Authenticator Assurance Level 2

AAL2.

NIST SP 800-63's middle assurance tier, requiring two-factor authentication with at least one phishing-resistant or cryptographic factor in the SP 800-63-4 update.

NIST SP 800-63-4 was finalized in 2024 and is the current US federal baseline for digital identity assurance. The most-cited 2026 implication: SMS OTP is no longer adequate for AAL2, which is the practical baseline for most regulated workloads. Synced passkeys clear AAL2 as a single factor; hardware-bound FIDO2 keys clear AAL3.

Common questions

What's the difference between AAL1, AAL2, and AAL3?

Does my CIAM need to be AAL2-compliant?

Are passkeys AAL2 or AAL3?

Last updated 2026-05-06.