What is Authentication Assurance Level (AAL)?

Author: Vincent

Created: May 10, 2024

Updated: September 10, 2024


What is AAL (Authentication Assurance Level)?

Authentication Assurance Level (AAL) refers to a classification used to describe the strength and reliability of authentication processes. Defined in NIST's Special Publication SP 800-63-3, AAL helps organizations determine the appropriate level of security for their digital interactions.


There are three levels of AAL:

AAL1: Basic Assurance

  • Offers some confidence in user authentication.
  • Typically involves single-factor authentication, such as a password or an OTP device.

AAL2: High Assurance

  • Requires two different factors for authentication.
  • This level addresses additional security measures like replay resistance and shorter reauthentication times.
  • Synced passkeys are AAL2-compliant.

AAL3: Very High Assurance

  • Involves multi-factor authentication using a hardware-based authenticator.
  • Features stringent security requirements including verifier impersonation resistance and verifier compromise resistance.
  • Device-bound passkeys are AAL3-compliant.

Each level is tailored to different security needs, ranging from low-risk environments at AAL1 to high-security demands at AAL3.

  • Authentication Assurance Level (AAL) is a measure of authentication strength.
  • AAL1 involves basic security, AAL2 enhances it with two factors, and AAL3 offers the highest security with multi-factor hardware-based authentication.
  • Key requirements include replay resistance, verifier impersonation resistance, and verifier compromise resistance.

Authentication Assurance Levels are a classification used to describe the strength and reliability of authentication processes.

Here is a deeper dive into the individual authentication assurance levels and their implications:

AAL1: Accessibility and Risks

  • Aimed at low-security applications where convenience is prioritized.
  • Vulnerable to common security threats because it relies on simple authentication forms such as passwords (e.g. phishing, man-in-the-middle attacks, credential stuffing).

AAL2: Enhanced Security Measures

  • Suitable for transactions requiring higher security.
  • Combines physical (e.g., security tokens) and knowledge-based factors (e.g., passwords) to bolster security.

AAL3: Highest Security Standards

  • Designed for high-risk environments, ensuring maximum security.
  • Utilizes advanced cryptographic measures and hardware resistance to physical tampering.
  • NIST approves synced passkeys (e.g. via iCloud Keychain) as AAL2-compliant, which strengthens the security framework for digital identities and paves the way for broader adoption of passkeys.
  • Passkeys can also be used in higher-risk scenarios as AAL3-compliant authentication if they are device-bound passkeys, which, unlike the synced passkeys accepted at AAL2, do not allow synchronization across devices.
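As an added example (not code from the original post or from Corbado), here is a Python sketch of how a relying party can apply this classification: it maps the authenticator properties named above (number of factors, replay resistance, verifier impersonation resistance, hardware binding) to the AAL they achieve and then decides whether an operation may proceed, needs a stronger authenticator (step-up), or needs reauthentication. The AuthEvidence model and the sample logins are assumptions; the reauthentication limits are taken from NIST SP 800-63B section 4 rather than from this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class AuthEvidence:
    """What the verifier observed about one login (constructed model, not a real API)."""
    factors: int                            # distinct factor types used (know / have / are)
    replay_resistant: bool                  # challenge-response (WebAuthn), not a reusable secret
    verifier_impersonation_resistant: bool  # origin-bound (WebAuthn), so a phishing site cannot relay it
    hardware_bound: bool                    # private key held in hardware and never synced
    authenticated_at: datetime
    last_activity_at: datetime

# Reauthentication limits as (max session age, max inactivity). Values are
# assumed from NIST SP 800-63B section 4; this page does not state them.
REAUTH_LIMITS = {
    1: (timedelta(days=30), None),
    2: (timedelta(hours=12), timedelta(minutes=30)),
    3: (timedelta(hours=12), timedelta(minutes=15)),
}

def achieved_aal(ev: AuthEvidence) -> int:
    """Map the observed authenticator properties to the AAL they satisfy."""
    if (ev.factors >= 2 and ev.replay_resistant
            and ev.verifier_impersonation_resistant and ev.hardware_bound):
        return 3
    if ev.factors >= 2 and ev.replay_resistant:
        return 2
    return 1

def session_fresh(ev: AuthEvidence, aal: int, now: datetime) -> bool:
    """True if the session is within the reauthentication limits of `aal`."""
    max_age, max_idle = REAUTH_LIMITS[aal]
    if now - ev.authenticated_at > max_age:
        return False
    return max_idle is None or now - ev.last_activity_at <= max_idle

def authorize(ev: AuthEvidence, required_aal: int, now: datetime) -> str:
    """Decide whether an operation that requires `required_aal` may proceed."""
    if achieved_aal(ev) < required_aal:
        return "step-up"          # e.g. ask for a device-bound passkey for an AAL3 action
    if not session_fresh(ev, required_aal, now):
        return "reauthenticate"   # session is too old or idle for this level
    return "allow"

T0 = datetime(2024, 5, 10, 9, 0)  # constructed sample timestamps
PASSWORD_ONLY = AuthEvidence(1, False, False, False, T0, T0)
SYNCED_PASSKEY = AuthEvidence(2, True, True, False, T0, T0)        # user verification (PIN/biometric) + possession
DEVICE_BOUND_PASSKEY = AuthEvidence(2, True, True, True, T0, T0)   # e.g. a hardware security key
```

Note that freshness is checked against the limits of the level the operation requires, not the level the login achieved, so an AAL3 action on a device-bound passkey session still forces reauthentication after 15 minutes of inactivity.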

Read more about the AAL-conformance of passkeys in this blog.


Authentication Assurance Level (AAL) FAQs

What is AAL1 and when is it used?

AAL1 provides basic authentication security, commonly used in low-risk environments where user convenience is a priority.

How does AAL2 improve security over AAL1?

AAL2 requires two different authentication factors, significantly reducing the risk of unauthorized access compared to AAL1.

What are the requirements for AAL3?

AAL3 is the highest level of authentication assurance, involving hardware-based authenticators and stringent security measures like verifier impersonation resistance.

How do passkeys impact AAL classifications?

Synced passkeys (e.g. via iCloud Keychain) are classified as AAL2-compliant, while device-bound passkeys are classified as AAL3-compliant. Read more about it in this blog.
