2. Scope
This Standard considers the strength of the mechanisms employed, in terms of the authentication key and the protections for the authentication exchange between a customer and a verifier through an interactive online channel. Some management issues for authentication are covered in this Standard (for example, 6.4 covers logon audit).
The Government Logon Service (see 3.2) is a centralised authentication service and not a service agency. Consequently, the requirements 6.1 and 6.2 of this Standard do not apply to the Government Logon Service.
The authentication standards are to be used for services that deliver information classified as UNCLASSIFIED, IN CONFIDENCE, or SENSITIVE only, as specified in the Government's Guidelines for Protection of Official Information.
Authentication is only one aspect of an agency’s security posture. Agencies are reminded that they are required to comply with the Government’s security policies and instructions as defined in:
- Security in the Government Sector (SIGS)
- New Zealand Government Information Technology Security Manual – NZSIT 400 (NZSIT 400).
2.1 Other online service risks
This Standard does not cover all aspects affecting the strength of authentication. The following are outside the scope of this Standard:
- Authentication other than the online authentication of persons wishing to access agency services through an interactive online channel. For example, this Standard does not cover the authentication of one machine to another.
- Authorisation including role management, entitlements and access privileges.
- Authentication key management including verification of authentication keys and life cycle issues, such as establishment (registration, generation and distribution), storage, replacement, compromise, revocation, expiration and destruction. Contact the Government Communications Security Bureau (GCSB) for details and assistance in this area.
- Non-repudiation. Services that need non-repudiation support have to be analysed beyond their identity-related risk alone. Other measures need to be in place to support non-repudiation.
- Biometrics. Currently, authentication solutions that incorporate the exchange of biometric data between a customer and verifier have been excluded. Review of biometric technologies is continuing and extending their use in future versions of this Standard will be considered.
NOTE – Some aspects of authentication key management are covered in the NZ e-GIF authentication standards. Agencies need to consider those aspects not covered in the NZ e-GIF authentication standards. For advice, refer to SIGS, NZSIT 400, AS/NZS ISO/IEC 17799:2006, AS/NZS ISO/IEC 27001:2006 and SAA/SNZ HB 231:2004.
Agencies MUST undertake a risk assessment for those risks associated with the delivery of their services through an interactive online channel. Agencies SHOULD follow the Australian and New Zealand Standard AS/NZS 4360:2004 on risk management for their authentication systems. Further guidance on the application of AS/NZS 4360:2004 is set out in SAA/SNZ HB 436:2004 and SAA/SNZ HB 231:2004. Agencies also need to ensure there is adequate business continuity planning for their online services.
Many authentication risks may be addressed by ensuring that the authentication system is properly protected. The NZ e-GIF authentication standards do not give general advice for securing authentication systems. Agencies should comply with SIGS, NZSIT 400, AS/NZS ISO/IEC 17799:2006 and AS/NZS ISO/IEC 27001:2006.
Risks also arise from the computing environments of customers. In general, these risks are beyond the scope of the NZ e-GIF authentication standards and any recommendations are limited in their enforcement. Agencies need to consider these risks when they perform the risk assessment for an online service. Agencies should inform potential online service customers of the related risks and provide access to material concerning customer responsibilities and security education (see Appendix A for further advice).
Additionally, the NZ e-GIF authentication standards only consider the identity-related risk of a service. Other risks to government services should also be analysed and addressed as appropriate.
