In the cybersecurity industry, security operations centers (SOCs) are a favorite target for advanced attackers. Why bother hacking into client companies one by one, when compromising the workstation of a single analyst at their managed security service provider (MSSP) hands over the keys to dozens of infrastructures at once?
To counter this systemic threat, protecting the supervision portal with a simple username/password pair today constitutes professional negligence. NIST in the United States (SP 800-63B) defines standardized authentication trust levels under the acronym AAL (Authenticator Assurance Level), and ANSSI in France publishes comparable guidance. Learn the vital difference between AAL1 and AAL2, and how this standard protects your SOAR platform.
What is the Authenticator Assurance Level (AAL)?
The AAL scale expresses how much confidence a system can place in the authentication event itself, i.e. that the person logging in actually controls the authenticators bound to the account. (It says nothing about how the identity was verified at enrollment, which is a separate scale.) The higher the level, the more "sure" the system is that the user is who they say they are.
AAL1: The simple proof of control
AAL1 (Level 1) is the lowest level and the de facto default on the Internet. It requires proof of control of only a single factor, usually what you know (a password).
In a SOC platform like Akuity, correctly entering an email and a valid password immediately grants an AAL1 session token (JWT). However, if that password was intercepted via a targeted phishing campaign or stolen by infostealer malware, the attacker obtains the same AAL1 token without any difficulty. This level is therefore insufficient for critical remediation operations.
AAL2: The proof of multi-factor control (MFA)
The AAL2 (Level 2) assurance level requires proof of control of a second, distinct factor, i.e. what you have (a smartphone generating a TOTP code or a physical security key). NIST also defines an AAL3, which requires a hardware-based cryptographic authenticator; the rest of this article concerns the AAL1-to-AAL2 boundary.
To reach this level of trust in Akuity SOC, the AAL1 user must validate a 6-digit code generated by their authenticator application. Once the code is validated, the system issues a new JWT into which the claim "aal": "aal2" is injected.
Strict application of AAL2 in a SOC orchestrator
Why is this technical distinction fundamental? Because a SOAR (Security Orchestration, Automation, and Response) orchestrator has the power to trigger destructive commands.
If an attacker obtains an analyst's password (an AAL1 session), they could theoretically:
- Isolate your customers' production servers via Intune (Denial of Service).
- Revoke the sessions of all cloud administrators in the tenant.
- Inject aberrant blocklists into Defender for Endpoint.
To make this scenario impossible, the Akuity SOC architecture enforces strict privilege segregation based on JWT token claims.
Blocking at the interface and backend level
Any session that remains at level aal1 (even if the password is correct) is denied access to the operational cockpit. The interface (frontend) grays out the action buttons, but the real security is on the server side: if an API request attempts to initiate the action isolateDevice with an AAL1 token, the backend rejects the call with a 403 Forbidden error, whatever the UI showed.
Elevation to AAL2 thus becomes the essential security barrier: only the person holding the analyst's enrolled smartphone can generate the 6-digit code valid for the current 30-second window. One caveat a practitioner should keep in mind: a TOTP code can still be relayed by a real-time phishing proxy, and a seed stored in a desktop authenticator can be stolen by the same infostealer that took the password. Phishing-resistant authenticators such as FIDO2 security keys close that gap, and the backend check on the aal claim must be the same either way.
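The step-up flow and the backend gate described above, as an added example written for this article (it is not Akuity code and does not reproduce their implementation): a password login yields a JWT carrying "aal": "aal1", a valid RFC 6238 TOTP upgrades it to a fresh token with "aal": "aal2", and the server refuses destructive SOAR actions to anything else. Everything is standard-library Python; the signing key, the TOTP seed and the action names other than isolateDevice are constructed for the demo, and the success response doubles as the audit record carrying the session's MFA level.

```python
# Added example (not Akuity code): AAL1 -> AAL2 step-up and backend enforcement.
# Signing key, TOTP seed and all action names except isolateDevice are assumed.
import base64
import hashlib
import hmac
import json
import struct
import time

SIGNING_KEY = b"demo-hs256-key-do-not-use-in-production"   # constructed for the demo
TOTP_SECRET = b"demo-totp-seed-12345"                       # constructed for the demo
SESSION_TTL = 3600
# isolateDevice comes from the article; the other two names are assumptions.
DESTRUCTIVE_ACTIONS = {"isolateDevice", "revokeAllSessions", "pushBlocklist"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict) -> str:
    """Compact HS256 JWT: base64url(header).base64url(payload).base64url(mac)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def verify_token(token: str, now=None) -> dict:
    """Return the claims or raise ValueError. The MAC is always recomputed with
    HS256, so an attacker-controlled header (alg=none) cannot weaken the check."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits), as authenticator apps do it."""
    counter = struct.pack(">Q", int(at // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def login_with_password(user: str, now: float) -> str:
    """Step 1: password accepted (check elided) -> AAL1 session only."""
    return sign_token({"sub": user, "aal": "aal1", "amr": ["pwd"],
                       "iat": int(now), "exp": int(now) + SESSION_TTL})


def step_up(aal1_token: str, code: str, now: float, window: int = 1) -> str:
    """Step 2: a valid TOTP from the enrolled device yields a new AAL2 token.
    Tolerates +/- `window` time steps of clock drift; raises PermissionError otherwise."""
    claims = verify_token(aal1_token, now)
    candidates = [totp(TOTP_SECRET, now + i * 30) for i in range(-window, window + 1)]
    if not any(hmac.compare_digest(c, code) for c in candidates):
        raise PermissionError("invalid TOTP")
    return sign_token({"sub": claims["sub"], "aal": "aal2", "amr": ["pwd", "otp"],
                       "iat": int(now), "exp": int(now) + SESSION_TTL})


def authorize(token: str, action: str, now=None):
    """Backend gate, returns (status, body). Destructive actions need aal2 regardless
    of what the UI allowed; the success body is the audit record with mfa_level."""
    try:
        claims = verify_token(token, now)
    except (ValueError, KeyError):
        return 401, {"error": "invalid or expired token"}
    if action in DESTRUCTIVE_ACTIONS and claims.get("aal") != "aal2":
        return 403, {"error": "step-up required", "required_aal": "aal2", "action": action}
    return 200, {"action": action, "sub": claims["sub"],
                 "mfa_level": claims["aal"].upper(), "amr": claims["amr"]}


def forge_claim(token: str, **changes) -> str:
    """What a client-side edit of the payload produces: the MAC no longer matches."""
    header, payload, sig = token.split(".")
    claims = json.loads(_unb64url(payload))
    claims.update(changes)
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{sig}"


if __name__ == "__main__":
    now = time.time()
    t1 = login_with_password("analyst@example.com", now)
    print(authorize(t1, "isolateDevice", now))                            # 403
    t2 = step_up(t1, totp(TOTP_SECRET, now), now)
    print(authorize(t2, "isolateDevice", now))                            # 200, AAL2
    print(authorize(forge_claim(t1, aal="aal2"), "isolateDevice", now))   # 401
```

Two design points matter here. The gate keys off the signed aal claim, not off a flag the browser sends, so greying out a button is cosmetic and the 403 is the real control. And step-up mints a new token rather than mutating the old one, so a stolen AAL1 token never silently becomes AAL2. A production version would additionally remember each TOTP code already accepted for its time window (RFC 6238 asks for this) so a relayed code cannot be replayed, and would use a KMS-held key rather than a literal.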
The impact on compliance audits (SOC 2)
The systematic AAL2 level requirement is not just a defensive measure, it is also proof of compliance. During a SOC 2 Type II audit, you must prove that your privileged access is secure.
In the JSON audit logs generated by Akuity, the payload of each remediation explicitly includes the state of the analyst's session at the moment of firing: "mfa_level": "AAL2". This immutable record proves to the auditor that your two-factor mechanisms are not optional but systematic, enforced on the server side rather than left to the interface.
Conclusion: Zero trust, absolute control
The Zero Trust paradigm requires verifying every transaction, constantly. A stolen password should never give away the keys to your cyber kingdom. By backing the destructive capabilities of your SOAR with strict AAL2 assurance level verification, you guarantee that only the authentic and sovereign decisions of your analysts will be executed on your customers' infrastructure.
Protect your security team's operations. Find out how Akuity SOC MFA AAL2 Security Management locks access to your critical remediations.