Background

3.1 Concepts

‘Authentication’ is the process of initial establishment and ongoing confirmation, to the required level, of the identity of one or more parties to a transaction. Authentication provides confidence, relative to the level of identity-related risk, that appropriate steps have been taken to ensure that identity is correctly attributed.

‘Establishment of identity’ requires verified evidence of a person’s identity, so that the person may be set up as an online service user. ‘Ongoing confirmation of identity’ requires the use of an ‘authentication key’, such as a username and password combination, to authenticate identity across the Internet. In addition, establishment and confirmation both require periodic re-verification to ensure that any misuse and abuse of identity is discovered.

3.2 Misuse and abuse of identity

Misuse and abuse of identity, which may include identity crime, refers to gaining money, goods, services, other benefits or the avoidance of obligations through the use of a false or stolen identity. Incorrect attribution of an individual’s identity as a result of misuse and abuse of identity impacts on numerous parties, including government agencies, individuals whose identities have been stolen, and the public. Impacts arising from misuse and abuse of identity include:

  • inconvenience, distress, or damage to standing or reputation
  • financial loss or liability
  • harm to agency programmes or the public interest
  • unauthorised release of sensitive information
  • risk to personal safety
  • downstream effects external to the agency.

3.3 Internet-related misuse and abuse of identity

The Internet has transformed society in many positive ways. However, the Internet has also transformed the nature of crime, with experiences of cybercrime becoming more common.

The nature and volume of Internet-related misuse and abuse of identity in particular have increased significantly. As well as an increase in small-scale person-to-person identity crime (such as monetary, information or identity theft, or unlawful access to another person's details), there has been a rise in the number of well-planned and orchestrated attacks perpetrated by a small but growing group of professional cyber criminals (AusCERT 2005). In addition, the nature of these attacks has evolved rapidly. Threats often require immediate responses in order to minimise risk and damage to systems, agencies, individuals and levels of trust in the online delivery channel.

All governments have a role to play in keeping the Internet secure for their citizens and in maintaining the integrity of the Internet as a global resource. The New Zealand Government’s e-government goals of convenience and satisfaction, integration and efficiency, and participation can only be achieved by maintaining trust in online systems and by maintaining the integrity of these systems.

Consequently, the State Services Commission has developed a suite of e-GIF authentication standards to reduce the likelihood of misuse and abuse of identity occurring as a result of online service delivery. These standards provide current accepted good practice guidance for the design (or re-design) of services that require confidence in the identity of parties transacting with government agencies.

3.4 Authentication standards

The NZ e-GIF authentication standards provide detailed guidance for agencies to follow when designing their authentication solutions. In particular, the standards enable agencies to determine the level of identity-related risk for each of their services and to identify appropriate evidence of identity requirements and authentication key technologies (refer to section 3.3 of the Evidence of Identity Standard).

Most online services delivered by government agencies are either anonymous (such as when someone downloads a brochure from an agency’s website) or have low levels of identity-related risk (such as when someone changes their address details). Services with low levels of identity-related risk are typically authenticated using minimal levels of evidence of identity requirements and a username and password for ongoing confirmation of identity.

NOTE – Change of address is a generic example. For some services change of address may have a high level of identity-related risk.

To meet the Networked State Services Development Goal (operation of government transformed through the use of the Internet by June 2010), agencies will need to provide online services that have higher levels of identity-related risk. This will require the implementation of authentication solutions with more rigorous evidence of identity requirements and higher strength authentication keys.

Table 1 describes the purpose of each of the authentication standards. The standards and documents are listed in the order in which they are intended to be used by agencies.

Table 1 – Authentication standards and documents

Guide to Authentication Standards for Online Services – Provides a high-level overview of the NZ e-GIF authentication standards.
Evidence of Identity Standard – Specifies a business process for establishing the identity of government agency customers. Applies to offline as well as online services.
Authentication Key Strengths Standards – Specifies the authentication keys to be used for online authentication and protections necessary for the authentication exchange.
Data Formats for Identity Records Standard – Specifies data formats for a set of customer information data elements that government agencies may use in customer identity records.
Password Standard – Specifies requirements for passwords used for online authentication.
Other authentication key standards (to be developed) * – Specify the requirements for two-factor authentication keys used for online authentication.
New Zealand Security Assertion Messaging Standard (in preparation) – Specifies messaging standards for communicating authentication assertions.
Guidance on Multi-factor Authentication – Provides an overview of multi-factor authentication. May be superseded once other authentication key standards are developed. Not a NZ e-GIF standard.
Security Assertion Messaging Framework – Provides a general introduction to security assertion messaging. Not a NZ e-GIF standard.

See section 6 for a more detailed description of each of these standards and documents.

3.5 All-of-government authentication services

As well as supporting the implementation of individual agency authentication solutions, the authentication standards will support the all-of-government authentication services – the Government Logon Service (GLS) and the Identity Verification Service (IVS). These shared services will allow agencies to devolve the management of the authentication component of online services.

The GLS is a website that will allow people to access government online services more conveniently by using a single authentication key, such as a username and password. The IVS will allow people to establish their identity once so that they do not have to establish their identity separately with each agency they transact with. The GLS is currently being built and the IVS is in the design stage. See Appendix A for definitions of GLS and IVS.

Agencies will interact with these shared services as follows:

  • Registration – evidence of identity is established (IVS) and an authentication key is associated with the customer (GLS)
  • First-time service – agencies verify identity for the customer’s first access (GLS and IVS) and link identity data and authentication key details. Agencies may also link a range of service-specific data
  • Repeat service – agencies confirm the identity of customers for ongoing access (GLS).

These interactions are shown in Figure 1 (State Services Commission 2005b).
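The three interactions above can be modelled as a small separation-of-duties exercise: the IVS alone holds verified identity data, the GLS alone holds the authentication key, and the agency only ever stores a link between a GLS logon identifier and its own service record. The following Python is an added illustration written for this guide; it is not code from the State Services Commission, the GLS or the IVS, and every class, method name, identifier format and sample value in it is an assumption made for the example. It shows the failure mode the list implies but does not spell out: a customer whose logon is confirmed by the GLS but who has never completed first-time service with the agency is refused until the link is made.

```python
"""Toy model of registration, first-time service and repeat service with
shared authentication services. Added example, not the NZ e-GIF or GLS/IVS
code; all interfaces and sample values here are assumptions for illustration."""
import hashlib
import hmac
import os
import secrets


class IdentityVerificationService:
    """IVS stand-in: checks evidence of identity once, issues an identity reference."""

    def __init__(self):
        self._records = {}  # identity reference -> verified identity data

    def establish_identity(self, evidence):
        # Constructed acceptance rule for the toy: a name and date of birth.
        # A real evidence-of-identity process is far more demanding.
        if not (evidence.get("name") and evidence.get("dob")):
            raise ValueError("insufficient evidence of identity")
        ref = "ivs-" + secrets.token_hex(4)  # hypothetical reference format
        self._records[ref] = dict(evidence)
        return ref

    def verify_reference(self, ref):
        return self._records.get(ref)


class GovernmentLogonService:
    """GLS stand-in: holds the authentication key (username + password), confirms logons."""

    def __init__(self):
        self._keys = {}  # username -> (salt, password hash, logon identifier)

    def register_key(self, username, password):
        if username in self._keys:
            raise ValueError("username already registered")
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        logon_id = "gls-" + secrets.token_hex(4)  # hypothetical identifier format
        self._keys[username] = (salt, digest, logon_id)
        return logon_id

    def confirm_logon(self, username, password):
        """Return the logon identifier on success, None otherwise."""
        entry = self._keys.get(username)
        if entry is None:
            return None
        salt, digest, logon_id = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        # Constant-time comparison so a wrong password is not distinguishable by timing.
        return logon_id if hmac.compare_digest(candidate, digest) else None


class Agency:
    """An agency that has devolved authentication to the shared services."""

    def __init__(self, gls, ivs):
        self.gls, self.ivs = gls, ivs
        self._links = {}  # GLS logon identifier -> {identity, service data}

    def first_time_service(self, username, password, ivs_ref, service_data):
        # Both services must vouch for the customer before anything is linked.
        logon_id = self.gls.confirm_logon(username, password)
        identity = self.ivs.verify_reference(ivs_ref)
        if logon_id is None or identity is None:
            raise PermissionError("first-time access needs a GLS logon and a verified IVS identity")
        if logon_id in self._links:
            raise ValueError("this logon is already linked to a customer record")
        self._links[logon_id] = {"identity": identity, "service": dict(service_data)}
        return logon_id

    def repeat_service(self, username, password):
        # Ongoing access relies on the GLS only; the agency never re-checks evidence.
        logon_id = self.gls.confirm_logon(username, password)
        if logon_id is None:
            raise PermissionError("GLS did not confirm the logon")
        record = self._links.get(logon_id)
        if record is None:
            raise PermissionError("logon confirmed but not linked; first-time service required")
        return record


def walkthrough():
    """Run all three interactions with constructed sample data; return the service record key."""
    ivs, gls = IdentityVerificationService(), GovernmentLogonService()
    agency = Agency(gls, ivs)
    # Registration: evidence of identity (IVS) and an authentication key (GLS).
    ref = ivs.establish_identity({"name": "Example Person", "dob": "1980-01-01"})
    gls.register_key("example.person", "correct horse battery staple")
    # First-time service: the agency verifies both and links them with service data.
    agency.first_time_service("example.person", "correct horse battery staple", ref,
                              {"client_no": "C-0001"})
    # Repeat service: only the GLS confirmation is needed from here on.
    return agency.repeat_service("example.person", "correct horse battery staple")["service"]["client_no"]
```

Note that the agency stores the GLS logon identifier, not the username or any password material, so a later change of password at the GLS does not affect the agency's link, which is the point of devolving the authentication component to the shared service.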

Figure 1 – Outline of interactions with all-of-government authentication services


Where agencies adopt one or more of these shared services, they must adopt the standards relating to the functions of those services. In some cases, adopting the service automatically adopts and implements the relevant standards. For example, if an agency adopts the GLS, all passwords provided by this service will comply with the Password Standard. The agency would, however, still need to assess its requirements for evidence of identity processes and appropriate key strengths, using the relevant authentication standards.

Agencies not using the shared services will have to comply with all of the authentication standards.