What does AAL2 mean?

What does AAL2 mean? Is AAL2 the same as 2FA?

AAL2 requires the use of two authentication factors, either (1) a physical authenticator and a memorized secret, or (2) a physical authenticator and a biometric that has been associated with it. Multi-factor authentication can be performed using either a multi-factor authenticator or through the use of two independent authenticators.

As detailed below, there are restrictions on the use of biometrics, in particular that they must be securely bound to a specific physical authenticator. For this reason, a memorized secret plus a biometric is not an acceptable combination for authentication.

In addition to the requirement for two authentication factors at AAL2, there are additional requirements relating to the authentication and the session. These include:

  • shorter reauthentication time,

  • replay resistance,

  • FIPS 140 Level 1 for authenticators supplied by government agencies, and

  • authentication intent (recommended).

Multi-factor authenticators use an additional factor, either something you know or something you have, to unlock a secret that is stored in the (physical) authenticator.

Multi-factor authentication (MFA) is widely recognised as one of the most effective ways to protect data and accounts from unauthorised access. Lack of MFA is a common factor involved in cyber attacks, and accordingly the National Cyber Security Centre (NCSC) and the ICO consistently reinforce the need for comprehensive MFA coverage as an essential defence.

Therefore NHS England wants MFA to be used on digital systems throughout the health sector. Requiring AAL2 helps us to meet this goal and ensure authentication processes are strong enough to provide high confidence that a user logging in is who they claim to be. NHSE follows industry best practice guidance regarding the strength of different authentication methods.

For further information on NHS MFA policy and guidance, see https://digital.nhs.uk/cyber-and-data-security/guidance-and-assurance/multi-factor-authentication-mfa-policy

A standard Active Directory login accessed by username and password is single-factor authentication, so it cannot meet AAL2 on its own. Limiting access to a particular network does not provide a second credential bound to the individual user: an attacker who obtained a user’s password would be able to hijack that user’s identity through any device on that network.
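The combination rules set out above (two factors, physical authenticator plus memorized secret or plus a biometric bound to it, no memorized secret plus biometric, a single multi-factor authenticator counting as two factors, and a network restriction counting as nothing) can be written down as a small policy check. The following is an added example, not code from NHS England or from the NIST guidance; the `Authenticator` model, the `Kind` names and the sample credentials are assumptions made for illustration, and the reauthentication, replay-resistance and FIPS 140 requirements are out of scope for it.

```python
# Added example (not part of the NHS England FAQ): a policy checker that
# applies the AAL2 factor-combination rules described in the FAQ text.
# The Authenticator model, Kind names and sample credentials are assumed.
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Sequence, Tuple


class Kind(Enum):
    MEMORIZED_SECRET = "memorized secret"      # something you know
    PHYSICAL = "physical authenticator"        # something you have
    BIOMETRIC = "biometric"                    # something you are
    NETWORK_LOCATION = "network restriction"   # not a credential at all


@dataclass(frozen=True)
class Authenticator:
    name: str
    kind: Kind
    # For a biometric: the physical authenticator it is securely bound to.
    bound_to: Optional[str] = None
    # For a multi-factor physical authenticator: the factor that unlocks the
    # secret stored in the device (memorized secret or biometric).
    unlocked_by: Optional[Kind] = None


def meets_aal2(used: Sequence[Authenticator]) -> Tuple[bool, str]:
    """Return (ok, reason) for the authenticators presented in one login."""
    # A network restriction is not a credential bound to the user, so it
    # contributes no factor; drop it before counting anything.
    creds = [a for a in used if a.kind is not Kind.NETWORK_LOCATION]
    physical = [a for a in creds if a.kind is Kind.PHYSICAL]
    secrets = [a for a in creds if a.kind is Kind.MEMORIZED_SECRET]
    biometrics = [a for a in creds if a.kind is Kind.BIOMETRIC]

    # Route 1: a single multi-factor authenticator whose stored secret is
    # unlocked by a second factor.
    for p in physical:
        if p.unlocked_by in (Kind.MEMORIZED_SECRET, Kind.BIOMETRIC):
            return True, (f"multi-factor authenticator {p.name!r} "
                          f"unlocked by {p.unlocked_by.value}")

    # Route 2: two independent authenticators. Both acceptable combinations
    # include a physical authenticator, so without one nothing else helps.
    if not physical:
        if secrets and biometrics:
            return False, ("memorized secret plus biometric is not an "
                           "acceptable AAL2 combination")
        return False, "no physical authenticator: single-factor at best"

    if secrets:
        return True, (f"physical authenticator {physical[0].name!r} plus "
                      f"memorized secret {secrets[0].name!r}")

    physical_names = {p.name for p in physical}
    bound = [b for b in biometrics if b.bound_to in physical_names]
    if bound:
        return True, (f"physical authenticator {bound[0].bound_to!r} plus "
                      f"biometric securely bound to it")
    if biometrics:
        return False, ("biometric is not securely bound to the physical "
                       "authenticator used")
    return False, "physical authenticator only: single factor"


# Constructed sample credentials (names are illustrative).
AD_PASSWORD = Authenticator("AD password", Kind.MEMORIZED_SECRET)
TRUST_NETWORK = Authenticator("hospital LAN", Kind.NETWORK_LOCATION)
OTP_TOKEN = Authenticator("hardware OTP token", Kind.PHYSICAL)
TOKEN_FINGERPRINT = Authenticator("token fingerprint sensor", Kind.BIOMETRIC,
                                  bound_to="hardware OTP token")
LAPTOP_FACE = Authenticator("laptop face unlock", Kind.BIOMETRIC)  # unbound
SMARTCARD_PIN = Authenticator("smartcard", Kind.PHYSICAL,
                              unlocked_by=Kind.MEMORIZED_SECRET)

if __name__ == "__main__":
    cases = [
        ("password only", [AD_PASSWORD]),
        ("password on trusted network", [AD_PASSWORD, TRUST_NETWORK]),
        ("password + OTP token", [AD_PASSWORD, OTP_TOKEN]),
        ("OTP token + bound fingerprint", [OTP_TOKEN, TOKEN_FINGERPRINT]),
        ("password + unbound face unlock", [AD_PASSWORD, LAPTOP_FACE]),
        ("OTP token + unbound face unlock", [OTP_TOKEN, LAPTOP_FACE]),
        ("PIN-unlocked smartcard", [SMARTCARD_PIN]),
    ]
    for label, combo in cases:
        ok, why = meets_aal2(combo)
        print(f"{'PASS' if ok else 'FAIL'}  {label}: {why}")
```

Running the module prints one PASS/FAIL line per sample login; the "password on trusted network" case fails for the reason given in the paragraph above, because the network restriction is discarded before any factor is counted, leaving the password as the only credential.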

The AAL2 definition originates from here: Authenticator Assurance Levels (see section B.3.2).