
6. Multi-factor Authentication Solution Selection Issues

There are many issues to consider once a decision is made to use multi-factor authentication. The authentication key must also comply with the NZ e-GIF authentication standards [2], but many solutions may be available that satisfy these requirements.

The selection of the actual authentication key also needs to be based on a risk assessment for the particular service and on the business requirements. Agencies should use the Australian and New Zealand risk management standard AS/NZS 4360:2004 [8] along with the associated handbooks AS/NZS HB 436:2004 [9] and SAA/SNZ HB 231:2004 [10]. A consideration of privacy risks can benefit from a privacy impact assessment. In this case agencies should refer to the Privacy Impact Assessment Handbook [25]. For an example of business drivers, see the section on trends, which discusses the Land Information New Zealand Landonline service.

Other issues to consider include those listed in Table 3. Further information can be found in [15, 16, 18, 20, 21].

Table 3 – Solution selection issues

Issue

Points to consider

Customer education

  • Do customers have the necessary skills?
  • Are training resources available?
  • Ongoing education and awareness programmes must be in place.

Customer resources

  • Do customers have the necessary basic hardware and software?
  • Will extra special software need to be installed on customers’ computers, or does the system rely on customers having special hardware?
  • Will the system need to support multiple authentication keys to cover all customers?
  • Is it assumed that customers’ computing environments may be hostile, or that common computer protections will be in place?

Other (customer-related)

  • How difficult will it be to achieve customer acceptance?
  • What are the options for promoting acceptance?
  • Is portability a requirement?

Staff resources

  • What are the staffing requirements for the development and ongoing operation of the system?
  • Will staff need additional training?

Systems operation

  • Does the system need to integrate with existing systems?
  • What would migration of the existing system involve?
  • What reliability metrics need to be met?
  • Can the system scale if necessary?
  • Is interoperability with other systems a requirement? If so, what is required?
  • What mix of proprietary and non-proprietary technology will be used?
  • Systems issues are often complex but priorities should relate to the vision an organisation has for its system.

System costs

  • What are the costs to deploy and run the system? This should include the development and ongoing operational cost. Costs will also be incurred to comply with Security in the Government Sector [4] and other acts, regulations and standards.

Business operation

  • Can the functions of the authentication key be leveraged for the business processes? This may be a driver for selecting one authentication key above others (an example is the Landonline system discussed below).

Deployment timeframes

  • Are there timeframe restrictions for deploying the system? New solutions can take longer to deploy.
