
Authenticator Assurance Level 1

AAL1.

NIST SP 800-63's lowest assurance tier. It provides some confidence that the user controls the authenticator, typically through a single factor such as a password or a single OTP.

In 2026, AAL1 is increasingly the floor only for low-risk, preference-style apps. Most B2C consumer apps target AAL2 (multi-factor), and most regulated workloads target AAL2 or AAL3. AAL1 in production for any authentication surface beyond purely public content is mostly a sign that the deployment hasn't caught up to current threat models.


Last updated 2026-05-07.