
What is Authentication Assurance Level (AAL)?


Vincent Delitz

Created: May 10, 2024

Updated: May 12, 2026

Authentication Assurance Level (AAL) is a classification used to describe the strength and reliability of authentication processes.

What is AAL (Authentication Assurance Level)?#

Authentication Assurance Level (AAL) refers to a classification used to describe the strength and reliability of authentication processes. Defined in NIST's Special Publication SP 800-63-3, AAL helps organizations determine the appropriate level of security for their digital interactions.

There are three levels of AAL:

AAL1: Basic Assurance#

  • Offers some confidence in user authentication.
  • Typically involves single-factor authentication, such as a password or an OTP device.

AAL2: High Assurance#

  • Requires two different factors for authentication.
  • This level adds requirements such as replay resistance and shorter reauthentication intervals.
  • Synced passkeys are AAL2-compliant.

AAL3: Very High Assurance#

  • Involves multi-factor authentication using a hardware-based authenticator.
  • Features stringent security requirements including verifier impersonation resistance and verifier compromise resistance.
  • Device-bound passkeys are AAL3-compliant.

Each level is tailored to different security needs, ranging from low-risk environments at AAL1 to high-security demands at AAL3.

  • Authentication Assurance Level (AAL) is a measure of authentication strength.
  • AAL1 involves basic security, AAL2 enhances it with two factors, and AAL3 offers the highest security with multi-factor hardware-based authentication.
  • Key requirements include replay resistance, verifier impersonation resistance, and verifier compromise resistance.

Here’s a deeper dive into the authentication assurance levels and their implications:

AAL1: Accessibility and Risks#

  • Aimed at low-security applications where convenience is prioritized.
  • Vulnerable to common security threats because it relies on simple authentication forms like passwords (e.g. phishing, man-in-the-middle attacks, credential stuffing, …).

AAL2: Enhanced Security Measures#

  • Suitable for transactions requiring higher security.
  • Combines physical (e.g., security tokens) and knowledge-based factors (e.g., passwords) to bolster security.

AAL3: Highest Security Standards#

  • Designed for high-risk environments, ensuring maximum security.
  • Utilizes advanced cryptographic measures and hardware resistance to physical tampering.
  • NIST approves synced passkeys (e.g. via iCloud Keychain) as AAL2-compliant, enhancing the security framework for digital entities and paving the way for broader adoption of passkeys.
  • Passkeys can also serve as AAL3-compliant authentication in higher-risk scenarios if they are device-bound, i.e. the private key cannot be synchronized across devices the way it can for the synced passkeys of AAL2.

Read more about the AAL-conformance of passkeys in this blog.
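A relying party can tell a synced passkey from a device-bound one by the Backup Eligibility (BE) flag that WebAuthn authenticators set in the authenticatorData they return. The example below, added here and not code from Corbado or this article, parses the fixed 37-byte authenticatorData prefix and maps an assertion to the AAL bucket the article describes; the sample bytes, the placeholder rpIdHash and the helper names are constructed for illustration, and the flags alone cannot prove the hardware-based authenticator that full AAL3 conformance also requires.

```python
# Added example: derive the article's AAL bucket from WebAuthn authenticatorData flags.
from dataclasses import dataclass
import struct

# Flag bits of the authenticatorData flags byte (WebAuthn Level 3).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN / biometric: the second factor)
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data follows
FLAG_ED = 0x80  # extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_authenticator_data(data: bytes) -> AuthData:
    """Parse the fixed prefix: 32-byte rpIdHash, 1 flags byte, 4-byte counter (big-endian)."""
    if len(data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    return AuthData(rp_id_hash, flags, sign_count)


def classify_aal(auth: AuthData) -> str:
    """Map an assertion to the AAL bucket used in the article.

    Possession of the key alone is single-factor (AAL1). With user verification
    the passkey is two-factor: a backup-eligible (synced) passkey is AAL2, a
    device-bound one is the article's AAL3 case. Assumption: the relying party
    checks the hardware-based authenticator requirement of AAL3 separately,
    e.g. via attestation, since the flags byte cannot prove it.
    """
    if not auth.flags & FLAG_UP:
        raise ValueError("user presence not asserted")
    if not auth.flags & FLAG_UV:
        return "AAL1"  # possession only: single factor
    if auth.flags & FLAG_BE:
        return "AAL2"  # synced passkey
    return "AAL3"      # device-bound passkey


def build_auth_data(flags: int, sign_count: int = 1) -> bytes:
    """Constructed sample authenticatorData: placeholder rpIdHash + flags + counter."""
    return b"\x11" * 32 + bytes([flags]) + struct.pack(">I", sign_count)
```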


Authentication Assurance Level (AAL) FAQs#

What is AAL1 and when is it used?#

AAL1 provides basic authentication security, commonly used in low-risk environments where user convenience is a priority.

How does AAL2 improve security over AAL1?#

AAL2 requires two different authentication factors, significantly reducing the risk of unauthorized access compared to AAL1.

What are the requirements for AAL3?#

AAL3 is the highest level of authentication assurance, involving hardware-based authenticators and stringent security measures like verifier impersonation resistance.

How do Passkeys impact AAL classifications?#

Synced passkeys (e.g. via iCloud Keychain) are classified as AAL2-compliant, while device-bound passkeys are classified as AAL3-compliant. Read more about it in this blog.
