NIST IAL2 Identity Verification

Customer Implementation Guide

Version: 1.1
Last Updated: Feb 18, 2026

Overview

Vouched offers NIST SP 800-63A Identity Assurance Level 2 (IAL2) compliant identity verification for organizations that require a higher level of identity assurance.

IAL2 is commonly required in regulated industries such as healthcare, financial services, and government. It ensures that:

  • Government-issued identity evidence is verified
  • Identity attributes are validated against authoritative sources
  • The verified identity is securely bound to the individual

This guide explains how to integrate and use Vouched IAL2 verification in your application.

What’s Included in IAL2

When IAL2 is enabled for your account, Vouched enforces additional controls and workflow requirements to meet NIST standards.

1. Crosscheck (Phone + Email Validation and Matching)

Crosscheck is Vouched’s authoritative address-validation service that verifies an applicant’s phone number and email address and confirms those addresses are associated with the applicant’s name. Crosscheck implements the two “addresses of record” requirement for IAL2: a validated phone number for delivery of the enrollment link and a validated email address for proofing completion notification.

IAL2 requires two validated “addresses of record”:

  • A validated phone number that is matched to the end user’s name (used to deliver the verification link)
  • A validated email address that is matched to the end user’s name (used to send the proofing completion and approval notification)

To meet this requirement:

  • You must run Crosscheck before initiating the VIDV job.
  • You must include the Crosscheck Job ID in the VIDV job request.
  • The Crosscheck Job ID must be programmatically linked to the VIDV job.

If the Crosscheck Job ID is not included in the VIDV request, the job cannot be marked IAL2 compliant.

IAL2 compliance will fail if:

  • Phone number cannot be validated (e.g., fails)
  • Phone number is not matched to the end user name (e.g., fails)
  • Email address cannot be validated (e.g., fails)
  • Email address is not matched to the end user name (e.g., fails)
  • Crosscheck is not executed before the Visual Identity Verification (VIDV) job
  • Crosscheck Job ID is not supplied in the VIDV job
  • Name on Crosscheck job does not match VIDV name

What Crosscheck Does NOT Do

Does NOT authenticate the user for session access. Validation of a phone or email is not the same as ongoing authentication or session management. Customers must implement their own authentication/authorization controls.

Does NOT guarantee continued control of addresses beyond the validation event. Crosscheck validates ownership/association at the time it runs; it does not continuously validate that the phone or email remains controlled by the same person at later times unless re-validated.

Does NOT replace consent or lawful-purpose obligations. Customers must ensure they have the lawful basis or permissible purpose to perform Crosscheck and to process the underlying data (for example, GLBA/DPPA/HIPAA rules where applicable).

Does NOT create an IAL2 result by itself. Crosscheck is a required input to the IAL2 decision, but Crosscheck passing alone does not create IAL2 — VIDV/DLV and other required checks must also pass.

Does NOT permit manual overrides that reinstate IAL2. Any manual approval of an address validation failure will remove IAL2 status for that job.

2. Identity Verification (VIDV + DLV)

Visual ID Verification (VIDV): Automated checks on captured ID images and a live selfie to verify authenticity and the person-to-document binding.

Driver’s License Verification (DLV): Authoritative validation of driver’s license and state ID attributes against issuer data (for example, AAMVA / state DMV data where available).

VIDV and DLV are the two complementary technical capabilities Vouched uses to validate identity evidence submitted by an applicant. Together, they ensure the document is genuine, the attributes on the document are correct, and the person presenting the document is the rightful holder.

IAL2 restricts acceptable identity evidence to the following document types:

  • U.S. Driver’s License
  • U.S. State Identification Card
  • U.S. Passport Card
  • U.S. Passport

These categories align with Vouched’s publicly available Credential Policy.

Additional IAL2 controls include:

  • Expired IDs are automatically rejected
  • Driver’s Licenses and State IDs must pass authoritative Driver’s License Verification (DLV)
  • Visual ID Verification (VIDV) must pass, including:
    • Face match between ID and selfie
    • Liveness detection
    • Fraud and tampering checks

IAL2 compliance will fail if:

  • VIDV fails
  • DLV fails
  • ID is expired
  • Name does not match phone or email address (via our Crosscheck service)
  • Crosscheck name and name on ID do not match

What VIDV+DLV Does NOT Do

Does NOT authenticate users or manage login sessions. VIDV/DLV confirm identity at proofing time; they do not substitute for ongoing authentication controls.

Does NOT guarantee absolute fraud prevention. VIDV/DLV materially reduce risk but do not eliminate all possibility of fraud; they provide signals and authoritative checks that customers should use as part of a broader risk model.

Does NOT validate certain document classes via DLV. DLV is authoritative for driver’s licenses and state IDs via issuer records; passports and passport cards are validated through VIDV and appropriate authoritative crosschecks. If a jurisdiction is not supported by DLV, the ID type may not qualify for IAL2 unless another acceptable authoritative evidence path exists.

Does NOT permit manual overrides to produce an IAL2 result. If VIDV/DLV fail and a customer manually approves, the job will not be IAL2 compliant. (Manual review is permitted for business purposes, but it invalidates IAL2 status.)

3. Successful IAL2 Verification

A job is marked IAL2 compliant only if all required conditions are satisfied.

The following fields must return TRUE:

  • Phone and email match to name in Crosscheck step
  • VIDV passes
  • DLV passes
  • Submitted name (used for Crosscheck) matches the name on the ID submitted in IDV

Additionally:

  • The Crosscheck Job ID must have been supplied in the VIDV job request.

If all conditions are met:

  • The job is IAL2 compliant and proofing completion notification is sent to the validated email address

How to Enable IAL2

IAL2 must be enabled by Vouched.

To activate IAL2 for your account:

  1. Contact your Vouched account representative.
  2. Confirm you will implement the required workflow described in this document.

Once enabled, Vouched enforces:

  • 10-minute invite expiration
  • Required phone and email capture
  • Expired ID rejection
  • Accepted document types are restricted to those listed above
  • DLV enforcement where applicable

These controls cannot be modified while IAL2 is active.

Required Integration Flow

To maintain IAL2 compliance, your application must follow this sequence:

  1. Capture phone number and email address.
  2. Execute Crosscheck.
  3. Initiate IDV and include the Crosscheck Job ID in the request.
  4. Allow the applicant to complete VIDV + DLV.

If this sequence is not followed, the job will not qualify as IAL2 compliant.

Applicable Terms & Conditions

  • Terms of Service
  • This IAL2 Identity Verification Service is subject to the Vouched Terms of Service and the attached Data Processing Agreement, which are incorporated herein by reference.
  • In addition, when an Applicant (e.g., End User) is going through the identity verification process, they must agree to (1) the End User Privacy Statement, (2) the Biometric Privacy Notice, and (3) the End User Terms before proceeding with the ID document and selfie capture.

Privacy and Data Protection

Privacy Statement - see End User Privacy Statement
Biometric Policy - see Biometric Privacy Statement
Data Retention - see End User Privacy Statement: Data Retention
Data Processing - see Data Processing Agreement

Security Controls
Vouched maintains administrative, technical, and physical safeguards designed to protect identity data and proofing systems. Vouched is ISO 27001 and SOC2 certified. Requests for certification documents and policies can be made by submitting a request to http://trust.vouched.id. These safeguards include:

  • Encryption of data in transit using industry-standard TLS
  • Encryption of sensitive data at rest
  • Role-based access controls and least-privilege access policies
  • Secure key management practices
  • Audit logging of proofing transactions
  • Ongoing monitoring and incident response procedures

These controls are designed to align with industry best practices and applicable regulatory expectations for identity verification services.

Authentication Scope
Vouched IAL2 provides identity proofing and verification services.
Vouched does not provide authentication services (e.g., password management, multi-factor authentication enforcement, or ongoing account authentication).
Customers are responsible for implementing appropriate authentication controls within their own systems following identity proofing. Organizations requiring specific Authenticator Assurance Levels (AAL) should implement authentication mechanisms consistent with their regulatory and risk requirements.

Renewal and Re-Proofing
IAL2 proofing results do not automatically expire unless required by a customer’s internal policy or applicable regulation.
Customers may initiate re-proofing at any time by submitting a new verification request.
Common scenarios for re-proofing include:

  • Regulatory refresh requirements
  • Suspected identity compromise
  • Significant account changes
  • Internal risk policy triggers

Each new proofing transaction is independently evaluated for IAL2 compliance.

Revocation of Proofing Results
IAL2 compliance is determined exclusively by the automated controls and validation logic described in this document.
If a job meets all required IAL2 conditions, it is marked ial2Compliant = TRUE. If any required control fails, it is marked ial2Compliant = FALSE.

Customer Review and Overrides
Vouched may provide customers with the ability to review verification results and manually override certain outcomes for business purposes.
However:

  • Any manual override of a failed verification result
  • Any approval that bypasses the required automated controls
  • Any modification of the required IAL2 validation logic

will cause the affected job to no longer qualify as IAL2 compliant.
IAL2 compliance cannot be achieved through manual approval alone. It must result from the successful completion of all required automated validation steps.

Post-Proofing Invalidation (Revocation)
In certain circumstances, a previously successful IAL2 proofing result may need to be invalidated.
Revocation may occur if:

  • Fraud or misrepresentation is discovered after proofing
  • Identity evidence is determined to be compromised
  • Regulatory or legal requirements mandate invalidation

Upon revocation:

  • The affected proofing result may be marked invalid in system records
  • Customers may be notified where appropriate
  • Customers remain responsible for taking appropriate downstream action within their own systems

Revocation of an individual proofing result is distinct from termination of the IAL2 service.

Legal

Country in or legal jurisdiction under which the service is operated: United States (see Terms of Service section 3.3)

Legal jurisdiction under which Subscriber and relying party agreements are entered into: Governing law is State of Washington, unless agreed to otherwise (see Terms of Service Section 10.4)

Applicable Legislation and Regulatory Alignment
Vouched’s IAL2 Identity Verification service is designed to align with the requirements of:

  • NIST Special Publication 800-63A (Digital Identity Guidelines – Identity Assurance Level 2)

Where applicable, Vouched implements administrative, technical, and procedural controls intended to support compliance obligations commonly associated with regulated industries, including financial services, healthcare, and government use cases.
Customers are responsible for determining whether IAL2 satisfies their specific regulatory, statutory, or contractual obligations.

Roles and Obligations
Obligations of Vouched (Credential Service Provider – CSP)
Vouched is responsible for:

  • Executing the IAL2 identity proofing process in accordance with documented requirements
  • Performing evidence collection, validation, and verification controls described in this guide
  • Enforcing required IAL2 compliance logic
  • Maintaining appropriate security safeguards for identity data
  • Providing audit records of proofing transactions
  • Clearly indicating IAL2 compliance status via system fields (e.g., ial2Compliant)

Vouched determines IAL2 compliance status based solely on successful completion of required automated controls.

Obligations of the Subscriber (Customer)
The Subscriber is responsible for:

  • Implementing the required integration workflow described in this document
  • Supplying the Crosscheck Job ID in the VIDV request
  • Restricting accepted identity document types to those permitted under IAL2
  • Reviewing ial2Compliant status before relying on a proofing result
  • Implementing appropriate authentication and access controls within their own systems
  • Determining whether IAL2 meets its regulatory or risk requirements

Manual overrides that bypass required controls invalidate IAL2 compliance.

Obligations of the Applicant (End User)
The Applicant is responsible for:

  • Providing accurate and truthful identity information
  • Submitting valid, unaltered identity evidence
  • Completing required liveness and verification steps

Submission of fraudulent or altered documentation may result in rejection, revocation, or other appropriate action.

Obligations of the Relying Party
If a party relies on an IAL2 proofing result, that party is responsible for:

  • Independently evaluating whether IAL2 assurance meets their risk tolerance
  • Verifying the ial2Compliant status before accepting a result
  • Implementing appropriate downstream controls (e.g., authentication, authorization, monitoring)

Reliance on an IAL2 proofing result does not eliminate the relying party’s independent risk management obligations.

Guidance for Relying Parties

Relying parties should verify ial2Compliant = TRUE and the associated verification fields (phoneMatch, emailMatch, idvSuccess, dlvSuccess, crosscheckLinked) before accepting an identity at IAL2. Relying parties should also:

  • Confirm that the identity assertion or token is valid and properly signed.
  • Confirm that the proofing event timestamp and other claims match their expected session logic.
  • Ensure the IAL2 proofing result satisfies their regulatory and contractual obligations (for example, GLBA, HIPAA, DPPA, state privacy laws). Vouched maintains a Legal & Regulatory Obligations Inventory (LROI) mapping these obligations to controls; relying parties should consult legal counsel for jurisdictional applicability.

Risk acceptance guidance
IAL2 indicates a high level of identity assurance, but it does not replace a relying party’s risk assessment. Use IAL2 results in the context of:

  • The transaction value and sensitivity of data or actions you allow.
  • Local legal/regulatory obligations (e.g., GLBA, HIPAA, DPPA, GDPR/CCPA).
  • Additional signals you maintain (e.g., device posture, recent account behavior, transaction heuristics).

Practical acceptance suggestions: Accept if ial2Compliant = TRUE, token is valid/signed, the proofing timestamp is recent enough for your policy, AND no conflicting fraud signals exist. If any of these are absent, escalate for manual review — but note manual approval voids IAL2 status (see Revocation / Overrides).
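
The acceptance rule above, as an added Python example (not Vouched code and not part of the original guide). It uses the field names listed in this section and assumes the result arrives as a flat record of booleans, that the proofing timestamp sits under a hypothetical `proofedAt` key, and that the caller has already verified the token signature by its own means; the one-day freshness window is likewise an assumed policy value.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Field names taken from this guide; all must be TRUE for IAL2.
REQUIRED_TRUE = ("ial2Compliant", "phoneMatch", "emailMatch",
                 "idvSuccess", "dlvSuccess", "crosscheckLinked")


@dataclass
class Decision:
    accept_at_ial2: bool
    reasons: list = field(default_factory=list)


def evaluate_proofing_result(result, *, signature_valid, now,
                             max_age=timedelta(days=1), fraud_signals=()):
    """Fail-closed acceptance check for one proofing result.

    result          -- dict parsed from the verification result (shape assumed)
    signature_valid -- outcome of the caller's own token/signature check
    max_age         -- relying party's freshness policy (assumed value)
    fraud_signals   -- conflicting signals from the relying party's own systems
    """
    reasons = []

    # Only the boolean True counts: a missing key, None, "true" or 1 all fail.
    for name in REQUIRED_TRUE:
        if result.get(name) is not True:
            reasons.append(f"{name} is not TRUE")

    if signature_valid is not True:
        reasons.append("token signature not verified")

    # "proofedAt" is a hypothetical key for the proofing event timestamp.
    try:
        proofed_at = datetime.fromisoformat(result["proofedAt"])
        if proofed_at.tzinfo is None:
            raise ValueError("timestamp has no timezone")
        age = now - proofed_at
        if age < timedelta(0):
            reasons.append("proofing timestamp is in the future")
        elif age > max_age:
            reasons.append("proofing timestamp older than policy allows")
    except (KeyError, TypeError, ValueError):
        reasons.append("proofing timestamp missing or unparseable")

    reasons.extend(f"fraud signal: {s}" for s in fraud_signals)

    # Any reason means escalation; a later manual approval must be recorded
    # as a business decision, not as an IAL2 result.
    return Decision(accept_at_ial2=not reasons, reasons=reasons)


# Constructed sample records (not real Vouched output).
NOW = datetime(2026, 2, 18, 16, 0, tzinfo=timezone.utc)
GOOD = {"ial2Compliant": True, "phoneMatch": True, "emailMatch": True,
        "idvSuccess": True, "dlvSuccess": True, "crosscheckLinked": True,
        "proofedAt": "2026-02-18T15:00:00+00:00"}
# Crosscheck Job ID was never linked, and one flag arrived as a string.
BAD = dict(GOOD, crosscheckLinked=False, dlvSuccess="true")

if __name__ == "__main__":
    for label, rec in (("good", GOOD), ("bad", BAD)):
        d = evaluate_proofing_result(rec, signature_valid=True, now=NOW)
        print(label, d.accept_at_ial2, d.reasons)
```

Store the returned reasons with the decision so that a job escalated to manual review is never later reported downstream as an IAL2 result.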

Responsibility and disclaimers
Vouched provides identity proofing services that produce verification results. Relying parties and customers remain responsible for downstream decisions, risk acceptance, and compliance with applicable laws. Vouched’s TOS and Order Form define the contractual allocation of responsibilities and disclaimers; these terms are incorporated by reference.

Independent assessment requirement
Relying parties must independently determine whether IAL2 meets their regulatory, contractual, and operational risk requirements. Vouched provides verification artifacts and guidance, but cannot determine a Relying Party’s risk acceptance. Relying parties should document their acceptance criteria and, where necessary, consult legal or compliance advisors.

Statements

  • Statement of Warranties - provided for under our Terms of Service section 5
  • Statement of Liabilities - provided for under our Terms of Service section 7
  • Procedures for notification of changes to terms and conditions - provided for under our Terms of Service section 10.8

Service Termination

Customer-Initiated Termination

You may discontinue IAL2 services by contacting your Vouched customer service manager or emailing [email protected].

Upon termination:

  • New jobs will no longer be evaluated for IAL2 compliance.
  • Historical IAL2 results remain available in accordance with data retention policies to the extent the monthly maintenance and support fee is paid timely.

Vouched-Initiated Suspension or Termination

Vouched may suspend IAL2 services if required workflow controls are bypassed, integration requirements are not followed, or customers violate their obligations under the Terms of Service as detailed in Section 9.

Customers will be notified where practicable.

Availability

Technical Support Service Level Agreement (SLA)

Standard Support: Monday–Friday, 8am–8pm ET

Technical Support Commitments. Vouched will use commercially reasonable efforts to adhere to the response times (measured from the time Vouched first becomes aware of the Error) for Errors as set forth in the table below. A Vouched support representative will determine the severity level based on the description provided by the Subscriber contacts. Subscriber contacts will ensure that each support case submitted provides contact information for the Subscriber contact most familiar with the issue.

| Priority Level | Priority Definition | Initial Response Times |
|---|---|---|
| P0-Critical | A critical failure in the operational activity of the Services, or an Error that causes the Services to be severely impacted or completely shut down, or Subscriber use of the Services is impossible, where no workaround is available. | 1 Business hour |
| P1-High | Errors include high-impact issues in which the Services are inoperative or seriously degraded where a short-term workaround is available. | 4 Business hours |
| P2-Medium | The Error limits the functionality or usefulness of the Services, but the condition is not critical to the continued operation of the Services. A workaround is readily available and can be applied or used with little or no operational impact. | 2 Business days |
| P3-Low | Minimal problems in the Services arising from a misleading or unsatisfactory component or feature. The problem can be circumvented with no operational impact and there are no data integrity issues. | 5 Business days |

Uptime SLA:

Definitions. The following defined terms apply to this Service Level Agreement for the Services APIs (as defined below) (“SLA”).

“Actual Quarterly Availability Percentage” = (A-B)/A, where:

  • A = Total Quarterly Time (as defined below), and
  • B = Unavailable Quarterly Time (as defined below).

“Quarterly Availability Percentage Threshold” means the applicable percentage set forth in the table in Service Commitments, “Quarterly Availability Percentage Threshold.”

“Services APIs” means, collectively, the Vouched Services APIs (as defined below).

“Service Credit” means the credit that Subscriber is eligible to request if (a) the Actual Quarterly Availability Percentage is less than the applicable Quarterly Availability Percentage Threshold. A Service Credit is calculated by multiplying the applicable percentage set forth in Service Commitments by the fees Subscriber actually incurs for the affected Vouched Services APIs for the applicable calendar month.

“Start Time” means the time at which Vouched first becomes aware of an Error.

“Total Quarterly Time” means the total number of minutes in the applicable calendar quarter.

“Unavailable Quarterly Time” means the number of minutes in the applicable calendar quarter during which the Vouched Services APIs were unavailable for use. Unavailable Quarterly Time does not include Excluded Quarterly Times (as defined below).

“Vouched Services APIs” means the application programming interfaces.

API Service Commitment

| Service | Quarterly Uptime Percentage Threshold | Service Credit |
|---|---|---|
| Services APIs | 99.9% | 10% credit equivalent |

Subscriber will be notified of status updates at https://status.vouched.id/ for the Vouched Services APIs. Subscriber will be notified of technical service requests through a support email.

Services APIs Exclusions. Notwithstanding anything to the contrary in this Agreement, no Unavailable Quarterly Time will be deemed to have occurred if it: (a) is caused by factors outside of Vouched’s reasonable control, including, without limitation, data provider-related problems or issues, Internet access or related problems occurring beyond the point in the network where Vouched maintains access and control over the Services APIs; (b) results from any actions or inactions of You or any third party (except for Vouched’s agents and subcontractors); (c) results from any Your Application(s), Your equipment, software, or other technology, add-on services, or third-party equipment, software, or other technology (except for equipment within Vouched’s direct control); (d) occurs during Vouched’s scheduled maintenance for which Vouched will provide at least twenty-four (24) hours prior notice; (e) occurs during Vouched’s emergency maintenance (maintenance that is necessary for purposes of maintaining the integrity or operation of the Services APIs), regardless of the notice provided by Vouched; (f) results from any Services APIs that are identified as alpha, beta, not generally available, limited release, developer preview, or any similar Services APIs offered by Vouched; or (g) is less than five (5) minutes of continuous unavailability in duration (collectively, “Excluded Quarterly Times”). This SLA does not apply to any products and services, or versions thereof, that are (i) no longer available or supported.

Support contact: [email protected]

Applicable Fees

  • Pricing is provided upon request as pricing is based on volume and commitment levels. Standard pricing for this service is $3.00 per transaction.

Questions?

If you are planning an IAL2 integration or need implementation guidance, contact your Vouched representative or [email protected].