Core concepts for NZ online authentication

This section:

  • describes the organisational actors of the All-of-government Authentication model
  • describes the generic authentication processes that underpin the model
  • introduces some core concepts, such as 'keys'
  • outlines the Government Logon Service processes.

Introduction

In April 2004, the Design and Scoping phase of the Authentication project produced several key documents, including:


These deliverables identified two core concepts for the Authentication Project:

  • actors - the specific participants in the authentication process
  • verification and confirmation of identity processes - separating authentication into two discrete components.

These core concepts are detailed below.

Actors in the all-of-government authentication model

Figure 1: All-of-government authentication participants

Who are the actors?

These are the actors in the all-of-government authentication model:

  • service user - the person who interacts with agencies to access services via the Internet. A service user is also referred to as an agency's customer.
  • key provider - an organisation accredited to issue and manage client logons; when requested by a legitimate agency, the key provider confirms that a key is valid and current. A key may also be referred to as a 'logon'.
  • service agency - the agency that delivers the online service to the client after verifying their eligibility.
  • government logon service - the web site that acts as an intermediary between the service user and the service agency, and through which authentication transactions pass.
  • identity verification service - manages and holds ID credentials (the exact shape of this service is still being designed and will not be operational in the Initial Implementation phase).

What are the generic authentication process steps?

These are the two main steps in the authentication process:

  • Evidence of identity
  • Confirming identity

Evidence of identity

The first step in authentication is a 'one off' process whereby an individual provides evidence to register or establish their identity. Producing a birth certificate and/or having trusted people in the community sign a photo are common examples. Registering an identity may result in the creation of an 'identity (ID) credential' like a passport. A person's ID credential is:

  • a recorded set of verified identity attributes
  • unique to each person
  • only presented to prove one's identity.

For Initial Implementation, the evidence of identity process remains with the service agency.

Confirming identity

The second step in authentication is a repeated process, which involves using an authentication method to confirm identity. An authentication method is commonly called a 'key' or 'logon'. A common online example is using a username and password to verify your identity when accessing your Internet banking service. The service confirms users' identity using a 'key' (or 'logon'), such as a username/password or a digital certificate.

What are Keys?

As noted, the term 'key' is used as a metaphor for an authentication method such as a username/password or a digital certificate. A key is:

  • used as a convenient means for a service user to demonstrate ownership of an identity
  • presented to access a service that needs to identify its users.

The key itself does not contain any identity details.

For the Government Logon Service, each key is assigned a unique Key Serial Number. A particular key always has the same Key Serial Number.

The Key Serial Number is then extended to create a Modified Key Serial Number. The Modified Key Serial Number derived from a given Key Serial Number varies with the agency at which it will be used, so that each key-agency combination has its own unique Modified Key Serial Number. This is explained further in the design section.

What are the Government Logon Processes?

The Government Logon Service design uses the two process steps described above and breaks them out into the following three sub-processes:

1. registration

    a. evidence of identity is established
    b. a key is issued

2. first-time service - service agencies verify identity on a user's first access and link the identity data to the key details

3. repeat service - service agencies confirm the identity of users on subsequent accesses.

The Initial Implementation phase for the Government Logon Service is only concerned with steps 1b, 2 and 3.
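The following is an added example that models the three sub-processes above (step 1b key issue, step 2 first-time service, step 3 repeat service) together with the Key Serial Number / Modified Key Serial Number distinction from the 'What are Keys?' section. It is not the Government Logon Service's own code; the class names, the password handling and the derivation of the Modified Key Serial Number as a keyed hash over the Key Serial Number and an agency identifier are all assumptions made for illustration. What it demonstrates is the property the text describes: one key keeps one Key Serial Number, each agency receives a stable identifier that differs from every other agency's, and an agency holds only the link between that identifier and its own identity data, never the key itself.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the Government Logon Service sub-processes.
# The keyed-hash derivation of the Modified Key Serial Number (MKSN) and the
# password storage scheme are assumptions, not the service's actual design.


class GovernmentLogonService:
    """Issues keys (step 1b) and, at logon, hands an agency a per-agency
    Modified Key Serial Number rather than the key or its serial number."""

    def __init__(self, derivation_secret: bytes) -> None:
        # Assumed secret held only by the logon service, so an agency cannot
        # recompute another agency's identifiers for the same key.
        self._derivation_secret = derivation_secret
        # username -> (Key Serial Number, salt, password hash)
        self._records: dict[str, tuple[str, bytes, bytes]] = {}

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def issue_key(self, username: str, password: str) -> str:
        """Step 1b: issue a username/password key and assign its Key Serial Number."""
        if username in self._records:
            raise ValueError("a key has already been issued for this username")
        ksn = secrets.token_hex(8)          # unique, fixed for the life of the key
        salt = secrets.token_bytes(16)
        self._records[username] = (ksn, salt, self._hash_password(password, salt))
        return ksn

    def modified_ksn(self, ksn: str, agency_id: str) -> str:
        """Derive the agency-specific identifier; stable per (key, agency) pair."""
        message = f"{ksn}|{agency_id}".encode()
        return hmac.new(self._derivation_secret, message, hashlib.sha256).hexdigest()

    def logon(self, username: str, password: str, agency_id: str) -> Optional[str]:
        """Confirm the key and return this agency's MKSN, or None on failure."""
        record = self._records.get(username)
        if record is None:
            return None
        ksn, salt, stored_hash = record
        if not hmac.compare_digest(stored_hash, self._hash_password(password, salt)):
            return None
        return self.modified_ksn(ksn, agency_id)


@dataclass
class ServiceAgency:
    """Holds the identity link only; never sees the KSN or the password."""

    agency_id: str
    links: dict[str, dict] = field(default_factory=dict)  # MKSN -> identity data

    def first_time_service(self, mksn: str, identity: dict) -> None:
        """Step 2: after the agency's own evidence-of-identity check, link identity to key."""
        self.links[mksn] = identity

    def repeat_service(self, mksn: str) -> Optional[dict]:
        """Step 3: confirm a returning user from the stored link, if one exists."""
        return self.links.get(mksn)


def run_scenario() -> dict:
    """Walk one user through steps 1b, 2 and 3 at two agencies; return the observations."""
    gls = GovernmentLogonService(derivation_secret=b"constructed-demo-secret")
    agency_a = ServiceAgency("agency-A")
    agency_b = ServiceAgency("agency-B")

    gls.issue_key("jane", "correct horse battery staple")   # step 1b
    mksn_a = gls.logon("jane", "correct horse battery staple", agency_a.agency_id)
    mksn_b = gls.logon("jane", "correct horse battery staple", agency_b.agency_id)
    unlinked_before_first_time = agency_a.repeat_service(mksn_a) is None

    identity = {"name": "Jane Example", "client_no": "A-0001"}  # constructed
    agency_a.first_time_service(mksn_a, identity)                # step 2
    confirmed = agency_a.repeat_service(mksn_a)                  # step 3

    return {
        "stable": mksn_a == gls.logon("jane", "correct horse battery staple", "agency-A"),
        "pairwise_unique": mksn_a != mksn_b,
        "bad_password_rejected": gls.logon("jane", "wrong", "agency-A") is None,
        "unlinked_before_first_time": unlinked_before_first_time,
        "repeat_confirmed": confirmed == identity,
        "unknown_at_other_agency": agency_b.repeat_service(mksn_a) is None,
    }


if __name__ == "__main__":
    for check, ok in run_scenario().items():
        print(f"{check}: {ok}")
```

Because the Modified Key Serial Number is computed with a secret held by the logon service, an agency that receives one cannot derive the Key Serial Number or any other agency's identifier from it; whether the actual design achieves this the same way is left to the design section the text refers to.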

Later phases will establish an Identity Verification Service to manage and hold electronic identity credentials. This Identity Verification Service will address 1a, but for this phase of the project, identity management will remain the responsibility of the service agency.

It should also be noted that service entitlement and authorisation, the mechanisms for allowing people to use a particular service or any aspect of it once their identity has been verified, are outside the scope of the All-of-government Authentication Service. Entitlement and authorisation functions remain with the service agency.

Until the Identity Verification Service is available, agencies are encouraged to consult the following published documents to help standardise the identity management process:

