
2. Introduction

Purpose

This Guidance on Multi-factor Authentication examines the issues surrounding the use of multi-factor authentication keys by government agencies. It does not prescribe the use of any particular authentication key. Requirements for authentication keys can be found in the New Zealand E-government Interoperability Framework (NZ e-GIF) [2] authentication standards, which are discussed further below.

Audience

This Guidance has been written for those whose responsibilities include the development and management of Information Technology (IT) systems, especially relating to the delivery of secured online services. This includes agency IT custodians such as chief information officers, chief technology officers, and IT managers and administrators. Technical analysts, systems architects and developers, and IT security managers and administrators should also read this Guidance, in particular the references for more detailed information included in Appendix A.

Relationship to the authentication standards

The NZ e-GIF authentication standards provide detailed guidance for agencies to follow when designing their authentication systems. These standards are introduced in the Guide to Authentication Standards for Online Services [5]. In particular, the Authentication Key Strengths Standard [1] requires a two-factor authentication key to be used for services in the Moderate or High service risk categories. This Guidance does not give recommendations. It has been developed as an information resource to supplement the Authentication Key Strengths Standard.

Document structure

Background material is covered next in this section. The following section discusses the three factors of authentication (one of the major ways of categorising authentication methods) and introduces multi-factor authentication. The authentication attacks considered in this Guidance are then discussed, with other countermeasures briefly touched on. The main section then looks at each of the authentication keys (listed below), outlining their advantages and disadvantages and the attacks they counter. This is followed by a list of issues that should be considered when selecting a multi-factor authentication key. Brief details on the use of multi-factor authentication keys by governments for the delivery of online services are covered next, before the Government Logon Service that is being developed by the New Zealand Government’s Authentication Programme is introduced. The final section looks at trends affecting the use of multi-factor authentication. Most terms and acronyms are included in the Glossary.

Background

To meet the Networked State Services Development Goal [6], agencies will need to provide online services that have higher levels of risk. This will require the use of higher strength authentication keys.

Authentication is the process of establishing, to the required level of confidence, the identity of one or more parties to a transaction. This consists of two processes:

  • evidence of identity
  • ongoing confirmation of identity, for example using a username and password to logon.

The NZ e-GIF authentication standards cover both of these processes.

This Guidance focuses on the second process above. In particular, this Guidance is interested in the case where someone makes an identity claim and provides some evidence to support this claim, by using their authentication key to provide some level of assurance that they are who they say they are.

The authentication keys discussed in this Guidance are:

  1. passwords
  2. hardware tokens
  3. software tokens
  4. one-time passwords
  5. biometrics.

These authentication keys represent the major ones used today and are the ones identified in the NZ e-GIF authentication standards. Figure 1 depicts examples of these authentication keys.

[Figure 1: examples of these authentication keys]

The focus of this Guidance is the electronic authentication of people across an unprotected channel, primarily the Internet. In this Guidance, authentication involves two parties:

  • customer – a person who claims some identity and who undergoes the authentication process
  • verifier – an entity that receives and verifies customers’ online identity claims.

In some cases, the customer will also require confidence in the identity of the verifier. When both parties authenticate to one another, this is called mutual authentication. Usually, the same or very similar methods are used for mutual authentication. Authentication keys differ in their support of mutual authentication.

An authentication exchange is the exchange of information required for the authentication process. The online authentication exchange occurs between the customer and the verifier over an unprotected communication channel, such as the Internet. Such a setting is depicted in Figure 2.

[Figure 2: an authentication exchange setting]

In many situations, protections for the communication channel are also used. An example is the TLS protocol, which is often used to protect services delivered online through web browsers. Although this Guidance will refer to such protections, it does not include an analysis of the various protocols.
