---
url: 'https://www.corbado.com/glossary/authentication-assurance-level'
title: 'Authentication Assurance Level (AAL)'
description: 'What is AAL (Authentication Assurance Level)?'
lang: 'en'
keywords: 'authentication assurance level (aal)'
---

# Authentication Assurance Level (AAL)

## What is AAL (Authentication Assurance Level)?

**Authentication Assurance Level (AAL)** refers to a classification used to describe the
strength and reliability of authentication processes. Defined in
[NIST](https://www.corbado.com/blog/nist-passkeys)'s Special Publication SP 800-63-3,
[AAL](https://www.corbado.com/faq/authenticator-assurance-levels-aal-digital-identity) helps organizations
determine the appropriate level of security for their digital interactions.

There are three levels of [AAL](https://www.corbado.com/faq/authenticator-assurance-levels-aal-digital-identity):

### AAL1: Basic Assurance

- Offers some confidence in user authentication.
- Typically involves single-factor authentication, such as a password or an OTP device.

### AAL2: High Assurance

- Requires two different factors for authentication.
- This level addresses additional security measures like replay resistance and shorter
  reauthentication times.
- Synced passkeys are [AAL2](https://www.corbado.com/blog/nist-passkeys)-compliant.

### AAL3: Very High Assurance

- Involves multi-factor authentication using a hardware-based
  [authenticator](https://www.corbado.com/glossary/authenticator).
- Features stringent security requirements including verifier impersonation resistance and
  verifier compromise resistance.
- [Device-bound passkeys](https://www.corbado.com/faq/are-passkeys-device-specific) are
  [AAL3](https://www.corbado.com/blog/nist-passkeys)-compliant.

Each level is tailored to different security needs, ranging from low-risk environments at
[AAL1](https://www.corbado.com/faq/authenticator-assurance-levels-aal-digital-identity) to high-security demands
at [AAL3](https://www.corbado.com/blog/nist-passkeys).

> - **Authentication Assurance Level (AAL) is a measure of authentication strength.**
> - [AAL1](https://www.corbado.com/faq/authenticator-assurance-levels-aal-digital-identity) involves basic
>   security, [AAL2](https://www.corbado.com/blog/nist-passkeys) enhances it with two factors, and
>   [AAL3](https://www.corbado.com/blog/nist-passkeys) offers the highest security with multi-factor hardware-based
>   authentication.
> - Key requirements include replay resistance, verifier impersonation resistance, and
>   verifier compromise resistance.

---

Here's a deeper dive into the three authentication assurance levels and their
implications:

### AAL1: Accessibility and Risks

- Aimed at low-security applications where convenience is prioritized.
- Vulnerable to common security threats due to reliance on simple authentication forms
  like passwords (e.g. [Phishing](https://www.corbado.com/glossary/phishing), Man-in-the-Middle attacks,
  [Credential Stuffing](https://www.corbado.com/glossary/credential-stuffing), …).

### AAL2: Enhanced Security Measures

- Suitable for transactions requiring higher security.
- Combines physical (e.g., security tokens) and knowledge-based factors (e.g., passwords)
  to bolster security.

### AAL3: Highest Security Standards

- Designed for high-risk environments, ensuring maximum security.
- Utilizes advanced cryptographic measures and hardware resistance to physical tampering.

### Enhancements in AAL Related to Passkeys

- [NIST](https://www.corbado.com/blog/nist-passkeys) approves synced passkeys (e.g. via
  [iCloud Keychain](https://www.corbado.com/glossary/icloud-keychain)) as [AAL2](https://www.corbado.com/blog/nist-passkeys)-compliant,
  enhancing the security framework for digital entities and paving the way for broader
  adoption of passkeys.
- Passkeys can also be used in higher-risk scenarios as AAL3-compliant authentication if
  they are [device-bound passkeys](https://www.corbado.com/faq/are-passkeys-device-specific), which,
  unlike the synced passkeys accepted at AAL2, cannot be synchronized across devices.

Read more about the
[AAL](https://www.corbado.com/faq/authenticator-assurance-levels-aal-digital-identity)-conformance of passkeys in
this blog.
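To make the classification above concrete, here is an added example (not code from the page or from Corbado) of how a relying party might decide which AAL a session has reached and whether an action is allowed. The `Authenticator` model, the catalogue of authenticator types and all timestamps are constructed for illustration; the passkey placements follow this page (synced passkeys at AAL2, device-bound passkeys at AAL3), and the reauthentication windows are the ones NIST SP 800-63B specifies per AAL.

```python
"""Constructed AAL policy check: the model and catalogue are hypothetical,
the reauthentication limits are taken from NIST SP 800-63B."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"


@dataclass(frozen=True)
class Authenticator:
    """Properties of one authenticator presented in a session (constructed model)."""
    name: str
    factors: frozenset                     # factor types this authenticator proves
    hardware_bound: bool = False           # private key cannot leave a hardware authenticator
    impersonation_resistant: bool = False  # resists verifier impersonation (phishing)


# Constructed catalogue; passkey placements follow the page (synced -> AAL2, device-bound -> AAL3).
# A passkey with user verification proves possession plus a PIN or biometric.
CATALOGUE = {
    "password": Authenticator("password", frozenset({KNOWLEDGE})),
    "otp_device": Authenticator("otp_device", frozenset({POSSESSION})),
    "synced_passkey": Authenticator("synced_passkey", frozenset({POSSESSION, KNOWLEDGE}),
                                    hardware_bound=False, impersonation_resistant=True),
    "device_bound_passkey": Authenticator("device_bound_passkey", frozenset({POSSESSION, KNOWLEDGE}),
                                          hardware_bound=True, impersonation_resistant=True),
}

# Reauthentication limits from SP 800-63B section 4: (max session lifetime, inactivity timeout).
REAUTH_LIMITS = {
    1: (timedelta(days=30), None),
    2: (timedelta(hours=12), timedelta(minutes=30)),
    3: (timedelta(hours=12), timedelta(minutes=15)),
}


def achieved_aal(authenticators):
    """Return the AAL reached by the presented authenticators (0 = not authenticated)."""
    if not authenticators:
        return 0
    factor_types = frozenset().union(*(a.factors for a in authenticators))
    if len(factor_types) < 2:
        return 1  # a single factor type never exceeds AAL1
    # AAL3 additionally needs a hardware-based, verifier-impersonation-resistant authenticator.
    if any(a.hardware_bound and a.impersonation_resistant for a in authenticators):
        return 3
    return 2


def session_is_fresh(aal, authenticated_at, last_activity_at, now):
    """Apply the per-AAL reauthentication windows to a session's timestamps."""
    lifetime, idle = REAUTH_LIMITS[aal]
    if now - authenticated_at > lifetime:
        return False
    if idle is not None and now - last_activity_at > idle:
        return False
    return True


def authorize(required_aal, authenticator_names, authenticated_at, last_activity_at, now):
    """Decide whether a session may perform an action that requires `required_aal`."""
    auths = [CATALOGUE[n] for n in authenticator_names]
    aal = achieved_aal(auths)
    if aal < required_aal:
        return (False, f"achieved AAL{aal} < required AAL{required_aal}; step-up needed")
    if not session_is_fresh(aal, authenticated_at, last_activity_at, now):
        return (False, f"AAL{aal} session expired; reauthentication needed")
    return (True, f"AAL{aal} session accepted")


def demo():
    """Four constructed sessions: password only, fresh synced passkey, synced passkey
    asked for AAL3, and a device-bound passkey session idle past the AAL3 limit."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    return [
        authorize(2, ["password"], now, now, now),
        authorize(2, ["synced_passkey"], now - timedelta(hours=1), now - timedelta(minutes=5), now),
        authorize(3, ["synced_passkey"], now, now, now),
        authorize(3, ["device_bound_passkey"], now - timedelta(hours=1), now - timedelta(minutes=20), now),
    ]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The check separates two questions that are easy to conflate: which level the presented authenticators can reach at all (factor types, hardware binding, impersonation resistance), and whether the session is still within that level's reauthentication window. A synced passkey therefore never satisfies an AAL3 requirement however fresh the session is, while a device-bound passkey session can still be denied once the shorter AAL3 inactivity timeout has passed.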

---

## Authentication Assurance Level (AAL) FAQs

### What is AAL1 and when is it used?

[AAL1](https://www.corbado.com/faq/authenticator-assurance-levels-aal-digital-identity) provides basic
authentication security, commonly used in low-risk environments where user convenience is
a priority.

### How does AAL2 improve security over AAL1?

AAL2 requires two different authentication factors, significantly reducing the risk of
unauthorized access compared to AAL1.

### What are the requirements for AAL3?

AAL3 is the highest level of authentication assurance, involving hardware-based
[authenticators](https://www.corbado.com/glossary/authenticator) and stringent security measures like verifier
impersonation resistance.

### How do Passkeys impact AAL classifications?

Synced passkeys (e.g. via [iCloud Keychain](https://www.corbado.com/glossary/icloud-keychain)) are classified as
AAL2-compliant, while [device-bound passkeys](https://www.corbado.com/faq/are-passkeys-device-specific) are classified as
AAL3-compliant. Read more about it in this blog.
