Read full blogpost

What are Authenticator Assurance Levels in digital identity?

Vincent Delitz

Vincent

Created: January 31, 2025

Updated: April 23, 2025

NIST Passkeys

Read the full article

Learn why synced passkeys are AAL2- & device-bound passkeys are AAL3-compliant after NIST's SP 800-63B supplement & what ENISA, NCSC & BSI say about passkeys.

Read the full article

Already read by 5,000+ enterprise security leaders.

What are Authenticator Assurance Levels (AALs)?#

Authenticator Assurance Levels (AALs) are security classifications defined by the National Institute of Standards and Technology (NIST) in their SP 800-63B guidelines. These levels help organizations determine the strength of an authentication process based on the risk associated with access to digital services. AALs range from AAL1 (low security) to AAL3 (high security), ensuring that authentication mechanisms meet appropriate security requirements.

authenticator assurance levels aal digital identity

Breakdown of AALs#

AAL LevelDescriptionUse Cases
AAL1Requires single-factor authentication, such as a password or PIN. Does not mandate phishing resistance.Consumer websites, social media platforms
AAL2Requires multi-factor authentication (MFA), meaning two or more authentication factors are needed. Must be resistant to replay attacks.Online banking, enterprise portals, government login systems
AAL3Requires hardware-based authenticators that provide cryptographic proof of possession. Mandates verifier impersonation resistance and phishing resistance.Military, critical infrastructure, high-security enterprise systems

How do Passkeys Align with AALs?#

With the latest NIST SP 800-63B supplement, synced passkeys are officially recognized as AAL2-compliant, while device-bound passkeys meet AAL3 requirements.

  • Synced passkeys (AAL2): Provide phishing resistance and secure storage while allowing key synchronization across devices. They are an improvement over passwords and SMS-based MFA but do not meet AAL3 due to cloud-based key synchronization.
  • Device-bound passkeys (AAL3): Require cryptographic proof of identity and are tied to a specific device, making them highly resistant to credential compromise.
Enterprise Icon

Get free passkey whitepaper for enterprises.

Get for free

For enterprises implementing passkeys, understanding AAL classifications is critical to selecting the right authentication security level based on business and compliance needs.

NIST Passkeys

Read the full article

Learn why synced passkeys are AAL2- & device-bound passkeys are AAL3-compliant after NIST's SP 800-63B supplement & what ENISA, NCSC & BSI say about passkeys.

Read the full article

Already read by 5,000+ enterprise security leaders.

Add passkeys to your app in <1 hour with our UI components, SDKs & guides.

Start for free

Enjoyed this read?

🤝 Join our Passkeys Community

Share passkeys implementation tips and get support to free the world from passwords.

Join for free

🚀 Subscribe to Substack

Get the latest news, strategies, and insights about passkeys sent straight to your inbox.

Subscribe for free

Share this article

LinkedInTwitterFacebook

Related FAQs

Related Terms

Related Articles

NIST Passkeys
Passkeys Strategy

NIST Passkeys: Synced Passkeys Recognized as AAL2-Compliant

Vincent - April 24, 2024

cps 234
Passkeys Strategy

How to stay compliant with CPS 234 in 2025?

Vincent - January 2, 2025

psd2 passkeys
Passkeys Strategy

PSD2 Passkeys: Phishing-Resistant PSD2-Compliant MFA

Vincent - February 7, 2023

reserve bank india banner
Authentication

Reserve Bank of India’s rules for payment security

Alex - January 20, 2025

OSFI Guideline B13 banner
Authentication

OSFI B-13 Guideline for Federally Regulated Financial Institutions (FRFIs) in Canada

Alex - January 14, 2025

FSC Standard No. 29: MFA for Australian Super Funds Preview
Passkeys Strategy

FSC Standard No. 29: MFA for Australian Super Funds

Vincent - July 10, 2024