June 18, 2026

Identity Assurance Level 3: What It Means and Who Needs It

By Sara Richardson, GRC Analyst, NextgenID

The NIST digital identity framework has three assurance levels. The vast majority of programs operate at IAL1 or IAL2; very few reach the top tier. Identity Assurance Level 3 is that ceiling, and it exists because some transactions carry risks that lower standards simply cannot contain. A knowledge-based quiz and a selfie with a driver’s license are not in the same category as what IAL3 demands.

This article covers what identity assurance level 3 requires under NIST SP 800-63-4 and its companion volume SP 800-63A, the specific evidence and verification processes it demands, how it relates to AAL3, and which organizations must operate under it. One fact worth stating early: per the Kantara Initiative’s published trust status list, only NextgenID holds independent IAL3 certification. That distinction carries more operational weight than most vendor evaluation checklists reveal. By the end, you will know exactly what IAL3 demands and whether your program needs it.


What NIST SP 800-63 Defines as Identity Assurance Level 3

The three-tier IAL model maps directly to risk. IAL1 requires no real-world identity binding; the user’s claimed identity is accepted at face value. IAL2 introduces remote or in-person proofing with a defined evidence set, giving organizations reasonable confidence in the identity claim. Identity assurance level 3 is a different class entirely: it sets the ceiling for how confident an organization can be that the person presenting credentials is actually who they claim to be.

The principle behind IAL3 is straightforward. Certain transactions carry consequences serious enough that identity fraud at enrollment could cause real harm: unauthorized access to classified systems, fraudulent benefit claims, compromised public safety infrastructure. The standard is engineered to eliminate that risk as completely as the proofing process allows.

How IAL3 Compares to IAL1 and IAL2

The clearest way to distinguish these levels is to ask what proofing controls each one applies. IAL1 stays deliberately light to favor adoption. It requires a single piece of FAIR, STRONG, or SUPERIOR evidence, validated and tied to the applicant through any approved proofing type, including remote unattended, with biometric comparison optional.

IAL2 raises the evidence bar to one SUPERIOR, two STRONG, or one STRONG plus one FAIR, and tightens verification through one of three defined pathways: non-biometric, digital evidence, or biometric. Remote unattended proofing is still permitted at IAL2, which is where asynchronous review and self-service workflows leave residual exposure.

IAL3 keeps the same evidence requirement but escalates the process. Proofing must be on-site and attended by a trained agent, a biometric sample is collected and retained, and ownership of the strongest piece of evidence is verified under supervision. This closes the unattended-channel gaps that IAL2 tolerates and makes it very difficult to sustain a fraudulent claim. These levels are not incremental; they represent fundamentally different categories of process.

The Binding Principle at the Heart of High-Assurance Proofing

IAL3 is not about collecting more documents. It is about achieving maximum confidence that the identity attributes presented belong to the real person in front of the system, and recording that in a way that cannot be repudiated. The biometric sample captured during proofing creates a binding between the identity evidence and the individual that persists beyond the session. That binding is what makes identity assurance level 3 durable.


The Evidence Requirements That Define Identity Assurance Level 3

NIST SP 800-63A defines three acceptable combinations of evidence for IAL3 proofing (one SUPERIOR, two STRONG, or one STRONG plus one FAIR). A compliance officer needs to understand which path applies before scoping any deployment. SUPERIOR evidence sits at the top of the quality hierarchy; a U.S. passport is the most common example. STRONG evidence, such as a REAL ID-compliant driver’s license, is validated and government-issued but carries slightly less inherent assurance on its own. FAIR evidence supports the identity claim but cannot anchor it. Understanding which tier each document occupies determines which combination path a program can use.
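The evidence-combination and process rules above can be written down as a policy check. The following is an added example, not NextgenID’s or NIST’s code: it encodes the rules the article states (IAL1 needs one validated FAIR, STRONG or SUPERIOR piece; IAL2 and IAL3 share the one-SUPERIOR / two-STRONG / STRONG-plus-FAIR combination; IAL3 additionally needs attended proofing, a collected and retained biometric sample, and supervised ownership verification of the strongest piece) and reports the highest level a proofing session can support. The class and field names, the modality labels, and the sample sessions are this example’s own modelling choices, not identifiers from the standard.

```python
"""Evidence-combination and proofing-process check for IAL1 through IAL3.

Added example; the data model and labels are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Strength(IntEnum):
    FAIR = 1
    STRONG = 2
    SUPERIOR = 3


@dataclass
class Evidence:
    kind: str                                    # report label only (constructed)
    strength: Strength
    validated: bool                              # checked against the issuer or a fraud-detection process
    ownership_verified_supervised: bool = False  # confirmed by the attending agent


@dataclass
class ProofingSession:
    evidence: list[Evidence]
    modality: str                      # "in_person" | "supervised_remote" | "remote_unattended"
    csp_controlled_hardware: bool = False
    live_operator: bool = False
    biometric_collected: bool = False
    biometric_retained: bool = False


IAL2_COMBINATION = "one SUPERIOR, two STRONG, or one STRONG plus one FAIR"


def meets_ial2_evidence(evidence: list[Evidence]) -> bool:
    """Evidence combination shared by IAL2 and IAL3; only validated pieces count."""
    validated = [e for e in evidence if e.validated]
    superior = sum(e.strength == Strength.SUPERIOR for e in validated)
    strong = sum(e.strength == Strength.STRONG for e in validated)
    fair = sum(e.strength == Strength.FAIR for e in validated)
    return superior >= 1 or strong >= 2 or (strong >= 1 and fair >= 1)


def achievable_ial(session: ProofingSession) -> tuple[int, list[str]]:
    """Highest IAL the session supports (0 = none), plus why it stops short of IAL3."""
    validated = [e for e in session.evidence if e.validated]
    if not validated:
        return 0, ["no validated evidence; even IAL1 needs one validated piece"]
    if not meets_ial2_evidence(session.evidence):
        return 1, [f"evidence set is below the IAL2/IAL3 combination ({IAL2_COMBINATION})"]

    reasons: list[str] = []
    # IAL3 process control 1: attended, either on-site or supervised remote on CSP hardware.
    attended = session.modality == "in_person" or (
        session.modality == "supervised_remote"
        and session.csp_controlled_hardware
        and session.live_operator
    )
    if not attended:
        reasons.append("proofing not attended: needs on-site, or supervised remote on "
                       "CSP-controlled hardware with a live operator")
    # IAL3 process control 2: biometric sample collected and retained.
    if not (session.biometric_collected and session.biometric_retained):
        reasons.append("biometric sample not collected and retained")
    # IAL3 process control 3: ownership of the strongest evidence verified under supervision.
    strongest = max(validated, key=lambda e: e.strength)
    if not strongest.ownership_verified_supervised:
        reasons.append(f"ownership of the strongest evidence ({strongest.kind}) "
                       "not verified under supervision")
    return (3, []) if not reasons else (2, reasons)


# Constructed sample sessions.
UNATTENDED_IAL2 = ProofingSession(
    evidence=[Evidence("US passport", Strength.SUPERIOR, validated=True)],
    modality="remote_unattended", biometric_collected=True)

SUPERVISED_IAL3 = ProofingSession(
    evidence=[Evidence("US passport", Strength.SUPERIOR, validated=True,
                       ownership_verified_supervised=True)],
    modality="supervised_remote", csp_controlled_hardware=True, live_operator=True,
    biometric_collected=True, biometric_retained=True)

PERSONAL_DEVICE_VIDEO = ProofingSession(   # operator present, but applicant's own device
    evidence=[Evidence("REAL ID driver's license", Strength.STRONG, validated=True,
                       ownership_verified_supervised=True),
              Evidence("FAIR-tier supporting document", Strength.FAIR, validated=True)],
    modality="supervised_remote", csp_controlled_hardware=False, live_operator=True,
    biometric_collected=True, biometric_retained=True)

SINGLE_STRONG = ProofingSession(
    evidence=[Evidence("REAL ID driver's license", Strength.STRONG, validated=True)],
    modality="in_person", biometric_collected=True, biometric_retained=True)


if __name__ == "__main__":
    for name, s in [("unattended", UNATTENDED_IAL2), ("supervised", SUPERVISED_IAL3),
                    ("personal device", PERSONAL_DEVICE_VIDEO), ("single STRONG", SINGLE_STRONG)]:
        level, why = achievable_ial(s)
        print(f"{name}: IAL{level}", *why, sep="\n  ")
```

The personal-device case is the one the article calls out: a live operator alone does not make a session supervised remote proofing when the hardware is not CSP-controlled, so the check stops that session at IAL2 even though its evidence and biometric handling would otherwise pass.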

Why Biometric Collection Is Non-Negotiable at IAL3

NIST SP 800-63A requires the CSP to collect a biometric sample during the proofing session, typically a facial image or fingerprints. This requirement serves two purposes: it binds the proven identity to a physical characteristic, and it enables re-proofing if the credential is later lost or compromised. At IAL2, biometric collection is encouraged but not mandated. At IAL3, it is required, and that changes the operational setup considerably. For an industry perspective on why IAL3 elevates biometric and process controls, see Imprivata’s Identity Assurance Level 3 overview.

Validation Standards for Each Piece of Evidence

Every piece of evidence must be validated through a process capable of achieving the same assurance strength as the evidence itself. That means the CSP cannot simply examine a document visually; it must verify it against the issuing source or through a process with documented fraud-detection capability at the appropriate level. An organization that skips this step may believe it has completed IAL3 proofing. It has not. For practical guidance on implementing SP 800-63A validation processes, refer to the SP 800-63A implementation resources.


Physical Presence and Supervised Remote Proofing: What Actually Qualifies

The most common question during IAL3 scoping is whether every applicant must walk into a physical office. NIST’s baseline position is that physical presence is required, but supervised remote identity proofing is an accepted equivalent when implemented correctly. The distinction between acceptable and unacceptable remote proofing is worth understanding precisely.

An unsupervised video call on a personal device does not qualify. The session must use CSP-controlled hardware, a trained operator monitoring in real time, and a mutually authenticated protected channel. The applicant cannot control the session environment; that control must remain with the CSP throughout.

Identity Assurance Level 3: Hardware and Process Controls for Remote Sessions

Qualified supervised remote proofing requires several specific elements working together:

  • CSP-controlled kiosks or enrollment stations
  • High-resolution video monitoring with integrated document scanners and NFC/chip readers
  • Real-time biometric comparison
  • Tamper-detection controls appropriate to the deployment environment
  • A live operator authorized to intervene if anything appears inconsistent

NextgenID’s nationwide network of identity stations and mobile enrollment units is built to exactly these specifications, enabling supervised IAL3 proofing wherever a workforce is located, without requiring agencies to construct their own proofing infrastructure from the ground up.

Why Unsupervised Remote Proofing Stops at IAL2

Many commercial identity verification platforms handle IAL2 effectively through remote, asynchronous document review and selfie comparison. That process is not acceptable for identity assurance level 3. The gap is not one of technical capability; it is the presence of a trained human operator, controlled hardware, and real-time oversight. Those are the elements that separate the two levels in operational terms. Platforms that market “IAL3-compatible” workflows without meeting all of those criteria, as specified in NIST SP 800-63A and evaluated through Kantara’s certification process, are offering IAL2 with additional steps, not a genuine IAL3-compliant process, and relying on them can put your entity at risk.


IAL3 and AAL3 Are Separate Dimensions, and Both Matter

One of the most common misunderstandings in federal identity programs is treating IAL3 and AAL3 as interchangeable. NIST designed them as separate dimensions for a clear reason: one answers “who is this person?” and the other answers “is this the same person controlling the credential right now?”

IAL3 governs the proofing event at enrollment. AAL3 governs every authentication event after that. A program that achieves strong IAL3 proofing but deploys weak authenticators leaves the back end exposed. A program with AAL3 authenticators but weak enrollment proofing can be manipulated before the credential is ever issued. Both dimensions must be addressed to close the full risk surface. For a focused discussion on why MFA alone is insufficient in high-assurance deployments, see the NextgenID analysis on MFA and IAL3 integration.

What AAL3 Requires in Terms of Authenticators

AAL3 demands hardware-backed, phishing-resistant authenticators. PIV cards, CAC cards, FIDO2 security keys, and multi-factor cryptographic devices satisfy this requirement when properly configured. Software-based authenticators and SMS-based verification do not qualify. The hardware requirement exists because software credentials can be extracted and replayed; a cryptographic key held in hardware that never exports it cannot be copied the same way.

The Full High-Assurance Lifecycle When Both Are Applied

When IAL3 and AAL3 are combined, the architecture covers the entire identity lifecycle: strong evidence collection and biometric binding at enrollment, hardware credential issuance tied to the proven identity, and phishing-resistant authentication at every subsequent login. Lifecycle controls must be maintained over time, not just at enrollment. Re-proofing when credentials are lost or expired, and credential replacement when evidence of compromise exists, are part of the operating model, not optional additions.
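To make the two-dimension point concrete, here is an added example (not NextgenID’s or NIST’s code) that models a credential record with the IAL achieved at enrollment on one axis and the bound authenticators on the other, reports which side of the lifecycle is exposed, and applies the lifecycle rules the section describes: loss or expiry triggers re-proofing, evidence of compromise triggers replacement, and the retained biometric from IAL3 proofing must match before new hardware is bound. The authenticator attributes, state labels and sample records are this example’s own modelling choices; treating the weakest enabled login path as the effective back-end level is also this example’s rule, not a quotation from the standard.

```python
"""IAL/AAL gap check and lifecycle rules for a high-assurance credential.

Added example; field names, state labels and sample data are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Authenticator:
    label: str                 # report label only (constructed)
    hardware_bound: bool       # private key held in hardware that does not export it
    phishing_resistant: bool   # response bound to the verifier (PKI or FIDO2 style)
    multi_factor: bool         # possession plus PIN or biometric activation


def meets_aal3(auth: Authenticator) -> bool:
    """AAL3 as the article states it: hardware-backed, phishing-resistant, multi-factor."""
    return auth.hardware_bound and auth.phishing_resistant and auth.multi_factor


@dataclass
class Credential:
    subject: str
    ial_at_enrollment: int            # outcome of the proofing event (1, 2 or 3)
    biometric_retained: bool          # sample kept from IAL3 proofing, reused at re-proofing
    authenticators: list[Authenticator] = field(default_factory=list)
    state: str = "active"             # active | reproofing_required | replacement_required


def assurance_gaps(cred: Credential) -> list[str]:
    """Both dimensions must hold; the weakest enabled login path sets the back-end level."""
    gaps: list[str] = []
    if cred.ial_at_enrollment < 3:
        gaps.append(f"front end: enrollment proofing was IAL{cred.ial_at_enrollment}, not IAL3")
    if not cred.authenticators:
        gaps.append("back end: no authenticator bound to the proven identity")
    weak = [a.label for a in cred.authenticators if not meets_aal3(a)]
    if weak:
        gaps.append("back end: non-AAL3 authenticator(s) still enabled: " + ", ".join(weak))
    return gaps


def is_high_assurance(cred: Credential) -> bool:
    return cred.state == "active" and not assurance_gaps(cred)


def report_event(cred: Credential, event: str) -> Credential:
    """Loss/expiry -> re-proofing; compromise -> replacement. Old authenticators stop working."""
    if event in ("lost", "expired"):
        cred.state = "reproofing_required"
    elif event == "compromised":
        cred.state = "replacement_required"
    else:
        raise ValueError(f"unknown lifecycle event: {event}")
    cred.authenticators = []
    return cred


def reproof_and_reissue(cred: Credential, ial_achieved: int, biometric_matched: bool,
                        new_auths: list[Authenticator]) -> Credential:
    """Re-establish the identity binding before any new hardware credential is issued."""
    if cred.state == "active":
        raise ValueError("credential is not awaiting re-proofing")
    if cred.biometric_retained and not biometric_matched:
        raise PermissionError("applicant did not match the biometric retained at enrollment")
    cred.ial_at_enrollment = ial_achieved
    cred.authenticators = list(new_auths)
    cred.state = "active"
    return cred


# Constructed sample authenticators.
PIV = Authenticator("PIV card", hardware_bound=True, phishing_resistant=True, multi_factor=True)
FIDO2_KEY = Authenticator("FIDO2 security key with PIN", True, True, True)
SMS_OTP = Authenticator("SMS one-time code", False, False, False)


def demo() -> dict[str, object]:
    """Walk three constructed programs through the checks and one lost-credential cycle."""
    strong_front_weak_back = Credential("alice", 3, True, [PIV, SMS_OTP])
    weak_front_strong_back = Credential("bob", 2, False, [FIDO2_KEY])
    complete = Credential("carol", 3, True, [PIV, FIDO2_KEY])
    out: dict[str, object] = {
        "alice_gaps": assurance_gaps(strong_front_weak_back),
        "bob_gaps": assurance_gaps(weak_front_strong_back),
        "carol_ok": is_high_assurance(complete),
    }
    report_event(complete, "lost")
    out["carol_after_loss"] = is_high_assurance(complete)
    reproof_and_reissue(complete, 3, biometric_matched=True, new_auths=[PIV])
    out["carol_after_reproof"] = is_high_assurance(complete)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Alice’s record shows the back-end exposure the section warns about: strong IAL3 proofing undermined by an SMS fallback still enabled on the same identity. Bob’s shows the reverse, an AAL3 key issued on IAL2 proofing. Only Carol’s record passes, and it stops passing the moment the credential is reported lost until re-proofing against the retained biometric has re-established the binding.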


Which Agencies and Use Cases Require IAL3

Not every program needs identity assurance level 3. The contexts where it is required, or where compliance frameworks imply proofing at a comparable level of rigor, are specific and consequential.

Federal civilian agencies operating under HSPD-12 and FIPS 201-3 must issue PIV credentials, and the proofing processes that support PIV issuance align closely with IAL3 requirements. DoD components and intelligence community organizations require high-assurance proofing for personnel accessing classified systems or sensitive facilities. FedRAMP High cloud environments carry identity proofing requirements that map functionally to IAL3. CJIS security policy demands a comparable baseline for access to criminal justice systems. In each case, the policy may not cite “IAL3” by name, but the proofing rigor it prescribes corresponds to what identity assurance level 3 defines.

Federal Frameworks That Reference or Map to IAL3

The frameworks that align most directly with IAL3-level proofing include HSPD-12, FIPS 201-3, NIST SP 800-53 at the high baseline, FedRAMP High, and CJIS security policy. Each of these points, directly or functionally, to the class of identity assurance that IAL3 represents. Organizations building identity programs under any of these mandates should confirm specific requirements with their contracting or agency compliance authority, but they are generally operating in IAL3 territory even when the specific IAL designation does not appear in the policy document itself. For mappings between NIST 800-63 guidance and control baselines, see relevant framework mapping resources such as NIST SP 800-53 to SP 800-63 mapping.

Enterprise and Regulated-Industry Use Cases Where IAL3 Is the Right Choice

Beyond the federal government, high-volume contractor and vendor onboarding programs benefit from IAL3-level proofing when access risk is high. Background screening integrations for sensitive roles increasingly call for the evidence strength and audit trail that identity assurance level 3 delivers. Healthcare credentialing programs, KYC/AML programs at financial institutions subject to FinCEN guidance, and state and local government identity programs operating under their own compliance mandates are all scenarios where the auditable, biometrically bound record produced by IAL3 proofing offers a meaningful assurance advantage.


What to Look for in an IAL3-Certified Provider

Not every identity verification vendor can deliver identity assurance level 3. The certification process is rigorous, the operational requirements are demanding, and the accountability structure must be formally evaluated by an independent third party. Choosing a vendor that claims IAL3 compatibility without holding independent certification means operating under an assumption of assurance that may not survive an audit.

The most reliable indicator of a qualified provider is Kantara Initiative IAL3 certification: an independently audited assessment against the full NIST SP 800-63A standard. Per Kantara’s published trust status list, only one commercial provider in the world currently holds IAL3 certification. NextgenID achieved the first IAL3 certification by Kantara and operates with a nationwide footprint of identity stations and mobile enrollment units, purpose-built for supervised proofing at scale, not retrofitted from a lower-assurance baseline.

Why Kantara Certification Is the Reliable Benchmark

Kantara certification is a third-party conformity assessment, not self-attestation. An independent assessor evaluates the provider’s proofing workflows, evidence handling, biometric collection, validation processes, operator training, and lifecycle controls against the full SP 800-63A requirements. That process is what separates vendors who have engineered for IAL3 from vendors who have adapted their marketing materials after reading the standard. For more on the Kantara approval classes and what assessors evaluate, see the Kantara classes of approval documentation.

Deployment Capability Matters as Much as Certification

Certification on paper means little if the provider cannot reach your workforce. Operational IAL3 delivery requires controlled hardware at every proofing location, trained live operators, PIV-I credential issuance capability, FIDO2 binding, mobile enrollment units for distributed or remote locations, and encrypted audit packages delivered directly to agency or enterprise credential management systems. These capabilities are foundational to how NextgenID was designed, built in from the start rather than layered on as compliance checkboxes after the fact.


Building Your IAL3 Program on Solid Ground

If your program involves federal access, defense contractor onboarding, classified systems, or compliance mandates under HSPD-12 or FedRAMP High, the proofing rigor of identity assurance level 3 is almost certainly the required baseline, not an aspirational target. Confirm the specific designation with your agency or compliance authority, but expect that the evidence class, biometric collection, and supervised proofing controls IAL3 demands will apply. What actually determines whether a program meets the standard comes down to three things: the right class of evidence, mandatory biometric collection, and either in-person or properly supervised remote proofing with CSP-controlled hardware and live operator oversight.

IAL3 and AAL3 are separate, and you need both for a complete high-assurance program. Strong enrollment proofing combined with hardware-backed, phishing-resistant authenticators closes both the front-end and back-end risk vectors that sophisticated identity attacks exploit. Treating one dimension as sufficient is a design gap waiting to be discovered.

If you are scoping an IAL3 deployment, NextgenID’s Kantara-certified platform and nationwide deployment network give federal agencies and enterprise programs a proven path forward, one that does not require building proofing infrastructure from scratch. The standard is demanding, and having an operationally mature partner already certified to it makes the difference between a compliant deployment and one that looks compliant until it is tested.
