AAL3
Authenticator Assurance Level 3, the highest of the three NIST SP 800-63B authenticator assurance levels. AAL3 requires multi-factor authentication using a hardware-based cryptographic authenticator (such as a FIDO2 security key or a PIV smart card) plus verifier impersonation resistance, meaning the protocol is designed so that an attacker who lures the user to a malicious site cannot relay the authentication to the real verifier. OMB Memorandum M-22-09 requires federal civilian executive branch agencies to use phishing-resistant multi-factor authentication for staff, contractors, and partners. AAL3 authenticators satisfy the phishing-resistant requirement; AAL2 with SMS or push notifications does not.