Identity Assurance Level 2 (IAL2)

Identity Assurance Level 2 (IAL2) is part of a structured approach to identity proofing, as outlined in the National Institute of Standards and Technology (NIST) guidelines. NIST, a body under the U.S. Department of Commerce, plays a key role in setting cybersecurity and digital identity standards, including the development of NIST Special Publication 800-63A (SP 800-63A). The concept of Identity Assurance Levels (IALs) emerged to help organizations determine the level of rigor needed to establish digital identities based on security risk. While IAL1 involves minimal verification and IAL3 requires in-person proofing, IAL2 offers a middle ground, striking a balance between accessibility and assurance.

Research into digital identity frameworks highlights the growing importance of trustworthy digital identities in a connected world. At the core of IAL2 is the need for stronger identity proofing methods that verify an individual’s real-world existence through evidence such as government-issued IDs, utility records, or similar credentials. Unlike IAL1, which relies on self-asserted attributes, IAL2 mandates formal validation through documentation and/or biometric verification.

Remote identity proofing has become an essential part of IAL2 compliance, enabling organizations to verify user identities without physical presence while maintaining strict security standards. NIST provides specific controls for IAL2 in SP 800-63A, outlining technical and procedural requirements for secure enrollment practices.

For relying parties, IAL2 provides greater confidence in the assertion of attributes, ensuring that a user’s claimed identity is legitimate and won’t lead to fraudulent activity. This is especially important for sectors like healthcare, finance, and government, where secure remote access to systems must be secured against identity theft or misuse. Notably, IAL2 still permits pseudonymous identity in certain contexts, as long as identity proofing verifies the person's existence and meets the required standards. This balance between security and user privacy makes IAL2 suitable for many regulated industries.

By design, IAL2 sits between the lower assurance of IAL1 and the high-assurance, in-person validation of IAL3. It is best suited for digital transactions with moderate to high risk, when full physical verification may not be practical. Organizations aiming for IAL2 compliance must follow NIST’s guidance on identity proofing, adopt secure identity proofing strategies, and adhere to evidence requirements. New technologies like biometric verification and remote identity proofing are helping organizations meet NIST guidelines while still offering a streamlined user experience.

Organizations increasingly leverage solutions such as identity proofing platforms and remote identity proofing to maintain regulatory compliance and ensure secure access. In healthcare, especially, access management systems must meet these standards to safeguard patient data and facilitate electronic prescribing workflows. Imprivata helps organizations align with NIST standards and simplify compliance with IAL2 by providing solutions that integrate secure identity verification with seamless clinical and IT workflows.