
7. Government Use of Multi-factor Authentication

Globally, governments are moving towards offering their services online. Some governments are already employing multi-factor authentication methods to support their online services. Others are aiming to do so in the near future. The following examples are not intended to be comprehensive, but illustrate that uptake of multi-factor authentication in the government sector is occurring. General information has been sourced from [26] and [27]. The New Zealand Government Logon Service is discussed in the next section.

  • Austrian Government – Austria uses the “Citizen Card”, which is any device (smartcard, mobile phone, USB token, etc.) that is capable of creating secure digital signatures and can provide secure storage of personal data. Some functions and data are PIN protected against unauthorised use and/or access. The Austrian system is more technology-neutral than other initiatives: it relies on common functionality rather than a common form factor.
  • Danish Government – The Danish Government is currently in the process of issuing free software tokens (used in conjunction with passwords) to all citizens to promote the uptake of their online services. These are viewed as being secure enough at this stage for most public sector and private sector transactions. There are currently no plans to introduce hardware tokens.
  • Estonian Government – The government of Estonia began distributing ID cards (personalised smartcards) to its citizens in January 2002. The cards contain the individual’s name, address details, demographic information, as well as two PIN protected digital certificates and related cryptographic keys. A special distinction of this initiative is that Estonians can use their ID cards for accessing government services online and e-commerce applications, with both authentication and digital signatures being supported (by the separate certificates). The authentication certificate contains the individual’s email address. The ID cards are mandatory for citizens and permanent residents over the age of 15.
  • Italian Government – The Italian Government system uses their National Services Card and Electronic ID card, both of which are smartcards, for citizen authentication with online government services. The Electronic ID card is a hybrid smartcard that also contains PIN protected personal data including the holder’s blood group and fingerprint scans. The plan is to replace all paper ID documents with these cards.
  • Korean Government – The Korean Government is planning to have banks support one-time password systems for Internet banking. The project is being led by the Ministry of Information and Communication. Use of the one-time password system will not be mandatory but will allow citizens higher transaction amounts than the current one-time password system, which is based on cards that only store 30-35 passwords. It is not clear whether the cards are re-used or if the card is replaced after the passwords have been used [28].
  • Malaysian Government – The Malaysian Government issues citizens over 12 years of age with a MyKad or Government Multipurpose Card [29]. This is a tamper-resistant smartcard that performs public key cryptographic operations (including those relating to online authentication), supported by on-card digital certificates and a government Public Key Infrastructure. The MyKad is used for immigration at Malaysian borders, as a driving licence, to access government services online, for making online purchases, as an e-purse, and as an ATM card with participating banks.
  • United Kingdom (UK) Government – The UK Government uses a centralised registration and authentication system called “The Government Gateway” to support secure authenticated e-government transactions over the Internet. Authentication of customers (individuals, organisations, or agents) is based on either a password or digital signatures (software tokens with password protection), depending on the type of transaction. There are plans to have the UK e-ID card support a digital signature function in the future. Refer to [30] which discusses the UK and also the Dutch systems.

So governments are moving to provide two-factor authentication, which supports the provision of their services online. Sometimes this is bundled with other functions. This is often the case with smartcard-based solutions – the smartcard is also used as an identification card, travel document and e-commerce card. Providing support for a number of functions has motivated the uptake of online services by citizens in these countries.

Other nations have not reported such strong uptake but in some cases are limited in what they can offer by concerns about privacy. Where privacy is not an issue, the main barriers to uptake seem to be cost, usability and functionality. Some countries are addressing this with subsidies for their citizens, or even providing free two-factor authentication keys.

Note that the examples given here are only intended to demonstrate that a number of governments are using a range of two-factor authentication keys for the provision of government services online. Their inclusion is not intended as an endorsement of their appropriateness for the New Zealand Government.
