What is Authentication Assurance Level (AAL)?

Authentication Assurance Level (AAL) refers to a classification used to describe the strength and reliability of authentication processes. Defined in NIST's Special Publication SP 800-63-3, AAL helps organizations determine the appropriate level of security for their digital interactions.

There are three levels of AAL:

• Offers some confidence in user authentication.
• Typically involves single-factor authentication, such as a password or an OTP device.

• Requires two different factors for authentication.
• This level addresses additional security measures like replay resistance and shorter reauthentication times.
• Synced passkeys are AAL2-compliant.

• Involves multi-factor authentication using a hardware-based authenticator.
• Features stringent security requirements including verifier impersonation resistance and verifier compromise resistance.
• Device-bound passkeys are AAL3-compliant.

Each level is tailored to different security needs, ranging from low-risk environments at AAL1 to high-security demands at AAL3.

---

Here’s a deeper dive into the authentication assurance levels level and their implications:

• Aimed at low-security applications where convenience is prioritized.
• Vulnerable to common security threats due to reliance on simple authentication forms like passwords (e.g. Phishing, Man-in-the-Middle Attack, Credential Stuffing, …)

• Suitable for transactions requiring higher security.
• Combines physical (e.g., security tokens) and knowledge-based factors (e.g., passwords) to bolster security.

• Designed for high-risk environments, ensuring maximum security.
• Utilizes advanced cryptographic measures and hardware resistance to physical tampering.

• NIST approves synced passkeys (e.g. via iCloud Keychain) as AAL2-compliant, enhancing the security framework for digital entities and paving the way for broader adoption of passkeys.
• Passkeys can also be used in higher risk scenarios as AAL3-compliant authentication, if they are device-bound passkeys, not allowing passkey synchronization across devices as in AAL2.

Read more about the AAL-conformance of passkeys in this blog.

---

AAL1 provides basic authentication security, commonly used in low-risk environments where user convenience is a priority.

AAL2 requires two different authentication factors, significantly reducing the risk of unauthorized access compared to AAL1.

AAL3 is the highest level of authentication assurance, involving hardware-based authenticators and stringent security measures like verifier impersonation resistance.

Synced passkeys (e.g. via iCloud Keychain) are classified as AA2 while device-bound passkeys are classified as AA3-compliant. Read more about it in this blog.