Introduction
This Authentication Key Strengths Standard is one of the New Zealand E-Government Interoperability Framework (NZ e-GIF) authentication standards. These standards outline current accepted good practice for the design (or re-design) of the authentication component of online services that require confidence in the identity of parties transacting with government agencies.
The authentication process consists of establishing and then confirming the established identity over time. Establishing identity requires verified evidence of a person’s identity, so that he or she can be set up as an online service customer. The ongoing confirmation of identity requires the use of an ‘authentication key’, such as a password, to authenticate identity across the Internet.
The suite of authentication standards and documents comprises:
- Guide to Authentication Standards for Online Services
- Evidence of Identity Standard
- Authentication Key Strengths Standard
- Data Formats for Identity Records Standard
- Password Standard
- Other authentication key standards (to be developed)
- New Zealand Security Assertion Messaging Standard (in preparation)
- Guidance on Multi-factor Authentication
- Security Assertion Messaging Framework.
Further information on multi-factor authentication is contained in the document Guidance on Multi-factor Authentication. The Guidance on Multi-factor Authentication may be superseded once other authentication key standards are developed. The Security Assertion Messaging Framework provides a general introduction to security assertion messaging. The Guide to Authentication Standards for Online Services should be read before reading this Standard, as it provides a high-level overview of the authentication standards.
This Standard addresses the authentication strength mechanisms, namely the type of authentication key that may be used and the protections for the online authentication exchange. These are set out in section 6. Section 5 describes relevant concepts, while the terms used in this Standard are defined in 4.6.
The requirements of this Standard are given in terms of the four service risk categories of the Evidence of Identity Standard. These are based on the identity-related risk of a service. Table 1 summarises the minimum authentication keys required for each of the service risk categories. The details are covered in 6.7, 6.8, 6.9 and 6.10 of this Standard.
Table 1 – Minimum authentication keys required for service risk categories
| Service risk category | Minimum authentication key requirements |
| --- | --- |
| Nil or negligible | No requirement. Agencies are able to select their own authentication solution. If a password is used, this SHOULD be different from the password required for services in the Low Risk Category. |
| Low | Requires a one-factor authentication key in the form of a password conforming to the Password Standard. |
| Moderate | Requires a two-factor authentication key that is at least one of the following: |
| High | Requires a two-factor authentication key that is at least a hardware token requiring per-session local activation (with a password or biometric). |
