
What is FAL (Federation Assurance Level)?

Author: Max

Created: August 1, 2025

Updated: August 2, 2025

The Federation Assurance Level (FAL) is a standardized measure defined in NIST SP 800-63C, the federation volume of SP 800-63, that describes how strongly an identity assertion is protected as it travels from an identity provider (IdP) to a relying party (RP). It covers the assertion itself (signing, encryption, and whether it is bound to a key the user holds) and the protocol that carries it. It does not describe how the user was identity-proofed (that is IAL) or how they authenticated at the IdP (that is AAL); the three levels are chosen independently.

FAL is divided into three distinct levels:

  • FAL1 (Basic Federation Assurance): The IdP digitally signs the assertion, so the RP can detect any alteration or forgery. The assertion is still a bearer token: whoever presents a valid copy is accepted.
  • FAL2 (Intermediate Federation Assurance): The signed assertion is additionally encrypted to the RP's key, so intermediaries such as the user's browser cannot read the user information it carries.
  • FAL3 (High Federation Assurance): On top of signing and encryption, the assertion is a holder-of-key assertion: it references a cryptographic key controlled by the user, and the RP accepts it only from a presenter who proves possession of that key, so a stolen assertion is useless on its own.

Choosing the right FAL helps organizations balance security needs, compliance, interoperability, and user convenience when managing federated identity scenarios.

Key Takeaways:

  • Federation Assurance Level (FAL) measures how strongly an assertion is protected while federated identity information is exchanged, and how tightly it is bound to the user it describes.
  • The three assurance levels (FAL1, FAL2, FAL3) vary by the strength of cryptographic protection applied.
  • Higher FALs provide stronger security but may increase complexity and cost.
  • Appropriate FAL selection is vital for protecting user privacy and ensuring compliance in federated authentication scenarios.

Importance and Origin of Federation Assurance Levels#

Federation Assurance Levels (FALs) were introduced in NIST Special Publication 800-63C as part of guidelines to standardize security in federated authentication. Federated identity management allows users to access multiple systems with a single set of credentials held at a trusted identity provider (IdP). The relying parties never see the user's credentials; they trust the assertion the IdP issues, so the integrity, confidentiality, and binding of that assertion become the security boundary of the whole system. FAL provides a structured way to state how well that boundary is protected during transmission between systems.

Understanding FAL Levels#

To fully understand FAL, it's crucial to know the specifics of each level:

  • FAL1 (Basic):

    • The IdP digitally signs the assertion; the RP verifies the signature against the IdP's published key.
    • Detects any alteration or forgery in transit, but the assertion is still a bearer token: whoever presents a valid copy is accepted. The RP must therefore also check the issuer, the audience (that the assertion was issued for this RP), and the expiry, and assertions should be valid for seconds to minutes, not hours.
    • Suitable for low-risk scenarios, such as general web-based services, where confidentiality of the assertion contents isn't critical.
  • FAL2 (Intermediate):

    • Adds encryption to the RP's public key on top of the signature, so only the intended RP can read the claims.
    • Matters most on the front channel, where the assertion passes through the user's browser: TLS protects each hop, but encryption to the RP protects the contents end to end and keeps sensitive attributes away from the browser, proxies, and logs.
    • Suitable for moderate-risk environments, including healthcare systems, financial applications, or services where the assertion carries sensitive personal information.
  • FAL3 (High):

    • Keeps the signing and encryption of FAL2 and adds a holder-of-key binding: the assertion references a key held by the user, and the RP accepts it only from a presenter who proves possession of that key.
    • A stolen or replayed assertion is therefore useless without the user's key. This is the highest level, suitable for high-risk scenarios involving sensitive or regulated data.
    • Appropriate for government, critical infrastructure, and sensitive financial service applications. It is also the least common level in practice, because the user's client must hold and present a key (for example a client certificate), which most browser-based federations do not do.

Factors Influencing FAL Selection#

When choosing the appropriate FAL, consider:

  • Risk Assessment: Higher-risk situations (e.g., accessing financial records, health records, or government databases) demand a higher FAL. Ask what an attacker gains from reading an assertion (pushes toward FAL2) and from replaying a captured one (pushes toward FAL3).
  • Regulatory Compliance: Regulations such as GDPR, HIPAA, or PSD2 do not name FAL levels. Treat FAL as the technical control you select once you know what the regulation requires for personal data in transit; confidentiality requirements typically argue for at least FAL2.
  • Technical Complexity: Higher FALs increase implementation complexity and cost. FAL2 needs key management for the RP's encryption key; FAL3 needs the user's client to hold and present a key, which requires careful planning to keep the user experience acceptable and the cost justified.

Practical Examples of FAL Use Cases#

  • FAL1: Accessing online forums, news subscriptions, or public services that do not handle sensitive personal data.
  • FAL2: Logging into medical patient portals, banking platforms, or cloud-based SaaS applications where the assertion carries personal or confidential data.
  • FAL3: Accessing governmental systems, national security databases, or highly sensitive business environments where an assertion must be unusable by anyone other than the user it was issued to.

FAL (Federation Assurance Level) FAQs#

What’s the difference between FAL1, FAL2, and FAL3?#

FAL1 ensures assertions are digitally signed for integrity. FAL2 adds encryption to the RP for confidentiality. FAL3 keeps both and provides the highest assurance by requiring holder-of-key assertions, which are bound cryptographically to a key the user holds and must prove possession of.

When should an organization use FAL3?#

Organizations should use FAL3 for high-risk scenarios involving sensitive data, regulatory requirements, or where high assurance of identity assertion protection is mandatory, such as government or financial services.

Does higher FAL always mean better security?#

Higher FAL provides stronger protection of the assertion, but involves increased implementation complexity and cost, and it only strengthens the federation layer: a FAL3 assertion that describes a weakly authenticated user (low AAL) or a poorly proofed identity (low IAL) is still only as trustworthy as that user's login. The best FAL choice balances security needs with practicality, risk profile, and user convenience.

Who defines Federation Assurance Levels?#

Federation Assurance Levels (FAL) are defined by the U.S. National Institute of Standards and Technology (NIST) in Special Publication 800-63C. Although written for U.S. federal agencies, SP 800-63 is widely referenced internationally as an authoritative standard for federated identity management.
