Identity Assurance Level 1 (IAL1)

Identity Assurance Level 1 (IAL1) originates from NIST Special Publication 800-63-3, issued by the U.S. National Institute of Standards and Technology, a key cybersecurity governing body within the Department of Commerce and a cornerstone of federal cybersecurity policy development. NIST establishes frameworks to guide federal agencies and non-government sectors on digital identity, focusing on identity proofing, authentication, and federation. SP 800-63-3’s contribution was to separate assurance into three distinct dimensions: Identity Assurance Level (IAL), Authentication Assurance Level (AAL), and Federation Assurance Level (FAL). This lets organizations select a level for each dimension independently rather than applying a one-size-fits-all model.

The concept of IAL emerged to classify the rigor and accuracy of the identity proofing process, defining how confidently a service can assert that a claimant truly is who they claim to be. SP 800-63-3 outlines three levels: IAL1, IAL2, and IAL3. IAL1 involves minimal to no identity proofing, IAL2 introduces evidence-based validation, and IAL3 demands stringent measures, such as in-person or supervised proofing and biometric checks.

At IAL1, there is no requirement to verify the applicant’s identity. Attributes—such as name, email, or other identifiers—are self-asserted, or treated as such by the credential provider, with no proofing process required. This level offers minimal verification and is thus an appropriate starting point for light identity verification use cases, such as general website or forum registration, where false identity claims have limited consequences.

Self-service identity proofing enables easy access with minimal user friction and administrative burden. The guidelines allow for optional techniques like unattended, remote fraud detection, or even facial comparison using weak evidence, but these are discretionary and not required.

In practice, access management systems leverage IAL1 for services where user onboarding must be fast and user-friendly, without exposing the organization to significant risk. For example, social media signups or email provisioning often rely on self-asserted attributes under IAL1. In contrast, IAL2 is chosen when moderate confidence is needed, and IAL3 supports high-risk applications with stringent identity assurance. IAL1 sits at the lowest rung of assurance precisely because it balances convenience and cost against low stakes—anything more would add unnecessary complexity.