Background
3.1 Authentication standards
The NZ e-GIF authentication standards provide detailed guidance for agencies to follow when designing their authentication solutions. In particular, the standards enable agencies to determine the level of identity-related risk for each of their services and to identify appropriate evidence of identity requirements (refer to the Evidence of Identity Standard) and authentication key technologies.
Most online services delivered by government agencies are either anonymous (such as when someone downloads a brochure from an agency’s website) or have low levels of identity-related risk (such as when someone changes their address details). Services with low levels of identity-related risk are typically authenticated using minimal levels of evidence of identity requirements and a username and password for ongoing confirmation of identity.
NOTE – Change of address is a generic example. For some services, change of address may have a high level of identity-related risk.
To meet the Networked State Services Development Goals, agencies will need to provide online services that have higher levels of identity-related risk. This will require the implementation of authentication solutions with more rigorous evidence of identity requirements and higher strength authentication keys.
Table 2 describes the purpose of each of the authentication standards and documents.
Table 2 – Authentication standards and documents
- Guide to Authentication Standards for Online Services – Provides a high-level overview of the NZ e-GIF authentication standards.
- Evidence of Identity Standard – Specifies a business process for establishing the identity of government agency customers. Applies to offline as well as online services.
- Authentication Key Strengths Standards – Specifies the authentication keys to be used for online authentication and protections necessary for the authentication exchange.
- Data Formats for Identity Records Standard – Specifies data formats for a set of customer information data elements that government agencies may use in customer identity records.
- Password Standard – Specifies requirements for passwords used for online authentication.
- Other authentication key standards (to be developed) * – Specify the requirements for two-factor authentication keys used for online authentication.
- New Zealand Security Assertion Messaging Standard (in preparation) – Specifies messaging standards for communicating authentication assertions.
- Guidance on Multi-factor Authentication – Provides an overview of multi-factor authentication. May be superseded once other authentication key standards are developed. Not a NZ e-GIF standard.
- Security Assertion Messaging Framework – Provides a general introduction to security assertion messaging. Not a NZ e-GIF standard.
* Other authentication key standards are designated for future work and, until they are published, agencies should consult GCSB and refer to SIGS and NZSIT 400.
3.2 All-of-government authentication services
As well as supporting the implementation of individual agency authentication solutions, the authentication standards will support the all-of-government authentication services – the Government Logon Service (GLS) and the Identity Verification Service (IVS). These shared services will allow agencies to devolve the management of the authentication component of online services.
The GLS is a website that will allow people to access government online services more conveniently by using a single authentication key, such as a password. The IVS will allow people to establish their identity once so that they do not have to establish their identity separately with each agency they transact with. The GLS is currently being built and the IVS is in the design stage. See 4.6 for definitions of GLS and IVS.
Agencies will interact with these shared services as follows:
- Registration – evidence of identity is established (IVS) and an authentication key is associated with the customer (GLS)
- First-time service – agencies verify identity for the customer’s first access (GLS and IVS) and link identity data and authentication key details. Agencies may also link a range of service-specific data
- Repeat service – agencies confirm the identity of customers for ongoing access (GLS).
These interactions are shown in Figure 1 (State Services Commission 2005b).
Figure 1 – Outline of interactions with all-of-government authentication services

Where agencies adopt one or more of these shared services, they must adopt the standards relating to the functions of those services. In some cases, adopting the service automatically adopts and implements the relevant standards. For example, if an agency adopts the GLS, all passwords provided by this service will comply with the Password Standard. The agency would, however, still need to assess its requirements for evidence of identity processes and appropriate key strengths, using the relevant authentication standards.
Agencies not using these shared services will have to comply with all of the authentication standards.
