- 23rd June, 2026
- By Rob Wallace
What IP3 and Assurance Level 3 Accreditation Actually Means for Digital Identity
As more businesses move critical processes online, proving someone’s identity securely has become more important than ever. But choosing an identity verification provider is not always straightforward; many providers claim to be secure, yet few can demonstrate compliance against a government-recognised standard.
As more businesses move critical processes online, proving someone’s identity securely has become more important than ever. But choosing an identity verification provider is not always straightforward; many providers claim to be secure, yet few can demonstrate compliance against a government-recognised standard.
Achieving IP3 and AL3 accreditation is not simply a compliance checkbox. It demonstrates that a provider can accurately verify a person’s identity and securely authenticate the same person over time. This article explains what IP3 and AL3 accreditation means, why it matters for digital identity verification, and how it changes what businesses should expect from their identity verification providers.
Digital Accreditation Under the Digital ID Act Is Not a Rubber Stamp
The Digital ID Act establishes a trusted, government-backed framework for verifying and authenticating identity across Australia. Getting accredited under it is not a formality.
IP3 Identity Proofing Level 3 means a provider has demonstrated it can bind a real, verified person to a digital ID with a level of rigour that satisfies federal standards. The process requires structured governance, independent testing, and a compliance investment that most organisations significantly underestimate going in.
Assurance Level 3 takes it further. Where IP3 covers the creation of a verified identity, AL3 governs how that person is authenticated every time they return to use it. Together, they represent the ceiling of what certified digital identity verification in Australia currently offers.
For businesses evaluating ID verification services, the distinction matters. Accreditation at this level signals that a provider has been tested, not just inspected. Independent parties have verified the system performs as claimed, consistently, under scrutiny, at scale. General industry experience shows that a significant portion of identity verification providers operate without formal accreditation, indicating that the accountability gap between certified and uncertified services is real and widening.
AL3 Makes Liveness Detection the New Authentication Standard
One of the most consequential shifts that comes with Assurance Level 3 accreditation is what it does to authentication, specifically, what it allows to replace the one-time password. OTPs have been a default fallback for business verification services for years. They're familiar, easy to implement, and increasingly inadequate. Here's what an OTP actually confirms and what it doesn't:
It confirms device access if someone has the phone in their hand at that moment
It cannot confirm identity; it has no way of knowing who is holding the device
It cannot detect a handoff if a digital ID is created by one person and the phone is passed to another; an OTP will not catch it
It authenticates a SIM card, not a human, which is a fundamental flaw for any high-stakes verification scenario.
Liveness detection at AL3 closes every one of those gaps. The technology authenticates the person, not the device. Each time verification is required, the liveness detector confirms that the individual presenting themselves is the same person who originally created the digital ID. For organisations that need certainty, not just probability, that the right person is on the other end of a transaction, this is the standard that digital identity verification now needs to meet.
For business verification services operating in regulated environments, this shift is significant. Device access is no longer sufficient proof of identity when the stakes are high enough. AL3 accreditation formally recognises liveness-based authentication as the benchmark and OTPs as the floor, not the ceiling.
How Accreditation at This Level Gets Done
Digital accreditation at IP3 and AL3 doesn't happen through a single audit or a product submission. It's a sustained, structured compliance process and understanding what it involves helps explain why so few providers have achieved it.
The process requires a dedicated compliance function, external oversight from the accreditation authority, independent system testing, and a development team capable of building to government-level technical specifications without cutting corners. Every layer of the system, from how identity is captured and bound to how authentication is handled at each subsequent interaction, has to be verified by parties outside the organisation.
Third-party testing is particularly critical. It's what separates a system that claims to meet the standard from one that demonstrably does. Under the Digital ID Act framework, testing has to be conducted at defined levels of rigour, documented, and reviewed before accreditation is granted. For organisations evaluating digital identity verification providers, asking whether third-party testing was conducted and by whom is one of the most useful due diligence questions available.
The investment required is also not trivial. Both in capital and in the organisational bandwidth needed to carry a compliance process of this scale across the finish line. That context matters when comparing accredited and non-accredited ID verification services on price alone.
Ratify ID's IP3 and AL3 Achievement: What It Unlocks
Achieving IP3 and AL3 accreditation means Ratify ID’s liveness detection technology is now recognised under Australia’s Digital ID Act as meeting the highest available identity verification and authentication standards.
The accreditation creates new possibilities for businesses that require stronger identity assurance. Processes that previously depended on manual verification or physical presence can now be completed through a certified digital identity verification platform, providing a more secure and efficient way to verify individuals.
This opens the door for use cases where identity accuracy is critical, including regulated access, accredited criminal history checks, and high-security environments such as defence facilities. In these situations, knowing that the person accessing a service is the same person whose identity was originally verified is essential.
The achievement followed an 18-month compliance and testing process involving internal governance teams, independent system testing, accreditation oversight, and technical delivery from Ratify ID’s development team. With IP3 and AL3 accreditation confirmed, Ratify ID’s platform is now positioned to support higher-assurance identity verification scenarios where trust, security, and compliance are non-negotiable.
What Businesses Should Now Expect From Identity Verification Services
IP3 and AL3 accreditation raise the floor for what serious digital identity verification looks like. If your organisation handles regulated access, sensitive transactions, or any scenario where the legal weight of identity verification matters, your provider's accreditation tier is no longer a secondary consideration.
IP3 confirms the identity was bound correctly at creation. AL3 confirms the same person keeps showing up. Together, under the Digital ID Act, they represent a verified chain of identity that one-time passwords and unaccredited business verification services simply cannot replicate
If your organisation needs identity verification that meets the Digital ID Act's highest standards for regulated access, criminal history checks, or high-security environments, reach out to Ratify ID to see what their IP3- and AL3-accredited platform can do for your use case.