• What is authentication assurance?

    The U.S. National Institute of Standards and Technology (NIST) SP 800-63B recommends that services requiring user authentication authenticate users with methods that provide the highest level of assurance. The robustness of this confidence is described by an AAL categorization.

    What is authentication assurance level 3?

    NIST is on version 3 of the Authentication Assurance Levels, called Authentication Assurance Level 3 (AAL3). Authentication assurance relies on examination of the cryptographic modules of an authenticator. Level 3 requirements (AAL3) mean that the code is within a tamper-proof container so that keys used in the cryptography are destroyed if the device is physically compromised.

    How do I know if I need AAL3?

    These guidelines are technical requirements for federal agencies implementing digital identity services used to obtain access to systems. The guidelines cover identity proofing and authentication of users (such as employees, contractors, or private individuals) interacting with government IT systems over open networks.

    What are the authentication assurance levels?

    Level 1

    examines the algorithms used in the cryptographic component of the software.

    Level 3

    specifically includes FIDO U2F as part of the highest level of assurance.

    Levels 2-4

    build on the software component by adding different layers of physical security.
