Authenticator Assurance Level 3
AAL3.
NIST SP 800-63's highest assurance tier, requiring multi-factor authentication with at least one hardware-bound cryptographic key and verifier-impersonation resistance.
NIST SP 800-63-4 sharpened the AAL3 requirements in 2024. For most workloads, AAL2 is sufficient; AAL3 is the right target only for federal high-impact, top-secret workforce, or specific regulated scenarios that explicitly require it. Common AAL3-qualifying authenticators in 2026: YubiKey 5 series, Feitian ePass, Apple iPhone Secure Enclave (when used as device-bound), Windows Hello with TPM-bound credentials.
Common questions
Do I need AAL3?
Are passkeys AAL3?
What authenticators clear AAL3?