IAL3 Identity Proofing Use Cases Across High-Risk Transactions

NIST’s Digital Identity Guidelines have become a cornerstone of modern security. They emphasize extensive, rigorous identity proofing and phishing-resistant authentication, and they play a critical role in driving secure federated identities.

Achieving compliance with NIST SP 800-63 is no simple matter, however. Buyers should first assess business risk before selecting the assurance levels that can help mitigate it. Levels don’t have to match perfectly: lightweight identity proofing may coexist alongside strong authentication.

Authentication

NIST Special Publication 800-63 is one of the industry’s most influential digital identity standards, providing guidance for organizations on how to verify identities, authenticate users and safely share data in federated systems. Unfortunately, many find its complex language hard to grasp in practice.

NIST 800-63A IAL3, released as final in 2025, marks an important shift away from checklist-based requirements and towards a risk-based DIRM framework. Organizations must now evaluate threats, service impacts and user populations to select an IAL, AAL or FAL assurance level dynamically.

The new NIST IAL3 verification requirement aims to prevent impersonation attacks by employing an on-site attended session with applicants that requires direct observation and collection of at least one biometric characteristic. TrustSwiftly’s compliant solution employs remote yet supervised identity proofing, document validation against authoritative sources and biometric comparison against claimed digital identities to combat impersonation attempts, SIM swaps and MFA bypasses. It also supports phishing-resistant authentication protocols and syncable passkeys to protect against man-in-the-middle attacks.

Document Verification

The IAL3 identity proofing process involves an in-person attended session with a trained CSP representative and the collection of biometrics. Its purpose is to prevent impersonation attacks by verifying that evidence is authentic and has real-world existence, based on information provided by its issuing source. Furthermore, special consideration must be given when engaging minors, and additional security measures may be implemented to comply with laws such as COPPA.

TrustSwiftly’s certified passwordless authentication and ID&V technology directly meets these guidelines by offering remote yet supervised identity proofing alongside document, biometric, and liveness detection verification methods. This helps organizations meet NIST 800-63A levels of assurance with FAL levels of certainty.

Biometric Comparisons

NIST defines Identity Assurance Levels (IALs) as indicators of certainty that an online identity matches a real-world identity. They range from IAL1 to IAL3, with the latter requiring in-person verification. Standards set out at this tier require either an in-person attended session with the applicant, or remote interaction that includes reviewing their identification documents and biometrics for verification.

Leading IAL3 compliant solutions employ advanced document inspection methods such as multispectral UV light analysis and facial recognition with liveness detection to verify claimed documents in the real world. In addition, biometric comparison capabilities enable CSPs to perform strong or superior strength identity verification services for their applicants. NIST SP 800-63-4 maintains the tripartite model while expanding requirements to support modern identity technologies like mobile driver’s licenses, user-controlled wallets and advanced authentication methods.

Liveness Detection

As fraudsters can easily pose as real people using photographs, video footage and masks, liveness detection is an integral component of identity proofing. Challenge-response tests prompt individuals to perform specific actions such as blinking, nodding their head or speaking in order to ensure they’re real human beings rather than impostors.
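An added example (not from the original page or any vendor's product) of the server side of a challenge-response liveness check: the prompt sequence is random, bound to one session, short-lived and single-use, so pre-recorded footage cannot satisfy it. The action labels, the 30-second lifetime and the function names are assumptions, and `observed_actions` stands for the output of a separate video-analysis component.

```python
import hashlib
import hmac
import secrets

# Assumed action labels; a real product defines its own prompt set.
ACTIONS = ("blink", "nod", "turn_left", "turn_right", "speak_digits")
SERVER_KEY = secrets.token_bytes(32)  # constructed per-process key for the demo
TTL_SECONDS = 30                      # assumed challenge lifetime
_used_nonces = set()                  # demo only; use a shared store in production


def _mac(session_id, nonce, expires, actions):
    """Bind the prompt sequence to one session, nonce and expiry."""
    msg = "|".join([session_id, nonce, str(expires), ",".join(actions)])
    return hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256).hexdigest()


def issue_challenge(session_id, now, steps=3):
    """Pick an unpredictable ordered prompt sequence for this session."""
    actions = secrets.SystemRandom().sample(ACTIONS, steps)
    nonce = secrets.token_hex(16)
    expires = int(now) + TTL_SECONDS
    return {"nonce": nonce, "expires": expires, "actions": actions,
            "tag": _mac(session_id, nonce, expires, actions)}


def verify_response(challenge, observed_actions, session_id, now):
    """observed_actions: ordered labels reported by the video analysis (assumed)."""
    expected = _mac(session_id, challenge["nonce"], challenge["expires"],
                    challenge["actions"])
    if not hmac.compare_digest(expected, challenge["tag"]):
        return "rejected: challenge tampered or bound to another session"
    if now > challenge["expires"]:
        return "rejected: challenge expired"
    if challenge["nonce"] in _used_nonces:
        return "rejected: challenge already used"
    _used_nonces.add(challenge["nonce"])  # burn the nonce on first attempt
    if list(observed_actions) != challenge["actions"]:
        return "rejected: actions do not match the prompt"
    return "accepted"


if __name__ == "__main__":
    c = issue_challenge("sess-A", now=1000)
    print(c["actions"], verify_response(c, c["actions"], "sess-A", now=1010))
    print(verify_response(c, c["actions"], "sess-A", now=1011))  # replayed
```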

Passive liveness detection continuously monitors an individual’s behavior and facial features to assess how similar they are to real people, and compares this against data stored within the system. The scores generated from passive liveness detection can then be used for identity verification during login or KYC processes such as account opening and re-verification.

Authentication solutions that adhere to NIST 800-63A IAL3 guidelines offer users a higher level of trust while simultaneously decreasing cyber liability insurance premiums and lowering operational costs through fewer password reset requests. TrustSwiftly is a reliable IAL3 provider with chat, video, facial recognition with liveness detection and document authentication tools to help organizations reach these objectives.
