6. Online Authentication Minimum Requirements
This section sets out the minimum requirements for authentication keys and protections for the authentication exchange. Agencies MUST undertake a risk assessment for those risks associated with the delivery of their services through an interactive online channel. Agencies SHOULD follow the Australian and New Zealand Standard AS/NZS 4360:2004 on risk management for their authentication systems. Further guidance on the application of AS/NZS 4360:2004 is set out in SAA/SNZ HB 436:2004 and SAA/SNZ HB 231:2004.
6.1 Association of authentication keys
The strength of the authentication key associated with a customer by an agency MUST be commensurate with the evidence of identity level that the customer has satisfied. This ensures that authentication key strength is appropriate to the service risk category of the service to which the customer requires access. The acceptable authentication keys for each service risk category are given in 6.7, 6.8, 6.9, and 6.10 of this Standard.
NOTE – The evidence of identity requirements for each service risk category are set out in the Evidence of Identity Standard.
6.2 Using higher-level authentication keys
Agencies SHOULD give customers who have been associated with an authentication key for services in a higher service risk category the choice to use this higher-level authentication key for services in a lower service risk category, on a casual or permanent basis. This can only happen if the agency’s authentication system supports the use of a higher-level authentication key.
NOTE – When a customer chooses to use their higher-level authentication key for services in a lower service risk category on a permanent basis, the agency must give the customer the ability to disassociate these services from the lower-level authentication key.
6.3 Customer identification
6.3.1
Agencies MUST ensure that all customers have unique usernames associated with their authentication key (to identify themselves to the authentication system).
6.3.2
Agencies SHOULD ensure that usernames are not reused within their systems.
6.4 Logon audit
6.4.1
In accordance with NZSIT 400, agencies MUST record logon attempts (refer to part 3, chapter 7 of NZSIT 400). The minimum logon information to be recorded:
- MUST include the username, date, time and logon result (whether authentication was successful or not)
- SHOULD include the source address (e.g. IP address) and any other relevant information from the logon process.
NOTE –
- Audit logs should record relevant authentication information from the logon event that may be used for other purposes such as reporting or as part of an investigation. Relevant information is dependent on the implementation of the authentication solution and information that may be available to be recorded, such as the type of authentication key used.
- Source information based on the location or identification of the computer device that is used for the logon can be very difficult to accurately determine. Identifiers such as IP address or MAC address may not represent the logon device but another device anywhere on the communications channel. Identifiers may be intentionally misrepresented as an individual attempts to remain anonymous.
- Refer to NZSIT 400 for further information on audit logs and analysis requirements.
6.4.2
Audit logs contain sensitive information. Therefore, access to the raw audit logs and any extracted information MUST be strictly limited and the information protected from modification or unauthorised access.
6.4.3
Agencies MUST audit the log of failed logon attempts periodically.
6.4.4
The audit of 6.4.3 SHOULD be performed at least weekly.
6.4.5
Following successful authentication, agencies MUST provide the customer with online access to details of at least the previous five (5) logon attempts. The minimum logon information to be provided:
- MUST include the date, time and logon result (whether authentication was successful or not)
- SHOULD include the source address (e.g. IP address) and any other relevant information from the logon process.
6.4.6
Following successful authentication, agencies SHOULD display to the customer the details of at least the last logon attempt against the username.
6.4.7
If 6.4.6 is followed, then the logon details, at a minimum, displayed to the customer:
- MUST include the date, time and logon result (whether authentication was successful or not)
- SHOULD include the source address (e.g. IP address) and any other relevant information from the logon process.
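The following is an added worked example, not part of the Standard, showing how the 6.4 logon audit requirements can be met over a logon record store: the 6.4.1 record fields, the previous-five-attempts view of 6.4.5, the last-attempt display of 6.4.6/6.4.7, and the weekly review of failed logons required by 6.4.3/6.4.4. The record layout, field names and sample log entries are constructed for this example; only the mandatory fields (username, date/time, result) and the recommended source address come from the Standard.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample audit log (not from the Standard). Each record carries the
# 6.4.1 mandatory fields (username, date/time, result) plus the recommended source.
AUDIT_LOG = [
    {"username": "alice", "when": "2024-05-06T08:02:00+00:00", "result": "success", "source": "203.0.113.5"},
    {"username": "alice", "when": "2024-05-07T07:55:00+00:00", "result": "failure", "source": "198.51.100.9"},
    {"username": "alice", "when": "2024-05-07T07:56:00+00:00", "result": "failure", "source": "198.51.100.9"},
    {"username": "bob",   "when": "2024-05-07T09:10:00+00:00", "result": "success", "source": "203.0.113.7"},
    {"username": "alice", "when": "2024-05-07T07:57:00+00:00", "result": "success", "source": "198.51.100.9"},
    {"username": "alice", "when": "2024-05-08T18:30:00+00:00", "result": "failure", "source": "192.0.2.44"},
    {"username": "alice", "when": "2024-05-09T08:01:00+00:00", "result": "success", "source": "203.0.113.5"},
    {"username": "bob",   "when": "2024-05-09T08:03:00+00:00", "result": "failure"},  # source not captured
]

def _ts(record):
    """Parse the record's ISO 8601 timestamp (timezone-aware) for ordering."""
    return datetime.fromisoformat(record["when"])

def recent_attempts(log, username, count=5, before=None):
    """6.4.5: the previous `count` logon attempts for a username, newest first.
    `before` is the ISO timestamp of the current logon so that logon itself is excluded."""
    cutoff = datetime.fromisoformat(before) if before else None
    mine = [r for r in log if r["username"] == username and (cutoff is None or _ts(r) < cutoff)]
    mine.sort(key=_ts, reverse=True)
    # Only the fields the Standard requires or recommends are shown to the customer.
    return [{"when": r["when"], "result": r["result"], "source": r.get("source", "unknown")}
            for r in mine[:count]]

def last_attempt(log, username, before=None):
    """6.4.6/6.4.7: the single most recent prior attempt to display after a successful logon."""
    shown = recent_attempts(log, username, count=1, before=before)
    return shown[0] if shown else None

def weekly_failed_logon_review(log, week_start):
    """6.4.3/6.4.4: audit of failed logon attempts in the 7 days starting at week_start,
    summarised per username and per source address for the reviewer."""
    start = datetime.fromisoformat(week_start)
    end = start + timedelta(days=7)
    failed = [r for r in log if r["result"] != "success" and start <= _ts(r) < end]
    return {
        "failed_total": len(failed),
        "per_username": dict(Counter(r["username"] for r in failed)),
        "per_source": dict(Counter(r.get("source", "unknown") for r in failed)),
    }
```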
6.5 Responsibilities and customer advice
6.5.1
Agencies MUST provide the customer with the details of the customer’s liabilities and responsibilities at initial enrolment for online service provision (these details should at least cover the topics in Appendix A).
6.5.2
Agencies MUST provide their online service customers with online access to the details of the customer’s liabilities and responsibilities.
6.5.3
Following authentication, but prior to online service provision, agencies SHOULD require customers to acknowledge that they agree to recognise their liabilities and security responsibilities. (The acknowledgment may contain limited details if detailed materials have been previously provided to a customer.)
6.5.4
Agencies MUST provide customers with access to advice concerning how they can fulfil their security responsibilities (see Appendix A).
6.5.5
Agencies MUST provide customers with information outlining the agency’s responsibilities in regard to their online service customers.
6.6 Agency authentication systems
Agencies MUST ensure their authentication systems are appropriately secured and at least meet current accepted good practice, complying with SIGS, NZSIT 400, AS/NZS ISO/IEC 17799:2006 and AS/NZS ISO/IEC 27001:2006.
6.7 Requirements for online services in the Nil/Negligible Risk Category
When the online service is in the Nil/Negligible Risk Category:
- If a password is used by agencies, it SHOULD be different from the Low Risk Category password. (For example, using a password that is a four-digit code avoids confusion with the Low Risk Category password described in 6.8.)
- Agencies MUST protect customer authentication information (such as passwords) during transit, using channel encryption that uses GCSB approved encryption technology conforming to the requirements of SIGS and NZSIT 400.
NOTE – Requiring a different password for the Nil/Negligible Risk Category avoids potential degrading of the Low Risk Category password. If a password is used, agencies may wish to consider the requirements of the Password Standard.
6.8 Requirements for online services in the Low Risk Category
When the online service is in the Low Risk Category, agencies MUST:
- Authenticate the customer using (at least) an authentication key that is a password conforming to the requirements in the Password Standard.
- Protect the customer’s username and password during transit, using channel encryption that uses GCSB approved encryption technology conforming to the requirements of SIGS and NZSIT 400.
- Ensure the authentication process is resistant to replay, eavesdropper and session hijacking attacks.
6.9 Requirements for online services in the Moderate Risk Category
When the online service is in the Moderate Risk Category, agencies MUST:
- Use two-factor authentication to authenticate the customer.
- Authenticate the customer using (at least) one of the following authentication keys:
  - a one-time password system combined with a password
  - a one-time password device that requires per-session local activation with a password or biometric
  - a software token that requires per-session local activation with a password or biometric.
- Use a proof of possession protocol.
- Protect the authentication exchange using GCSB approved encryption technology conforming to the requirements of SIGS and NZSIT 400.
- Ensure the authentication process is resistant to replay, eavesdropper and session hijacking attacks.
- Ensure the authentication process is resistant to verifier impersonation and man-in-the-middle attacks when the customer uses a software token.
6.10 Requirements for online services in the High Risk Category
When the online service is in the High Risk Category, agencies MUST:
- Use two-factor authentication to authenticate the customer.
- Authenticate the customer using (at least) a hardware token that requires per-session local activation with a password or biometric.
- Use a proof of possession protocol.
- Protect the authentication exchange using GCSB approved encryption technology conforming to the requirements of SIGS and NZSIT 400.
- Ensure the authentication process is resistant to replay, eavesdropper, man-in-the-middle, session hijacking and verifier impersonation attacks.

