NIST SP 800-63 (IAL2/IAL3)
NIST Special Publication 800-63 Digital Identity Guidelines – Identity Assurance Levels
Federal agencies must use NIST 800-63 IAL2 or IAL3 identity proofing for digital service access. Contractors serving federal agencies must meet the same standard.
What this covers
NIST SP 800-63 defines three Identity Assurance Levels: IAL1 (self-asserted, no verification), IAL2 (remote or in-person identity proofing with document verification and binding to a biometric), and IAL3 (in-person or supervised remote proofing with a trained CSP representative).
Federal agencies must use IAL2 or IAL3 for most sensitive services. If you're building for a government contract or serving VA, IRS, Social Security, or similar programs, your identity verification vendor needs to support 800-63 IAL2 at minimum. IAL3 is required for high-value transactions or access to classified systems.
The 800-63-4 revision is in draft. It tightens biometric performance requirements and adds provisions for continuous authentication. Vendors certified for 800-63-3 should confirm 800-63-4 readiness with their compliance team before the final publication date.
Frequently asked questions
What is the difference between IAL1, IAL2, and IAL3?
IAL1 requires no identity proofing (self-asserted). IAL2 requires remote or in-person identity proofing with document verification and biometric binding. IAL3 requires in-person or supervised remote proofing with a trained CSP representative.
Which federal programs require NIST 800-63 IAL2?
Programs that grant access to sensitive government data or systems. Common examples: healthcare.gov enrollment, IRS e-services, VA.gov, and state-level Medicaid systems. Also required for PIV/CAC credential issuance.
Does NIST SP 800-63-4 change anything for vendors?
The draft 800-63-4 revision strengthens requirements for continuous authentication and biometric performance standards. Vendors currently certified for 800-63-3 IAL2 should confirm 800-63-4 readiness with their compliance team.