
IAL3 verification involves an attended session with a live agent (at either a kiosk or remote workstation) who collects additional evidence and uses enhanced processes to authenticate identities. Its aim is to protect against highly scalable attacks while limiting fraud losses by linking claimed identities with real identities and attributes.
IAL3 Compliant
IAL3 guidelines address both passwordless authentication and identity verification directly. They call for phishing-resistant multifactor authentication and NIST IAL3 verification across an employee lifecycle; NIST requires biometric comparison, document authentication, and step-up reproofing by risk level. HYPR’s IAL2-IAL3 compliant passwordless authentication process meets these requirements by requiring users to authenticate on certified devices using biometric/facial recognition systems that boast high pixel count detection with multiple modalities to reduce false positives.
An in-person proofing agent could verify a user’s identity by comparing them against a photo ID, passport or other government document and performing a liveness detection check, similar to how security guards review identification before admitting someone into certain offices. Preferably, this agent would use a Trust Swiftly certified device and record interactions with verified persons, which enables IAL3 compliance at minimal cost and overhead.
IAL3 Step-Up Reproofing
At NIST 800-63A IAL3, individuals must participate in an identity proofing session with a CSP representative to validate their digital identity. This step-up in assurance level helps limit evidence falsification, theft and repudiation as well as advanced social engineering attacks.
The new DIRM standards take an innovative approach that emphasizes dynamic selection of appropriate IAL, AAL and FAL levels based on security risks, service impacts and user populations to deliver improved customer experiences while decreasing cyber liability insurance costs.
TrustSwiftly is a secure, passwordless authentication and identity verification platform certified by FIDO that helps organizations meet NIST IAL3 guidelines directly. Combining document authentication, liveness detection and cryptographic authentication, it offers high assurance of real-world identity and reduces the attack surface by eliminating OTPs and SMS-based methods susceptible to compromise. Furthermore, it enables CSPs to deliver superior digital processes while cutting operational costs and meeting NIST compliance goals simultaneously.
IAL3 Liveness Detection
NIST Identity Verification Guidelines at Level III (IAL3) mandate more stringent identity and verification processes, including either in-person or remote supervised IAL3 identity proofing, binding an authenticator and matching facial biometrics against claimed digital identities in order to reduce stand-in fraud.
Unlike IAL2, which uses non-biometric methods for enrollee verification, IAL3 requires a live facial capture that is compared against valid pieces of evidence containing the enrollee’s image, reducing the chance of fraud and of presentation or impersonation attacks.
TrustSwiftly provides a secure and high-assurance IAL3 federated authentication solution, featuring face recognition with liveness detection on locked-down devices. Our software works together with hardware to host live video sessions that are monitored by trained agents.
Starting the process from either a kiosk or a no-code page on a Windows, Apple or Android device connects users with agents for live identity proofing sessions under supervision. This helps prevent interview fraud and phishing attacks while meeting FedRAMP and NIST requirements for robust authentication journeys.
IAL3 Document Authentication
While IAL3 requires more labor-intensive steps, it provides greater assurance against sophisticated fraud. To achieve this result, a kiosk with high-quality cameras, Windows or Apple/Android devices with Trust Swiftly installed, and an Ethernet adapter to reduce injection attacks are used, with a live person providing assistance during proofing either remotely or on site.
For IAL2 and IAL3, the CSP must conduct physical or biometric comparisons of an applicant with their strongest identity evidence, or any combination thereof, in order to confirm that the claimed identity matches the actual person presenting the identification documents. Liveness detection must also be enabled to ensure that the facial images used for comparison are genuine rather than part of an impersonation or presentation attack.
At these assurance levels, RPs should limit attribute requests to only what’s necessary to complete their transaction, helping prevent unnecessary authentication processes from escalating and also supporting pseudonymity in federated environments.