What is NIST IAL2 identity verification?
Identity Assurance Level 2 (IAL2) is one of three levels of identity proofing defined by the US Government’s National Institute of Standards and Technology (NIST). At its simplest, IAL2 is a standard for establishing with a high degree of confidence that someone is who they claim to be.
The requirements are laid out in NIST Special Publication 800-63, which defines three levels of identity assurance:
- IAL1: Identity claims are self-asserted and not linked to a specific real-life individual.
- IAL2: Evidence supports the real-world existence of the claimed identity and establishes the applicant as the true owner of this identity.
- IAL3: Identity proofing is supervised by an authorized representative with specialized hardware if appearing remotely.
Of the three levels, IAL2 is the most relevant to businesses and organizations that operate online because federal agencies are increasingly adopting the IAL2 standard in areas under their regulatory purview. For example, the National Highway Traffic Safety Administration requires IAL2 when executing odometer disclosures, the Small Business Administration requires it when executing loan documents, and the IRS requires it when accessing tax records.
Moreover, in the absence of alternatives, IAL2 has become the de facto gold standard for identity verification and has been voluntarily adopted by private industry as well as state and local governments.
Why should businesses embrace IAL2?
In an era dominated by digital interactions, establishing a user’s real-world identity is an essential prerequisite for granting access to many online services. It’s hard to overstate the need: the digital economy in the US is averaging 5x faster growth than the overall economy and reached $3.7 trillion in 2021. In short, doing business online has become the default way of doing business in many industries.
At the same time, the scale and sophistication of fraud grows every year. For example, so far this year (2023), there have been over 700 reported data breaches compromising nearly 700 million records. It has never been easier to purchase a stolen identity, create a synthetic identity or get a convincing fake ID.
The IAL2 standard addresses all of these challenges.
How does IAL2 work?
IAL2 is a framework for confirming an individual’s ownership of a genuine identity. To do this, the service provider collects three types of data from the individual:
- Personal information (e.g. name, address, date of birth)
- Identity evidence (e.g. photo ID)
- A biometric characteristic (e.g. live selfie)
The service provider then confirms that the personal information is consistent with a genuine identity, authenticates the evidence, and verifies the individual is the true owner of the claimed identity.
How this works in practice is easier to understand with a specific example. Let’s say that a business needs to collect an electronic signature from an individual who must be identity proofed to the IAL2 standard. The process would look something like this:
To experience firsthand an example of an IAL2-compliant signing process, click through our demo.
In addition, a robust audit trail must be maintained, documenting each step of the identity-proofing process. This audit trail, when securely coupled with the digital signature process, establishes an immutable digital record, reinforcing the integrity of the identity proofing and e-signature process.
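One way to make such an audit trail tamper-evident and bind it to the signed document is a MAC-chained log, sketched below as an added example (not Proof's implementation and not a format prescribed by NIST). The step names, the `ref` value and the helper functions are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "prev" value for the first entry in a trail

def _mac(body, key):
    # Canonical JSON so an unchanged entry always produces the same MAC.
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def append_step(trail, key, step, outcome, detail):
    """Append one proofing step, chained to the previous entry's MAC."""
    prev = trail[-1]["mac"] if trail else GENESIS
    body = {"seq": len(trail), "step": step, "outcome": outcome,
            "detail": detail, "prev": prev}
    trail.append({**body, "mac": _mac(body, key)})

def seal(trail, key, document):
    """Bind the trail to the exact bytes that were signed."""
    digest = hashlib.sha256(document).hexdigest()
    append_step(trail, key, "document_sealed", "pass", {"doc_sha256": digest})

def verify_trail(trail, key, document):
    """Return (ok, reason); any edit, removal or reorder is detected."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, f"chain broken at entry {i}"
        if not hmac.compare_digest(_mac(body, key), entry.get("mac", "")):
            return False, f"entry {i} modified"
        prev = entry["mac"]
    if not trail or trail[-1]["step"] != "document_sealed":
        return False, "trail not sealed"
    if trail[-1]["detail"]["doc_sha256"] != hashlib.sha256(document).hexdigest():
        return False, "document does not match sealed trail"
    return True, "ok"

def build_sample(key, document):
    # Constructed steps mirroring the three checks described above. Details
    # hold references only: raw PII and biometric data stay out of the log.
    trail = []
    append_step(trail, key, "personal_info_validated", "pass", {"ref": "rec-001"})
    append_step(trail, key, "evidence_authenticated", "pass", {"type": "photo_id"})
    append_step(trail, key, "biometric_verified", "pass", {"type": "live_selfie"})
    seal(trail, key, document)
    return trail
```

An HMAC chain can only be checked by a party holding the key; where an outside auditor must verify the trail, the same structure works with a digital signature over each entry instead.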
This is necessarily a simplified overview of the IAL2 framework, and each set of capabilities described above has a detailed set of requirements. That said, the net result of the standard is to provide a reliable means of remotely verifying identity for millions of Americans annually. Most organizations do not build IAL2 verification themselves but rather rely on a service provider like Proof to seamlessly integrate the standard into their products and processes.
Industries embracing IAL2
Many industries have embraced the IAL2 standard including:
- Financial Services: Banks, investment firms, and fintech companies frequently implement NIST IAL2 to secure online banking, investment accounts, and financial transactions.
- Healthcare: Given the sensitive nature of patient information, healthcare providers often require IAL2 for accessing electronic health records (EHRs) and other confidential data.
- Government Services: Government agencies employ NIST IAL2 to safeguard citizens' personal information and ensure secure access to services like tax filing, social security, and immigration services.
- E-commerce and Retail: Online retailers use NIST IAL2 to enhance security during payment processing and protect user accounts from unauthorized access.
- Telecommunications: Telecom companies employ IAL2 to secure customer information, especially for services that involve sensitive data like call records and billing information.
- Education: Educational institutions implement IAL2 to secure access to student records, online learning platforms, and other sensitive academic data.
About Proof
Proof is the platform of choice for businesses to digitize their document collection processes. We offer out-of-the-box IAL2 compliance, eSign and online notarization in a single platform, making it easy for businesses to switch from paper to digital in as little as 1 day. With over 34M customer days saved and counting, we are proud to serve innovators who are making it safer and faster to do business online.