What Is IAL2?
Identity Assurance Level 2 (IAL2) is the federal standard for identity proofing defined by the National Institute of Standards and Technology (NIST) in their Digital Identity Guidelines. For guidance on whether IAL2 is right for your application, please see our article on assurance levels.
As of 2024, Login.gov’s Enhanced identity verification service has been assessed by the Kantara Initiative and approved as conforming to the NIST SP 800-63 Revision 3 guidelines for Identity Assurance Level 2. Partners can review Login.gov’s status on Kantara’s Trust Status List.
What is biometric facial matching?
Login.gov’s Enhanced IdV adds a one-to-one facial matching step. After uploading their ID, users take a selfie. The system compares the selfie against the photo on the ID and analyzes physical characteristics to determine whether a biometric sample is captured from a living subject who is present at the point of capture.
Configuration Options
Partners configure their desired level of service in two places: the Partner Portal (set “Level of Service” to “Identity verification permitted”) and the authentication request (specify the IAL ACR value). Two IAL2-related values are available:
- urn:acr.login.gov:verified-facial-match-required – Requires identity verification with facial match for all users. Even users who were previously verified without facial matching must go through the IAL2 process. Meets NIST IAL2 standard.
- urn:acr.login.gov:verified-facial-match-preferred – Requires identity verification. Users who are not yet verified will go through facial matching. Users who are already verified (even without facial matching) can use their existing verification. Useful for gradual rollouts.
See the OIDC developer documentation and SAML developer documentation for how to specify these values in your authentication request.
Partners can also configure for:
- Basic identity verification (non-IAL2): No facial matching required.
- Authentication only: No identity verification.
Image Storage
See Login.gov’s Privacy Impact Assessment for details about how Login.gov retains image data.
Upgrading Existing Users to Enhanced / IAL2
Partners requiring IAL2 can configure their application in two ways:
- Require Enhanced/IAL2 verification: All users who are not already verified at the IAL2 level must complete the entire IAL2 verification process from beginning to end.
- Gradual rollout: Allow users verified at the Basic IdV level to continue accessing the application while requiring unverified users to go through Enhanced/IAL2.
Users cannot be “grandfathered” into IAL2 — they must complete the entire Enhanced/IAL2 verification process, even if they were previously verified through another provider’s facial matching process. Login.gov needs oversight on the quality and process of every credential it issues.
Partners with Internal Step-Up Logic
Partners who have built internal logic to manage the end-user experience (e.g., requesting authentication first, then using response attributes to decide whether to send a second request for identity verification) can maintain this setup with the IAL2 workflow. The identity verification with facial matching option coexists with the non-IAL2 option and the authentication-only option, preserving flexibility. We recommend a working session to review your step-up logic and mitigate any unknown complexities.
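The following is an added example (not Login.gov’s own code) of the request side of the Configuration Options section and the step-up logic described above: it puts the page’s IAL ACR value into an OIDC authorization request and decides, from the `acr` claim the ID token actually carries, whether a second facial-match-required request is needed. It assumes the ACR value travels in the standard OIDC `acr_values` parameter and that the endpoint, client ID and redirect URI are placeholders; the ID token payload is taken as already signature-, issuer-, audience- and expiry-checked.

```python
import secrets
from typing import Optional
from urllib.parse import urlencode

# The two IAL2 ACR values given on this page.
FACIAL_MATCH_REQUIRED = "urn:acr.login.gov:verified-facial-match-required"
FACIAL_MATCH_PREFERRED = "urn:acr.login.gov:verified-facial-match-preferred"

# Placeholders for the partner's own settings (hypothetical, not Login.gov values).
AUTHORIZE_ENDPOINT = "https://idp.example.test/openid_connect/authorize"
CLIENT_ID = "urn:example:sp:demo-app"
REDIRECT_URI = "https://app.example.test/auth/result"


def new_request_binding() -> tuple:
    """Fresh, single-use state and nonce; persist both server-side per request."""
    return secrets.token_urlsafe(32), secrets.token_urlsafe(32)


def build_authorize_url(state: str, nonce: str, acr_value: Optional[str]) -> str:
    """Build the OIDC authorization request. The IAL ACR value is assumed to
    ride in the standard `acr_values` parameter; None means the partner's
    authentication-only first request (its ACR value is not on this page)."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": state,
        "nonce": nonce,
    }
    if acr_value is not None:
        params["acr_values"] = acr_value
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def needs_step_up(claims: dict, expected_nonce: str) -> bool:
    """Decide from the verified ID token payload of the first response whether a
    second request with FACIAL_MATCH_REQUIRED must be sent.

    The decision rests on the `acr` claim the IdP returned, never on what the
    first request asked for: under the "preferred" value an already-verified
    user keeps their existing (possibly non-facial-match) verification, so the
    returned level can be lower than the requested one."""
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: response is not bound to our request")
    return claims.get("acr") != FACIAL_MATCH_REQUIRED
```

When `needs_step_up` returns True, generate a fresh binding with `new_request_binding()` and redirect the user to `build_authorize_url(state, nonce, FACIAL_MATCH_REQUIRED)`; reusing the first request’s state or nonce would defeat the replay protection they provide.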
Testing IAL2 in the Sandbox
Login.gov provides a full sandbox environment for testing identity verification, including the IAL2 facial matching flow:
- Developer guide: Testing your integration covers sandbox setup and identity proofing simulation.
- Identity proofing testing: Testing identity proofing explains how to test with sample data, either via the in-person flow (no Post Office visit needed in sandbox) or by uploading YAML files with user attributes.
- IAL2-specific testing: Testing the IAL2-compliant process provides tips on document types that work in the sandbox.
- Sample application: Use the Login.gov sample service provider to simulate different scenarios. Select “Facial Match Required” from the “Level of Service” dropdown and click “Sign in” to walk through the full IAL2 flow.
Note: The file upload option for testing is only available in the sandbox. Users in production will not see it.