The IAL process includes identity proofing to validate real world existence of claimed identities as well as rigorous evidence verification. Azure AD supports authenticators and verifiers at AAL3 level that satisfy NIST requirements, such as FIDO2 security keys and smartcards.

NIST IAL3 verification

IAL3 identity proofing is the highest and most stringent level, essential for FedRAMP high compliance. It requires in-person attended IAL3 sessions with on-site identification and capture of biometrics which can then be compared with reference images - this process can be expensive and is therefore often not practical when employed remotely.

The 2025 revision of NIST 800-63A IAL3 signals an important shift towards prioritizing strong, phishing-resistant authentication protocols and adopting Passkeys, FIDO2, and other cryptographic authenticators such as Passkeys or FIDO2. Email OTP authentication has been deprecated, while SMS-based authentication was downgraded, reflecting their ineffectiveness against modern threats.

IAL3 identity proofing

IAL3 is the highest identity assurance level available, reserved for sensitive government services. To confirm real world identity of applicants and limit more sophisticated attacks such as evidence falsification, theft and repudiation. IAL3 also limits more sophisticated attacks such as evidence falsification, theft repudiation or advanced social engineering tactics.

TrustSwiftly comprehensive identity verification solution directly assists agencies in meeting NIST compliance by offering high levels of assurance (IAL2 and IAL3). Using chat, video, facial recognition with liveness detection and document authentication it supports workforce proofing throughout employee lives cycles.

NIST guidelines now recommend step-up reproofing based on risk, eliminating password resets and cutting cyber liability insurance costs significantly. In contrast to previous NIST recommendations that focused on one level of assurance dictating implementation requirements, which led to password resets. NIST now suggests an open approach which allows agencies to select individual AAL levels based on security needs.

NIST IAL3 compliant solution

IAL3 identity proofing represents the highest level of identity verification and requires in-person biometric NIST IAL3 verification to verify an individual is who they claim they are; it's highly effective, yet expensive and resource intensive for CSPs; thus it should only be reserved for highly sensitive transactions such as accessing secure buildings or government services.

NIST SP 800-63-3's risk-based approach to digital identity management outlined a framework where agencies dynamically select an IAL (Identity Assurance Level), AAL (Authenticator Assurance Level), and FAL (Federated Authentication Level). This new framework requires multifactor authentication with hardware-backed authenticators like FIDO2 security keys or Windows Hello for Business to prevent phishing attacks from exploiting weak authentication processes.

Guidelines set out by FedRAMP require CSPs to offer clear privacy policies, support diverse user groups and minimize data collection while providing accessible processes that address common fraud threats - all key components to achieving FedRAMP compliance. HYPR's passwordless authentication and identity verification solutions directly aid CSPs in meeting this goal, fulfilling AAL3 and IAL3 standards for remote workers  set by NIST.

TrustSwiftly’s IAL3 solution

NIST has identified Identity Assurance Level 3 (IAL3) as its highest level of identity assurance, requiring non-biometric proof of identity, liveness detection and stringent chain-of-custody procedures in order to verify an applicant's true-to-life attributes. Implementing such protocols prevent socially engineered fakes from bypassing verification processes while also safeguarding customer experiences.

Traditional IAL3 must be completed in-person and cannot scale for remote workforces. It requires expensive in-person proofing processes that entail having to find an agent during specific hours to review ID documents and capture biometrics for comparison with reference images.

Trust Swiftly's IAL3 solution eliminates these costs and allows agents to remotely check evidence on any device of their choosing, while simultaneously performing additional spoofing attempts that help identify sophisticated threats, making it an effective defense against insider risks and nation-state attacks. Furthermore, this approach allows bind authenticators with verified identities almost instantly after verification to prevent stand-in fraud.