While IAL3 has been around for numerous years, it will eventually be replaced with more advanced assurance levels. NIST may keep the structure the same, with 1–3 levels, and use SP 800-63, Revision 4, as the reference order. But as an industry, companies should not wait for an institution to advance their own security posture and remain in parity; instead, it may require more innovative solutions. Eventually, technology will outpace many written guidelines, and businesses will need to be prepared for even more rapid changes.
IAL3 is a highly secure publication from NIST and is likely to remain in place for many years. The level of checks required has placed it as the strongest foundation and identity verification that many companies can achieve. The other assurance levels are higher than at the top-secret level and above for government bodies that consider more than a single in-time verification and years of identity data, along with many other factors.
Just-in-time identity verification will continue to grow exponentially, as it offers greater scalability and faces a much more immediate threat from new AI attacks. We will focus more on in-time verifications, as the other types typically infringe on privacy and become overly burdensome for large populations to complete.
The Constraints of Current IAL3 Models
To better understand the evolution of identity verification, it is helpful to examine forward-looking options that may become viable in the coming decades. Specifically, these are proof-of-concept ideas that are projected to become practical solutions within the next 10–20 years.
To begin this exploration, it is important to identify a major constraint and shortcoming associated with current IAL3 options. In particular, the fixed kiosk model appears unlikely to be sustainable in the long term. As a stationary system, it remains susceptible to significant security vulnerabilities and fails to incorporate the security enhancements offered by more flexible, mobile alternatives.
Notably, dynamic solutions have consistently outperformed static models, suggesting that fixed kiosks will remain relevant only in limited use cases in the foreseeable future. Additionally, their confinement to one location and insufficient integrity checks represent persistent weaknesses, leaving them vulnerable to increasingly sophisticated, targeted attacks.
IAL4: Drone-Based Identity Verification
We will define hypothetical future identity assurance levels 4 and 5, as there is no agreed-upon definition for them in 2026.
For the first option for dynamic IAL4 verifications, we can look to deploy drones at specific locations. While in its infancy today, solutions like drone delivery to a home would provide immediate verification for many workers without requiring any travel. These are already being tested by companies like Amazon to deliver in less than an hour. Verifying the home residence and legal address already provides troves of intelligence over a public fixed location.
Next, the user could simply be requested to complete the IAL4 verification by stepping out their front door and using an extremely high-definition camera to capture their biometrics and identity documents. Again, this solution would need to be expandable and offer options for additional identity checks, such as reading a PIV card or performing cryptographic verifications, which require near-device communication.
There are many ways around this in the future, with longer-distance readers and even temporarily delivered devices that are returned once the verification session is complete. A person could simply place their passport in a secure, tethered container on the drone, and the drone verifies the passport's authenticity seamlessly while keeping the data private from others. Again, many factors would need to be considered, as drones require more stringent regulatory oversight and must deal with multiple issues, such as weather.
IAL4: Autonomous Ground Bots for Identity Proofing
A complementary solution with drones would be robot delivery bots, very similar to the autonomous ones currently delivering food directly to homes, such as DoorDash's Dot. Again, this solution could be adjusted to support a high level of identity assurance. It can operate in a wider range of locations and is quick to deploy through safe mechanisms. The deployment would face many other limitations, with coverage restricted to where the bots can reach.
The bot would operate similarly to a drone, with the ability to even enter a home to complete the IAL4 session. With this type of system, legal, liability, and privacy concerns will be paramount to address before deployment. While this may seem dystopian with an army of bots entering homes and verifying people, there would have to be countless controls and checks in place to ensure the privacy and security of people who request this type of verification.
Instead of delivering a meal on wheels, it is identity on wheels with a quick biometric scan and a tap of your identity document to the bot, and it's off to the next verification delivery. The coverage area could be greatly expanded, too, with a combination of drones and on-ground deployments: a dropship could house the smaller ground kits and deploy them rapidly to on-site locations, bypassing roads.
Air-based solutions will be the priority, but their size and safety will be the critical limiting factors. A flying drone is much more dangerous than a ground bot, which pushes this overall solution farther into the future.
IAL5 and Beyond: Humanoid Robot Verification
IAL5 and beyond start to delve into the humanoid aspect of bots. Many companies are developing full-on humanoid robots to interact with people and environments. While initial interactions will remain robot-like and easily distinguishable from a human, they will eventually become more advanced.
In the future, a humanoid bot could be on standby to verify identities at any time if they are again in multiple locations. Again, it's not unforeseeable that one day a robot could be sitting next to you on a flight, traveling to verify another human. This experience would make it an interview process that is like that performed by a human today during a supervised in-person identity verification session. A person can either meet the robot at a specific destination or have it travel to their home.
In the far future, humanoid robots will become visually indistinguishable from humans and will be even harder to identify as robots. Only through new tools and techniques will people be able to differentiate the identities. This scenario then opens up even more opportunities for passive verification by humanoid robots as people interact with others day to day.
The amount of data and the scalability of using these robots will be immense, dramatically reducing identity assurance costs while increasing security levels. To most people, this type of surveillance and oversight should be draconian and avoided. Companies and governments will need to be extremely careful with the technology they deploy, as it will become easily abused by good and bad actors.
Conclusion
We reviewed some forward-thinking identity verification options that are likely to emerge, in one form or another. A key to any high-assurance identity solution is a separate party that controls the entire proofing process from software to hardware, as the days of BYOD have long been exploited and are untrustworthy. The existing problems posed by advanced AI and bad actors require novel techniques to address them. Current-day verifications are already seamless for most to complete, and these more extensive verifications will be reserved for limited subsets of groups when sensitive information must be protected.