AAL1 permits the use of any of the following authenticator types, which are defined in Section 5:
- Memorized Secret
- Look-up Secret
- Out of Band
- Single-factor One-Time Password (OTP) Device
- Multi-factor OTP Device
- Single-factor Cryptographic Software
- Single-factor Cryptographic Device
- Multi-factor Cryptographic Software
- Multi-factor Cryptographic Device

Communication between the claimant and verifier (the primary channel in the case of an Out of Band authenticator) SHALL be via an authenticated protected channel to provide confidentiality of the authenticator output and resistance to MitM attacks.

Authenticator Assurance Level 2

When a multi-factor authenticator is used, any of the following may be used:

- Multi-factor OTP Device
- Multi-factor Cryptographic Software
- Multi-factor Cryptographic Device

When a combination of two single-factor authenticators is used, it SHALL include a Memorized Secret authenticator and one possession-based (“something you have”) authenticator from the following list:

- Look-up Secret
- Out of Band
- Single-factor OTP Device
- Single-factor Cryptographic Software
- Single-factor Cryptographic Device
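
The authenticator-type rules above, written as a check a verifier could run over the authenticators presented in one session. This is an added example, not part of the guideline text; the names `aal_by_type` and `protected_channel` are assumptions, and the check covers only the type and channel rules quoted here, not the other requirements of each level.

```python
from enum import Enum

class Auth(Enum):
    MEMORIZED_SECRET = "Memorized Secret"
    LOOKUP_SECRET = "Look-up Secret"
    OUT_OF_BAND = "Out of Band"
    SF_OTP_DEVICE = "Single-factor OTP Device"
    MF_OTP_DEVICE = "Multi-factor OTP Device"
    SF_CRYPTO_SOFTWARE = "Single-factor Cryptographic Software"
    SF_CRYPTO_DEVICE = "Single-factor Cryptographic Device"
    MF_CRYPTO_SOFTWARE = "Multi-factor Cryptographic Software"
    MF_CRYPTO_DEVICE = "Multi-factor Cryptographic Device"

# AAL2, option 1: a single multi-factor authenticator.
AAL2_MULTI_FACTOR = frozenset({
    Auth.MF_OTP_DEVICE, Auth.MF_CRYPTO_SOFTWARE, Auth.MF_CRYPTO_DEVICE,
})
# AAL2, option 2: Memorized Secret plus one of these possession-based types.
AAL2_POSSESSION = frozenset({
    Auth.LOOKUP_SECRET, Auth.OUT_OF_BAND, Auth.SF_OTP_DEVICE,
    Auth.SF_CRYPTO_SOFTWARE, Auth.SF_CRYPTO_DEVICE,
})

def aal_by_type(names, protected_channel=True):
    """Return 0, 1 or 2: the highest level whose type rules the session meets.

    names: authenticator type names exactly as listed in the text.
    Raises ValueError for a type that is not one of the nine listed.
    """
    used = {Auth(n) for n in names}  # Enum value lookup rejects unknown types
    # Assumption of this sketch: a session that fails the authenticated
    # protected channel requirement is not rated at any level.
    if not used or not protected_channel:
        return 0
    if used & AAL2_MULTI_FACTOR:
        return 2
    if Auth.MEMORIZED_SECRET in used and used & AAL2_POSSESSION:
        return 2
    # Every listed type is permitted at AAL1. Two possession-based
    # single-factor authenticators without a Memorized Secret stay here.
    return 1

if __name__ == "__main__":
    # Constructed sample sessions.
    for session in (["Memorized Secret"],
                    ["Memorized Secret", "Out of Band"],
                    ["Look-up Secret", "Single-factor OTP Device"]):
        print(session, "-> AAL", aal_by_type(session))
```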