  cloud-based key synchronization.
- **Device-bound passkeys (AAL3)**: Require cryptographic proof of identity and are tied
  to a specific device, making them highly resistant to credential compromise.
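As an added example (not Corbado's code, nor text from NIST), the following relying-party check reads the WebAuthn authenticator-data flags to classify a passkey assertion by the highest AAL it can be credited with: user verification unset means possession only (AAL1), backup-eligible (synced) means AAL2, and device-bound is only an AAL3 candidate because the hardware-authenticator requirement is not visible in the flags and must be confirmed from attestation at registration. It assumes the WebAuthn Level 3 flag layout (UP, UV, BE, BS), and the sample authenticator data is constructed.

```python
import hashlib
import struct

# WebAuthn authenticator-data flag bits (Level 3): UP, UV, BE (backup eligible), BS (backed up)
FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS = 0x01, 0x04, 0x08, 0x10


def parse_flags(auth_data: bytes) -> dict:
    """Unpack the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte fixed prefix")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def aal_ceiling(auth_data: bytes, expected_rp_id: str) -> str:
    """Highest AAL an assertion can be credited with, judged from the flags alone.

    UV unset          -> only possession proven, single factor     -> "AAL1"
    UV and BE set     -> synced passkey; cloud sync rules out AAL3 -> "AAL2"
    UV set, BE unset  -> device-bound passkey                      -> "AAL3-candidate"
    The AAL3 hardware-authenticator requirement cannot be seen in the flags; it has to be
    confirmed from the attestation statement at registration, so this is a ceiling only.
    """
    f = parse_flags(auth_data)
    if f["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    if not f["user_present"]:
        raise ValueError("user presence (UP) not asserted")
    if not f["user_verified"]:
        return "AAL1"
    if f["backup_eligible"]:
        return "AAL2"
    return "AAL3-candidate"


def make_auth_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Constructed 37-byte authenticator-data prefix for offline testing (not a real assertion)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```

In a real relying party this runs after signature verification on the assertion; the flag check narrows the AAL, it does not replace the cryptographic checks.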

For enterprises implementing **passkeys**, understanding AAL classifications is critical
to selecting the right authentication security level based on business and compliance
needs.
