Networking government in New Zealand.

4 Context

4.1.1 The ability for individuals across government to collaborate and share information and services is clearly an essential element of E-government. This requirement is both broad (spanning all agencies) and deep (in the sense that it encompasses all levels of information and security).

4.1.2 The extent of required external access to government systems varies considerably. Some agencies have a substantial requirement to collaborate across agency boundaries (e.g. The Treasury) while others are likely to have a much lower percentage of inter-agency communications. At the other end of the scale, private sector agencies may have only a single consultant needing to use an application on behalf of a government agency. A successful authentication infrastructure should be cost-effective in all these environments.

4.1.3 If systems are to support these goals successfully, it must be possible to authenticate individuals across government, so that appropriate access to systems can be authorised in every case and all access attempts can be audited. In this context, authentication means the unambiguous identification of an individual.

4.1.4 The most commonly used method of authentication at present is a combination of username and password. This has a number of drawbacks, the most serious of which is the potential need to remember a different username/password combination for every system that a user wishes to access. There is a general desire to avoid the proliferation of usernames and passwords, and to pursue a goal of 'single sign-on', whereby users authenticate themselves ('log on') once only and are then granted access by some central system to the services they wish to use. In addition, passwords as generally used have a number of insecurities, and many can be 'broken' by commonly available password-cracking programs.

4.1.5 Single sign-on has a number of implications. If it is made too easy, then sensitive systems or information may be at risk from unauthorised access. Conversely, if it is too stringent, then usability suffers. The strength of authentication mechanisms should be set in order to minimise the possibility of unauthorised access to systems, to the extent appropriate for the sensitivity of the information to be protected.

4.1.6 Authentication mechanisms need to be cost-effective and easy to use. They must also be readily implemented by new applications, as it would be self-defeating if the mechanisms had to be amended each time a new application is introduced by an agency.

