CIAM.wiki

Glossary / Authentication

Authenticator Assurance Level (AAL)

Authenticator Assurance Level is a NIST 800-63 measure of how strongly a login proves the right person is present, from single-factor (AAL1) to phishing-resistant hardware-backed authentication (AAL3).

Also: AAL, AAL1, AAL2, AAL3

Authenticator Assurance Level describes how much confidence a login gives that the legitimate account holder is the one authenticating. It is the NIST 800-63 scale for authentication strength, and it is separate from how the identity was proofed at enrollment.

The levels rise with resistance to attack. AAL1 allows single-factor authentication, including a password alone. AAL2 requires two distinct authentication factors (something you know, have, or are), the common bar for accounts of meaningful value. AAL3 requires a hardware-based authenticator and a cryptographic proof of possession that resists phishing (verifier impersonation); a device-bound FIDO2 security key is designed to meet it. Synced passkeys are phishing-resistant, but because their private keys are exportable across devices NIST places them at AAL2, not AAL3.

In CIAM, AAL is the vocabulary behind step-up and adaptive decisions. An everyday session might run at AAL1, while a sensitive action steps up to AAL2 or AAL3. Pairing AAL with adaptive authentication lets a platform demand more assurance only when risk or value justifies it, rather than forcing the strongest factor on every login. AAL measures the login; Identity Assurance Level measures the proofing behind the account.
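The step-up decision described above, as an added example rather than code from CIAM.wiki or NIST: a session's achieved AAL is derived from the authenticators actually used (single factor gives AAL1, two distinct factors AAL2, a hardware-bound phishing-resistant authenticator plus a second factor AAL3), then compared with the AAL an action demands, with a high-risk signal raising the requirement one level. The authenticator catalogue, action names and thresholds are assumptions for illustration, and the factor classification is a simplified reading of 800-63B.

```python
"""Hypothetical step-up policy built on AAL (added example, not CIAM.wiki's code).
Authenticator classifications, action names and thresholds are assumptions."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, Tuple


class AAL(IntEnum):
    AAL1 = 1  # a single factor is enough
    AAL2 = 2  # two distinct factors
    AAL3 = 3  # hardware-bound, phishing-resistant proof of possession plus a second factor


@dataclass(frozen=True)
class Authenticator:
    name: str
    factors: frozenset                  # subset of {"knowledge", "possession", "inherence"}
    phishing_resistant: bool = False    # origin-bound challenge/response (FIDO2/WebAuthn)
    hardware_bound: bool = False        # private key cannot leave the device


# Constructed catalogue of authenticator types; the classifications are assumed.
CATALOGUE = {
    "password": Authenticator("password", frozenset({"knowledge"})),
    "totp": Authenticator("totp", frozenset({"possession"})),
    # A synced passkey is phishing-resistant and needs local PIN/biometric
    # activation (a second factor), but its key is exportable across devices.
    "synced_passkey": Authenticator("synced_passkey", frozenset({"possession", "knowledge"}),
                                    phishing_resistant=True, hardware_bound=False),
    # A device-bound FIDO2 security key with PIN: hardware-bound and phishing-resistant.
    "fido2_key": Authenticator("fido2_key", frozenset({"possession", "knowledge"}),
                               phishing_resistant=True, hardware_bound=True),
}

# Assumed minimum AAL per action on a hypothetical platform.
ACTION_AAL = {
    "view_profile": AAL.AAL1,
    "change_email": AAL.AAL2,
    "change_payout_account": AAL.AAL3,
}


def achieved_aal(used: Iterable[str]) -> AAL:
    """Map the authenticators used in a session to the AAL they achieve."""
    auths = [CATALOGUE[name] for name in used]
    factors = frozenset().union(*[a.factors for a in auths])
    if len(factors) < 2:
        return AAL.AAL1  # one factor type only, even if several authenticators were used
    if any(a.hardware_bound and a.phishing_resistant for a in auths):
        return AAL.AAL3  # hardware-bound, phishing-resistant authenticator in a two-factor login
    return AAL.AAL2


def required_aal(action: str, risk_high: bool = False) -> AAL:
    """Adaptive element: a high-risk signal raises the bar by one level, capped at AAL3."""
    base = ACTION_AAL[action]
    return AAL(min(base + 1, AAL.AAL3)) if risk_high else base


def decide(used: Iterable[str], action: str, risk_high: bool = False) -> Tuple[str, AAL]:
    """Return ("allow", required) when the session already meets the bar,
    otherwise ("step_up", required) so the caller can prompt for a stronger login."""
    have = achieved_aal(used)
    need = required_aal(action, risk_high)
    return ("allow" if have >= need else "step_up", need)


if __name__ == "__main__":
    for session, action, risky in [
        (["password"], "view_profile", False),
        (["password"], "change_payout_account", False),
        (["password", "totp"], "change_email", False),
        (["synced_passkey"], "change_email", True),
        (["fido2_key"], "change_payout_account", True),
    ]:
        verdict, need = decide(session, action, risky)
        print(f"{session!r:35} {action:25} risk_high={risky!s:5} -> {verdict} (needs {need.name})")
```

The point of keeping `achieved_aal` separate from `required_aal` is that the first is a property of the session (recorded at login, typically as an `acr`/`amr` claim in the token) while the second is policy; step-up only re-runs the login flow when the two disagree, so an everyday AAL1 session is never forced through the strongest factor unless the action or the risk signal calls for it.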

Sources