NIST IAL2

Overview

Certified NIST Identity Assurance Level 2 (IAL2) workflow combining PII Validation corroboration with Government ID and Selfie Match document capture and biometric selfie. Meets NIST SP 800-63A requirements for remote identity proofing at the highest non-in-person assurance level.

Level of Assurance

IAL2 — NIST SP 800-63A certified. Carrier-corroborated PII + phone possession + government document + biometric liveness.

User Friction Level

Medium — PII form + SMS Link + document capture + selfie. Most users complete in 2–4 minutes.

End User Requirements

Mobile phone registered in user's name; government-issued photo ID; mobile device with camera

Speed

2–4 minutes

Supported Countries

MobileMatch: US, UK, CA. Government ID and Selfie Match: 180+ countries.

Use Cases & Fraud Prevention

  • Federal and regulated industry onboarding requiring NIST IAL2 certification.
  • High-value financial services, healthcare, or government identity proofing.
  • Any use case requiring documented compliance with NIST SP 800-63A.
  • Cross-channel re-verification where a certified identity record is required.

How It Works

flowchart LR
    Start([User begins]) --> CS[Country Selection<br/>+ Passive Risk]
    CS -->|High risk| Deny([Denied])
    CS -->|Passes| PII[PII Validation<br/>Carrier + authoritative DB]
    PII -->|Not corroborated| Deny
    PII -->|Corroborated| FT[SMS Link<br/>Possession check]
    FT -->|Not confirmed| Deny
    FT -->|Confirmed| Bio[Government ID and Selfie Match<br/>Document + Selfie]
    Bio -->|Fail| Deny
    Bio -->|Pass| Approve([Approved — IAL2 Certified])

The IAL2 workflow requires successful completion of all three verification layers: carrier-corroborated PII, phone possession via an SMS Link, and government document + biometric selfie. No single-step approval is possible: all layers must pass.

Step 0 — Country Selection + Passive Risk: Passive risk assessed. High-risk sessions denied.

Step 1 — PII Validation: Carrier + authoritative database corroboration. Must pass to proceed.

Step 2 — SMS Link Possession: Device possession confirmed via SMS link.

Step 3 — Government ID and Selfie Match: Document authentication + biometric selfie match. All layers must pass for IAL2 certification.

Configuration Options

Template Variations

  • MobileMatch + SMS Link → Government ID and Selfie Match (default, required for IAL2 certification)
  • Customization should be reviewed against NIST SP 800-63A requirements before deployment

Optional Add-ons

  • SIM Swap checker on PII key
  • Persistent ID (LexID)
  • Contact your ID Dataweb team before modifying default policy components

Integration: Gateway (OIDC)

Standard OIDC flow. See Gateway (OIDC) Integration. Configure asyncUIRedirect for the Government ID and Selfie Match capture step.

Step-by-step Setup

  • Navigate to the Workflow page in the Admin Console.
  • Click Add Workflow, select NIST IAL2, name it, and deploy.
  • Configure asyncUIRedirect (required).
  • Do not modify default policy components without review against NIST SP 800-63A requirements.

Configuration Options — Gateway-specific

Content coming soon.

Integration: ID Dataweb API

See the PII Validation Step, SMS Link Step, and Government ID and Selfie Match Step pages for detailed API reference. All three steps must complete successfully.

sequenceDiagram
    participant App as Your Application
    participant IDW as ID Dataweb API
    participant User as End User

    App->>IDW: POST /token (apiKey:secret)
    IDW-->>App: access_token

    App->>IDW: POST /slverify (Country)
    IDW-->>App: forwardApiKey₁

    App->>IDW: POST /slverify (PII Validation)
    IDW-->>App: forwardApiKey₂

    App->>IDW: GET /doccapture/sendlink (SMS Link)
    IDW->>User: SMS Link
    User->>IDW: Taps link on mobile
    App->>IDW: POST /slverify (SMS Link result)
    IDW-->>App: forwardApiKey₃

    App->>IDW: GET /doccapture/sendlink (Government ID and Selfie Match)
    IDW->>User: Document capture link
    User->>IDW: Document + selfie
    App->>IDW: POST /slverify (Government ID and Selfie Match result)
    IDW-->>App: policyDecision — IAL2 certified (approve / deny)

Step-by-step Setup

Three sequential /slverify calls are required, each chained via forwardApiKey. All three must return a passing result for the final policyDecision to be approve. See each step page for code samples.
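The chaining rule above, sketched as a fail-closed client loop. This is an added example, not ID Dataweb's code: `run_ial2_chain`, the `call(step, api_key)` transport (which would wrap POST /slverify and the link-delivery wait for one step) and the fake responses are hypothetical; only `forwardApiKey`, `policyDecision` and the step order come from this page.

```python
# Added example: fail-closed driver for the chained /slverify calls.
# Step order follows the page's sequence diagram.
STEPS = ["Country", "PII Validation", "SMS Link",
         "Government ID and Selfie Match"]


def run_ial2_chain(call, first_key):
    """Return (decision, failed_step).

    `call(step, api_key)` is a hypothetical transport that performs the
    POST /slverify for one step and returns the parsed JSON body.
    """
    api_key = first_key
    for step in STEPS:
        try:
            body = call(step, api_key)
        except Exception:
            return "deny", step          # transport error is never an approve
        if not isinstance(body, dict):
            return "deny", step
        if step == STEPS[-1]:
            # Only an exact "approve" on the final step counts.
            if body.get("policyDecision") == "approve":
                return "approve", None
            return "deny", step
        nxt = body.get("forwardApiKey")
        # Assumption: a step that did not pass returns an explicit deny
        # or no usable forwardApiKey; either way the chain stops.
        if body.get("policyDecision") == "deny" or not isinstance(nxt, str) or not nxt:
            return "deny", step
        api_key = nxt                    # chain the next call on this key
    return "deny", None


def make_fake_transport(fail_at=None, final="approve"):
    """Constructed offline stand-in for the API; not real responses."""
    def call(step, api_key):
        call.seen.append((step, api_key))
        if step == fail_at:
            return {"policyDecision": "deny"}
        if step == STEPS[-1]:
            return {"policyDecision": final}
        return {"forwardApiKey": "key-after-" + step}
    call.seen = []
    return call


if __name__ == "__main__":
    print(run_ial2_chain(make_fake_transport(), "workflow-key"))
    print(run_ial2_chain(make_fake_transport(fail_at="SMS Link"), "workflow-key"))
```

Returning the failed step alongside the decision gives the application a value to log for troubleshooting without ever treating a partial pass as an approval.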

Configuration Options — API-specific

Content coming soon.

Best Practices, Error Handling & Troubleshooting

  • Do not modify default policy components without reviewing against NIST SP 800-63A requirements.
  • Contact your ID Dataweb team before customizing this workflow for compliance review.
  • SIM Swap checker is strongly recommended on the PII Validation key.

Testing in Preproduction

Testing Options

  • Gateway (Try Now): Admin Console. Andrew Roshell + Passport across all steps.
  • API: Postman with preproduction IAL2 endpoint.

Test Credentials and Values

| Scenario | Input | Expected Result |
| --- | --- | --- |
| Full approve | Andrew Roshell + tap SMS Link + Passport | approve — IAL2 |
| Deny — Government ID and Selfie Match | Andrew Roshell + SMS Link + Driver's License (Andrea) | deny at Government ID and Selfie Match |

Step-by-step How to Test

  • Full IAL2 approve: Andrew Roshell, tap SMS Link on mobile, then complete Government ID and Selfie Match with Passport.
  • Deny at Government ID and Selfie Match: Use Andrea Roshell for the Government ID and Selfie Match step with Driver's License.

Interpreting Results

policyDecision = approve only when all three layers pass. The response confirms IAL2 certification. See individual step pages for assertion-level detail.

Related Resources

PII Validation Step | SMS Link Step | Government ID and Selfie Match Step | Identity Verification | Gateway (OIDC) Integration