NIST Digital Identity Guidelines: What Businesses Must Do for IAL2 Compliance
Identity fraud costs businesses an estimated $48 billion every year. Yet most companies still verify identity the way they did in the 2010s: collect a couple of documents, maybe add some security questions, and call it done. Fraudsters, meanwhile, have upgraded to deepfakes, stolen credentials, and techniques that did not exist five years ago.
The answer many businesses are converging on is NIST SP 800-63, the Digital Identity Guidelines. The standard itself is not new, but it is now being adopted across industries, including fintechs, healthcare providers, and marketplaces. Identity proofing specifically is covered by its 800-63A volume.
For most online businesses, the level that matters most is Identity Assurance Level 2 (IAL2).
The Reality Check
So what is IAL2, and why does it matter? It is the middle ground: not the "trust me, I'm who I say I am" level, and not the "meet a trained agent in person" level. It verifies identity against real evidence without wrecking the user experience.
It requires you to collect official documents (identity evidence), validate them, where possible directly with the source that issued them, and then confirm that the person presenting them is the person they describe.
IAL1, by contrast, accepts what the applicant asserts about themselves (under the 2017 revision, Rev 3, no evidence is required at all), which is fine for free accounts and low-risk customers. IAL3 is the strictest: proofing is done in person, or over a supervised remote session, by a trained operator, and a biometric is collected.
IAL2 works because it is practical: it balances customer experience against security, and it leaves you with real evidence, a validation record, and an audit trail.
How This Actually Works (The Three Steps)

First step: resolution. Collect the applicant's core attributes (name, date of birth, address, phone number, email) together with their identity evidence, and use them to distinguish this one person from everyone else in your population. The attributes printed on the uploaded document must agree with what the applicant entered. Knowledge-based verification (KBV, the "security questions") is sometimes used to disambiguate here, but NIST constrains it heavily, and it never substitutes for validating the evidence with its issuer.
Second step: validation. Confirm that the submitted evidence is genuine and current. Check the physical security features (holograms, microprint, optically variable ink), read and verify the cryptographic features where the document carries them (the signed data on an e-passport chip), run automated tamper analysis on the captured image, and, wherever possible, validate the data against the issuing source or an authoritative source. Validation is what stops a well-made forgery, or a real document whose data was altered, from getting through.
Third step: verification. Confirm that the applicant is the person the evidence describes. There are two options. Physical comparison, where a trained operator compares the applicant's face to the photo on the ID, in person or remotely over high-resolution video or photos. Or automated biometric comparison, where software matches the ID photo against a live capture. Either way you need presentation attack detection (liveness): without it, a printed photo or a screen replay of the victim passes. With deepfakes improving every month, this is non-negotiable.
The Documents You’ll Accept
NIST grades identity evidence by strength. The grades that count toward IAL2 are SUPERIOR, STRONG, and FAIR (Rev 3 also defines WEAK and UNACCEPTABLE, which count for nothing). Strength is not simply the document type: it depends on how rigorously the issuing source proofed the holder, what security features the evidence carries (physical ones such as holograms, or cryptographic ones such as a signed chip), whether it carries a photo or other biometric, and whether it can be validated with the issuing source. In practice an e-passport validated against its issuer sits at the top, a driver's license or national ID card with a photo and physical security features is typically STRONG, and school IDs, membership cards, and utility bills cannot be counted as STRONG; depending on how their issuer proofed the holder they rate FAIR at best.
For IAL2 under Rev 3, you need one of three combinations:
- One SUPERIOR or STRONG piece of evidence, validated directly with the issuing source (and the issuer itself must have proofed the holder against two or more STRONG or SUPERIOR pieces when it issued the document)
- Two STRONG pieces of evidence
- One STRONG piece plus two FAIR pieces
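The three combinations above are easy to state and easy to get wrong in a rules engine, usually by accepting a single license that was never validated with its issuer. The following is an added example, not code from the article or from any vendor's SDK: it encodes the Rev 3 evidence-collection rule as a function you can unit test. The `Evidence` record and its two issuer-related flags are this example's own modelling assumptions, and the example treats a stronger grade as satisfying a requirement for a weaker one (SUPERIOR counts where STRONG is required). It checks only evidence sufficiency; validation, verification, and address confirmation remain separate steps.

```python
"""Evidence-sufficiency check for IAL2, following the evidence-collection
rule in NIST SP 800-63A Rev 3 (section 4.4.1.2). Added example; not part of
the original article or any product. The Evidence record is illustrative."""
from dataclasses import dataclass
from enum import IntEnum


class Strength(IntEnum):
    # Rev 3 also defines WEAK and UNACCEPTABLE; they never count toward IAL2,
    # so a piece graded below FAIR is simply not represented here.
    FAIR = 1
    STRONG = 2
    SUPERIOR = 3


@dataclass(frozen=True)
class Evidence:
    kind: str                                    # label only, e.g. "passport"; the grade is what matters
    strength: Strength
    validated_with_issuer: bool = False          # data confirmed directly with the issuing source
    issuer_proofed_with_two_strong: bool = False  # issuer's own proofing used 2+ STRONG/SUPERIOR pieces


def ial2_evidence_sufficient(evidence: list[Evidence]) -> tuple[bool, str]:
    """Return (ok, reason) for a collected evidence set.

    Assumption made here: a SUPERIOR piece satisfies any slot that asks for
    STRONG, since the grades are ordered.
    """
    # Route 1: a single SUPERIOR or STRONG piece, but only when it was validated
    # with its issuer AND that issuer proofed the holder rigorously. An unvalidated
    # license on its own never qualifies, which is the common implementation bug.
    for e in evidence:
        if (e.strength >= Strength.STRONG and e.validated_with_issuer
                and e.issuer_proofed_with_two_strong):
            return True, f"single {e.strength.name} piece ({e.kind}) validated with issuing source"

    strong = sum(1 for e in evidence if e.strength >= Strength.STRONG)
    fair = sum(1 for e in evidence if e.strength == Strength.FAIR)

    # Route 2: two STRONG pieces.
    if strong >= 2:
        return True, "two STRONG-or-better pieces"
    # Route 3: one STRONG piece plus two FAIR pieces.
    if strong >= 1 and fair >= 2:
        return True, "one STRONG-or-better piece plus two FAIR pieces"
    return False, f"insufficient: {strong} STRONG-or-better and {fair} FAIR pieces"


if __name__ == "__main__":
    # Constructed sample: a driver's license captured remotely but not validated with the DMV.
    license_only = [Evidence("driver's license", Strength.STRONG)]
    print(ial2_evidence_sufficient(license_only))
    print(ial2_evidence_sufficient(license_only + [Evidence("utility bill", Strength.FAIR),
                                                   Evidence("membership card", Strength.FAIR)]))
```

The `reason` string is worth persisting with the proofing record: it is exactly what an auditor asks for when they want to know which route a given customer was admitted under.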
Remote Proofing Changes Everything
More and more people want remote identity proofing: they would rather apply at 11 PM from their phone than visit an office. If you don't offer it, you lose customers.
Remote proofing is harder, though. You can't inspect the document's security features up close, you can't easily confirm that the live person matches the ID, and you can't handle the document at all. NIST compensates by leaning harder on what can still be checked remotely: the machine-readable and cryptographic features of the evidence, validation against issuing sources, biometric comparison with presentation attack detection, and address confirmation.
That last control is the one that gets missed constantly. Address confirmation ties the verified identity to an address the applicant actually controls: after the evidence and biometric checks pass, send an enrollment code to a validated address of record (postal address, telephone number, or email) and require the applicant to present it back. Two details decide whether it means anything. The code must go to an address that was validated as belonging to the identity, not one the applicant merely typed in, or an attacker simply supplies their own. And the code must be random and short-lived: Rev 3 asks for roughly 20 bits of entropy (for example six random alphanumeric characters) and caps its validity by channel, minutes for a telephone of record and days for postal delivery. Done that way, someone who stole a passport still can't complete enrollment without also controlling the victim's mailbox, phone, or inbox.
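The enrollment-code step is small enough to get exactly right, and it is where remote flows most often leak (codes sent to self-asserted addresses, codes that never expire, codes that can be guessed online). The following is an added example, not the article's or any vendor's code: an issue-and-redeem store that refuses unvalidated addresses, draws the code from a CSPRNG, expires it per channel, accepts it once, caps guesses, and compares in constant time. The per-channel lifetimes are taken from the Rev 3 address-confirmation clause as this example reads it, so check them against the revision you certify to; the `AddressOfRecord` structure, the in-memory store, the injectable clock, and the three-attempt cap are this example's own assumptions.

```python
"""Enrollment-code issuance and redemption for remote IAL2 address
confirmation. Added example; not part of the original article or any
product. Lifetimes follow SP 800-63A Rev 3 section 4.4.1.6 as read by the
author of this example; the store, records and attempt cap are illustrative."""
import hmac
import secrets
import string
import time
from dataclasses import dataclass

# 36 symbols, 6 characters: about 31 bits, comfortably above the ~20-bit floor.
ALPHABET = string.ascii_uppercase + string.digits
CODE_LENGTH = 6

# Maximum validity per delivery channel (seconds), as read from Rev 3.
MAX_LIFETIME_SECONDS = {
    "postal": 10 * 24 * 3600,  # postal address of record within the contiguous US
    "sms": 10 * 60,            # telephone of record (SMS)
    "voice": 10 * 60,          # telephone of record (voice call)
    "email": 24 * 3600,        # email address of record
}
MAX_ATTEMPTS = 3  # assumption: our own online-guessing cap, not a NIST figure


@dataclass
class AddressOfRecord:
    channel: str      # a key of MAX_LIFETIME_SECONDS
    value: str        # the address itself (constructed values in the demo below)
    validated: bool   # confirmed to belong to the proofed identity, not self-asserted


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0
    used: bool = False


class EnrollmentCodes:
    """One outstanding code per applicant. Clock is injectable for testing."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending: dict[str, PendingCode] = {}

    def issue(self, applicant_id: str, address: AddressOfRecord) -> str:
        """Generate a code bound to the applicant and return it for delivery.

        Refuses an unvalidated address: if the applicant could type in any phone
        number, an attacker holding a stolen passport would just receive the code.
        """
        if not address.validated:
            raise ValueError("enrollment code must go to a validated address of record")
        if address.channel not in MAX_LIFETIME_SECONDS:
            raise ValueError(f"unsupported delivery channel {address.channel!r}")
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        self._pending[applicant_id] = PendingCode(
            code=code,
            expires_at=self._clock() + MAX_LIFETIME_SECONDS[address.channel],
        )
        return code

    def redeem(self, applicant_id: str, presented: str) -> bool:
        """Accept the code once, within its lifetime, after at most MAX_ATTEMPTS guesses."""
        rec = self._pending.get(applicant_id)
        if rec is None or rec.used or self._clock() > rec.expires_at:
            return False
        rec.attempts += 1
        if rec.attempts > MAX_ATTEMPTS:
            del self._pending[applicant_id]  # burn it; the applicant restarts proofing
            return False
        # Normalise what a human typed, then compare without a timing side channel.
        if hmac.compare_digest(presented.strip().upper(), rec.code):
            rec.used = True
            return True
        return False


if __name__ == "__main__":
    store = EnrollmentCodes()
    # Constructed sample address; "validated" means it came from an authoritative source.
    phone = AddressOfRecord("sms", "+1 555 010 0100", validated=True)
    code = store.issue("applicant-42", phone)
    print("delivered:", code, "redeemed:", store.redeem("applicant-42", code.lower()))
```

In production the store moves to a database keyed by proofing session, the address record comes from the validation step rather than from the applicant, and the code is delivered out of band; none of that changes the five properties the class enforces.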
Identity Verification Is No Longer Optional—Whether You’re Regulated or Not
There was a time when only highly regulated businesses had to think about this. It is now a requirement for almost every kind of business, whatever the industry. The question people in the market keep asking is: "Is our process good enough that a regulator or an auditor would consider it reliable?"
You need an answer, because regulators will ask. The financial institutions you deal with will expect one, and in some cases so will your customers. Follow the current (2025) NIST recommendations and have that answer ready.
Building It
Start by looking at what you actually do now. Are you collecting documents? Do you validate them? Do you check with issuing sources? Do you confirm that the person is who they say they are? Write all of it down.
Then pick your approach. Is a single piece of evidence, validated with its issuer, enough for your population, or do you need to collect two or more?
What about automated facial comparison versus manual comparison? Based on what we've seen, most businesses do best with a hybrid setup: automated document validation and biometric matching handle 80-90% of cases, and manual review handles the rest, the edge cases where a human has to look.
Why This Matters
This isn't compliance theater. Companies running IAL2 see lower fraud, earn more customer trust, and can defend their process in court. Companies ignoring it are hoping they don't get sued.
It does cost money: technology, integration, and training. But the payoff beats the cost, and you probably don't need to implement everything tomorrow. You do need to start assessing now. Look at your current process, find the gaps, and plan how you are going to close them.
Ready to close the gap in your identity verification? See how Shufti's IDV Solution adapts to your compliance needs and request a demo today.