Identity VerificationCompliance

What Is NIST IAL-2 Identity Assurance?

ID Analyzer TeamJun 7, 20265 min read

If you have ever worked through a government or enterprise identity requirement in the United States, you have probably run into the acronym IAL. It comes from NIST Special Publication 800-63, the standard that defines how digital identity should be established and proven. IAL-2 sits in the middle of that scale, and it is the level most regulated services target.

This post explains what IAL-2 actually requires, how it differs from the levels around it, and what a compliant remote verification flow looks like in practice.

What IAL stands for

Identity Assurance Level (IAL) measures how confident you can be that a claimed identity is real and belongs to the person presenting it. NIST 800-63A defines three levels:

IAL-1 — Identity is self-asserted. No evidence is required, so confidence is low.
IAL-2 — Identity is proven using evidence and validated against authoritative sources, either remotely or in person.
IAL-3 — The strongest level, requiring in-person or supervised remote proofing with trained operators and physical inspection.

IAL is intentionally separate from AAL (Authentication Assurance Level) and FAL (Federation Assurance Level). IAL is about who you are at enrollment; AAL is about proving it again at login. This post focuses on IAL only.

What IAL-2 requires

IAL-2 is built around three steps: collecting evidence, validating it, and binding it to the person in front of you.

1. Identity evidence

The applicant must present acceptable evidence — typically a government-issued document such as a passport, driver's license, or national ID card. NIST grades evidence by strength (weak, fair, strong, superior). IAL-2 generally needs a combination that reaches a defined strength threshold, for example one piece of strong evidence plus a second piece, or one piece of superior evidence.

2. Validation

The evidence must be confirmed as genuine and accurate. That means two checks:

Authenticity — Is the document real, unaltered, and not a forgery?
Accuracy — Does the data on the document match an authoritative or issuing source where available?

3. Verification (binding)

Finally, you must confirm the applicant is the rightful owner of the validated identity. For remote IAL-2 this is usually done with a biometric comparison: matching a live selfie against the photo on the document, paired with a liveness check to defeat photos, masks, and replay attacks.

Note

IAL-2 explicitly permits remote identity proofing. You do not need a physical office or in-person agent, provided your remote process meets the evidence, validation, and binding requirements.

Remote IAL-2 in practice

A compliant remote flow generally moves through four stages. Each maps to a concrete capability.

Capture and read the document

The applicant photographs their ID. Document OCR extracts the printed fields, while MRZ and barcode reading pull the machine-encoded data from the back of the document or the passport zone. Cross-checking the printed text against the MRZ or barcode is a fast first signal that nothing has been tampered with.

Supporting a wide document range matters here, because applicants arrive with whatever they have. Coverage across 3,000+ document formats and 190+ countries reduces the number of legitimate users you reject simply because their document was unfamiliar.

Authenticate the document

Next, the document is checked against forgery and tampering. Document authentication inspects security features, fonts, layout consistency, and signs of digital manipulation. This is the "is it genuine" half of NIST's validation step.

Match the face and check liveness

The applicant takes a selfie. Biometric face match compares it to the document portrait, and a liveness check confirms a real person is present rather than a printed photo, screen, or deepfake. Together these satisfy the binding requirement — the person presenting the evidence is the person it describes.

Screen and record

For regulated use cases you may also run AML, PEP, and criminal records screening as part of onboarding. While screening is a separate compliance obligation from IAL, it commonly runs in the same flow.

NIST also expects you to keep a record of the proofing event. Retaining the evidence, results, and decision in a secure store supports audits and dispute resolution later.

See how DocuPass runs a complete remote identity-proofing flow

Things teams get wrong

A few recurring mistakes are worth flagging.

Skipping liveness. A face match without liveness can be defeated by a printed photo. NIST IAL-2 expects presentation-attack defenses for remote proofing.
Treating OCR as validation. Reading the data is not the same as proving the document is authentic. You need a dedicated authentication step.
Confusing IAL with AAL. Meeting IAL-2 at enrollment says nothing about how strong your login authentication is. Address them separately.
Ignoring data residency and security. Identity proofing handles sensitive personal data. Look for ISO 27001 controls, and consider on-premise deployment with ID Fort if regulation or policy requires data to stay inside your own infrastructure.

Summary

IAL-2 is NIST's mid-tier identity assurance level: prove identity with strong evidence, validate that the evidence is genuine and accurate, and bind it to the live applicant through biometrics. It can be done fully remotely.

In practical terms, a remote IAL-2 flow stacks document OCR and MRZ reading, document authentication, and biometric face match with liveness — backed by secure storage of the proofing record. Get those building blocks right, and you have a defensible, auditable path to IAL-2 that does not force users into a branch office.