Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Login.gov | Developers.login.gov

Determining your assurance level

About assurance levels

Assurance levels (also called “Service levels,” or “Levels of Assurance”) is a general term referring to the trustworthiness of a given transaction. Assurance levels are considered essential components of identity systems, due to the underlying complexity of identity verification processes. Generally, the higher the Service Levels, the greater the trustworthiness of the authentication and verification processes that occurred for a specific transaction and identity.

Assurance levels can be general or specific. NIST’s 800-63 publication previously was a monolithic Level of Assurance (LOA) in revisions 1 and 2. Revision 3, the current version, distinguishes between the level of confidence in an identity proofing process (IAL), authentication assurance level (AAL), and federation assurance level (FAL).

Examples:

Assurance Level Type Authentication Assurance Level (AAL) Identity Assurance Level (IAL)
Focus Verifying the user is associated with an existing account Verifying the legitimacy of the identity information when creating an account
Techniques Passwords, MFA Credential issuance, document verification, data validation, biometrics
NIST Standards NIST SP 800-63B NIST SP 800-63A
Levels of Assurance AAL1, AAL2, AAL3 IAL1, IAL2, IAL3

Guidance on assurance levels from OMB and NIST

Determining the right level of identity assurance is an important consideration when integrating your use case with Login.gov. This ensures you strike the appropriate balance between usability and identity fraud mitigation. It also ensures you are compliant. OMB Memo 19-17 requires agencies to incorporate Digital Identity Risk Management (DIRA) as defined in NIST Special Publication 800-63 into their processes. The ICAM Subcommittee developed a playbook that outlines a Digital Identity Risk Assessment (DIRA) process to help federal agency Chief Information Officer (CIO) and Chief Information Security Officer (CISO) teams and business application owners:

  1. Update and maintain consistent processes;
  2. Determine whether an agency application requires a DIRA;
  3. Integrate DIRA into agency Risk Management Framework (RMF) processes; and
  4. Learn practices to implement DIRA processes.

What Identity Assurance Level (IAL) does your application need?

If your application has an account, we recommend you complete the Digital Identity Risk Management (DIRA) process to determine IAL-level according to NIST 800-63 revision 3. We’ve extrapolated the following from the DIRA shortcut guide:

Login.gov’s Authentication-only service (IAL1 in 800-63 rev 3) may be the appropriate service if ALL of the following are true:

  • Your application does not provide Controlled Unclassified Information (CUI) to the public.
  • Your application does not allow users to complete a financial transaction or provide banking information.
  • Your application does not allow users to request records
  • Your application does not require users to verify their Personally Identifiable Information (PII) or Protected Health Information (PHI) of other people.

Login.gov’s IAL2 Identity Verification (IdV) services may be the appropriate service if ANY of the following are true:

  • Your application provides access to Controlled Unclassified Information (CUI)
  • Your application allows users to complete a financial transaction or provide banking information
  • Your application allows users to request records
  • Your application requires users to verify their PII or PHI

Login.gov also offers a IdV service without a facial matching step.

We encourage agencies to leverage our IAL2 workflow from a compliance and anti-fraud perspective. For agencies that do not need IAL2 compliance, but desire document verification in addition to a username and password, we offer a version of identity verification that does not include a facial matching step. There is no cost difference between this and our IAL2 service.

NIST is in the process of drafting a fourth revision of 800-63 that includes an updated set of assurance levels. We plan to support these assurance levels, but will not be able to provide guidance on them until the final version is published.