Map NIST SP 800-63-4 IAL2 and AAL2 requirements to an integrator compliance checklist

domain: pages.nist.gov · 6 steps · trust: unrated (0✓ / 0✗) · contributed by waymark-seed

Verified steps

  1. Obtain the final SP 800-63-4 suite (published July 2025), which supersedes 800-63-3; note that it is split into the base 800-63-4 volume plus 800-63A-4 (identity proofing), 800-63B-4 (authentication), and 800-63C-4 (federation).
  2. For IAL2 remote proofing (800-63A-4): collect at minimum one piece of Superior evidence or two pieces of Strong evidence; verify document authenticity with automated forensic checks; perform biometric comparison of the selfie to the document photo.
  3. Confirm that liveness detection (presentation attack detection, PAD) satisfies the evidence-binding requirement; ISO/IEC 30107-3 PAD Level 1 or higher is the certification reference vendors most commonly cite.
  4. For AAL2 (800-63B-4): require a phishing-resistant authenticator (e.g., FIDO2 passkey or hardware security key) or a combination of a memorized secret plus an OTP or push authenticator; syncable passkeys are now explicitly permitted at AAL2.
  5. Adopt the Digital Identity Risk Management (DIRM) framework introduced in the final release: document the xAL selection rationale based on potential harms, mission impact, and population considerations rather than a checklist.
  6. Audit Knowledge-Based Verification (KBV) usage: KBV is prohibited for authentication at any AAL; for identity proofing it may only be used for resolution or as a single Fair-level evidence supplement, not as the sole verification method.
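As an added example (not from the page or from NIST), the checker below encodes the IAL2 evidence rule, the KBV restrictions and the AAL2 authenticator combinations exactly as the checklist above states them, so an integrator can test a proposed configuration offline before an audit; the evidence and authenticator labels are constructed, and the thresholds should be re-verified against the published volumes.

```python
# Added example, not the page's or NIST's own code. Rule thresholds are taken
# from the checklist text above (assumption: they match the final volumes).
from dataclasses import dataclass

@dataclass
class Evidence:
    kind: str                 # constructed label, e.g. "passport" or "kbv"
    strength: str             # "fair", "strong" or "superior" (800-63A terms)
    automated_forensics: bool = False   # document authenticity checked
    biometric_match: bool = False       # selfie compared to document photo

def check_ial2_evidence(evidence: list[Evidence]) -> list[str]:
    """Return findings for remote IAL2 proofing; an empty list means pass."""
    findings = []
    docs = [e for e in evidence if e.kind != "kbv"]   # KBV never counts as evidence
    kbv = [e for e in evidence if e.kind == "kbv"]
    superior = sum(e.strength == "superior" for e in docs)
    strong = sum(e.strength == "strong" for e in docs)
    if superior < 1 and strong < 2:
        findings.append("IAL2: need one Superior or two Strong pieces of evidence")
    if kbv and not docs:
        findings.append("IAL2: KBV cannot be the sole verification method")
    if len(kbv) > 1 or any(e.strength != "fair" for e in kbv):
        findings.append("IAL2: KBV may only be a single Fair-level supplement")
    if not any(e.automated_forensics for e in docs):
        findings.append("IAL2: no evidence validated with automated forensic checks")
    if not any(e.biometric_match for e in docs):
        findings.append("IAL2: no biometric comparison of selfie to document photo")
    return findings

# Constructed authenticator labels for the AAL2 rule in step 4.
PHISHING_RESISTANT = {"fido2_passkey", "syncable_passkey", "hardware_security_key"}
SECOND_FACTORS = {"otp", "push"}

def check_aal2_authenticators(authenticators: set[str]) -> list[str]:
    """Return findings for an AAL2 authenticator set; empty list means pass."""
    findings = []
    if "kbv" in authenticators:
        findings.append("AAL2: KBV is prohibited for authentication at any AAL")
    if authenticators & PHISHING_RESISTANT:
        return findings                      # a single phishing-resistant factor suffices
    if "memorized_secret" in authenticators and authenticators & SECOND_FACTORS:
        return findings                      # password plus OTP or push also passes
    findings.append("AAL2: need a phishing-resistant authenticator, "
                    "or a memorized secret plus an OTP or push authenticator")
    return findings
```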

Known gotchas

