NIST 800-63A IAL3 for Government Contractors: Compliance Unlocked

The core framework remains, while assurance levels have been modernized. Email one-time passwords were officially downgraded in favor of more robust phishing-resistant technologies.

Identity proofing, authentication, and federation assurance levels have been separated in this new framework to allow more adaptable risk management. When choosing an assurance level it should always start from business risks and technology limitations.

What is NIST 800-63A IAL3?

Identity Assurance Level 3 (IAL3) is part of the NIST 800-63-3 Digital Identity Guidelines, which outline requirements for modern ID&V, strong authentication, and secure federated identity management.

Contrary to lower levels, IAL3 requires direct observation during an identity proofing session and document validation from authoritative sources as well as biometric comparison with claimed digital identities in order to detect impersonation and fraud. Furthermore, hardware authenticators providing protection from SIM swaps and MFA bypasses as well as securely connecting physical people's biometrics with digital IDs is required at IAL3.

TrustSwiftly comprehensive identity verification solutions are tailored to meet NIST 800-63A IAL3 standards through chat, video, facial recognition with liveness detection and document authentication. Through step-up reproofing based on risk, organizations can achieve both their business and security objectives while simultaneously reducing attack surface, cyber liability insurance costs and operational expenses from reduced password resets. In addition, an ID&V solution like HYPR helps ensure that an RP can reliably assert attributes to users through a federated trust model.

NIST 800-63A IAL3 Requirements

The 2025 release of NIST 800-63A IAL3 guidelines marks a dramatic shift away from checklist-based requirements towards risk-based Digital Identity Risk Management (DIRM). Under this approach, agencies must continuously assess threats, service impacts, user populations and dynamically select an IAL, AAL and FAL as part of a Digital Identity Risk Management framework.

IAL3 requires attendees to appear in person with an authorized representative to present superior-grade evidence and undergo stringent IAL3 identity proofing (which includes remote verification). AALs 1-3 ensure that an RP's identity matches what they claim it to be, protecting against impersonation and fraud.

Microsoft Azure AD provides organizations that use multi-factor cryptographic hardware authenticators with FIPS 140 validation at AAL 3 level required by IAL3 through both FIDO2 security keys and smartcards, or through federated authentication using verified attributes or subscriber controlled wallets to validate identities with maximum confidence, with associated assurance levels so relying parties can understand the rigor applied by CSPs when issuing assertions, thus helping inform risk decisions when providing access.

NIST 800-63A IAL3 Process

NIST 800-63A IAL3 provides three Identity Assurance Levels (IALs), which require increasing levels of verification. At its lowest tier IAL1, self-assertion by users without providing proof is allowed.

IAL2 requires that a CSP compare a live image of an applicant against one obtained from their strongest piece of STRONG or SUPERIOR evidence, either directly or remotely supervised, similar to how DMVs require you to appear when applying for or upgrading to REAL ID status.

TrustSwiftly offers an effective and user-friendly solution to support NIST 800-63A IAL2 and IAL3. TrustSwiftly utilizes chat, video, facial recognition with liveness detection, document authentication and step-up reproofing based on risk to help organizations meet both business and security objectives simultaneously while simultaneously reducing cyber liability insurance costs and operational expenses due to reduced password resets while improving customer trust.

NIST 800-63A IAL3

NIST IAL3 verification is an in-person identity proofing process designed to validate claims about an applicant's real world existence and protect against highly scalable attacks such as falsifying evidence or theft while verifying their claimed identity digitally. High levels of binding strength must be demonstrated by all participants involved before proof can be accepted as true in digital realm.

TrustSwiftly's passwordless authentication and IAL3 compliant solution offers an efficient means to meet these NIST standards through remote yet supervised identification proofing via chat, video, facial recognition with liveness detection, document authentication and document attestation.

It helps organizations reduce attack surface, cyber liability insurance costs and operational expenses through reduced password resets while supporting step-up reproofing by risk and various ID&V proofing strengths (weak to superior). For more information please see our NIST 800-63A IAL3 page; alternatively contact us directly; our experts are standing by to answer any of your questions you might have; we look forward to hearing from you soon!