2. Scope
The purpose of this Guide is to provide a high-level overview of the suite of authentication standards. It explains when agencies should use each of the standards during the design and implementation of their online authentication systems.
In providing this overview the Guide articulates a risk management-based approach for agencies to identify appropriate combinations of evidence of identity processes (establishment of identity) and authentication keys (ongoing confirmation of identity). This approach enables agencies to reduce the identity-related risks inherent in their online services.
The suite of authentication standards and documents comprises:
- Guide to Authentication Standards for Online Services
- Evidence of Identity Standard
- Authentication Key Strengths Standard
- Data Formats for Identity Records Standard
- Password Standard
- Other authentication key standards (to be developed)
- New Zealand Security Assertion Messaging Standard (in preparation)
- Guidance on Multi-factor Authentication
- Security Assertion Messaging Framework.
Although the suite of standards focuses on online services, the Evidence of Identity Standard applies to all services, regardless of delivery channel.
Further information on multi-factor authentication is contained in the Guidance on Multi-factor Authentication; that document may be superseded once the other authentication key standards are developed. The Security Assertion Messaging Framework provides a general introduction to security assertion messaging.
For clarity, the scope of the authentication standards extends to all individuals who access government services, regardless of whether they are acting in their capacity as private citizens or as employees of businesses.
The following are outside the scope of this Guide and the authentication standards:
- authorisation – including role management, user entitlements, and access privileges
- non-repudiation – authentication processes support a party's inability to deny participation in a transaction, but they do not by themselves provide it; services requiring non-repudiation need to be analysed beyond authentication considerations alone
- non-identity-related risks when establishing online services – including privacy and consumer confidence.
This Guide and the authentication standards are to be used for services that deliver information classified as UNCLASSIFIED, IN CONFIDENCE, or SENSITIVE only, as specified in the Government's Guidelines for Protection of Official Information.
Agencies should note that adherence to this Guide and the authentication standards does not relieve them of obligations relating to the creation, disclosure and use of personal information. Those obligations include compliance with relevant New Zealand legislation, such as the Privacy Act 1993, the Human Rights Act 1993 and any authorising legislation for a particular service or agency.