3. Background
3.1 Concepts
In the New Zealand government context 'authentication' is the process of initial establishment and ongoing confirmation, to the required level of confidence, of the identity of one or more parties to a transaction. Authentication provides confidence, relative to the level of identity-related risk, that appropriate steps have been taken to ensure that identity is correctly attributed.
'Establishment of identity' requires verified evidence of a person's identity, so that the person may be set up as an online service user. 'Ongoing confirmation of identity' requires the use of an 'authentication key,' such as a username and password combination, to authenticate identity across the Internet. In addition, establishment and confirmation both require periodic re-verification to ensure that any misuse or abuse of identity is discovered. Any subsequent authorisation to services or provisioning of services remains the responsibility of agencies.
3.2 Authentication standards
The NZ e-GIF authentication standards provide detailed guidance for agencies to follow when designing their authentication solutions. In particular, the standards enable agencies to determine the level of identity-related risk for each of their services and to identify appropriate evidence of identity requirements and authentication key technologies (refer to 3.3 of the Evidence of Identity Standard).
Most online services delivered by government agencies are either anonymous (such as when someone downloads a brochure from an agency's website) or have low levels of identity-related risk (such as when someone changes their address details). Services with low levels of identity-related risk are typically authenticated using minimal levels of evidence of identity requirements and a username and password for ongoing confirmation of identity.
NOTE – Change of address is a generic example. For some services change of address may have a high level of identity-related risk.
To meet the Networked State Services Development Goal (operation of government transformed through the use of the Internet by June 2010), agencies will need to provide online services that have higher levels of identity-related risk. This will necessarily require the implementation of authentication solutions with more rigorous evidence of identity requirements and higher strength authentication keys.
Table 1 - Authentication standards and documents
The purpose of each of the authentication standards is described below. The standards and documents are listed in the order in which they are intended to be used by agencies.
- Guide to Authentication Standards for Online Services
Provides a high-level overview of the NZ e-GIF authentication standards.
- Evidence of Identity Standard
Specifies a business process for establishing the identity of government agency customers. Applies to offline as well as online services.
- Authentication Key Strengths Standard
Specifies the authentication keys to be used for online authentication and protections necessary for the authentication exchange.
- Data Formats for Identity Records Standard
Specifies data formats for a set of customer information data elements that government agencies may use in customer identity records.
- Password Standard
Specifies requirements for passwords used for online authentication.
- Other authentication key standards (to be developed, see Footnote)
Specify the requirements for two-factor authentication keys used for online authentication.
- New Zealand Security Assertion Messaging Standard
Specifies messaging standards for communicating authentication assertions.
- Guidance on Multi-factor Authentication
Provides an overview of multi-factor authentication. May be superseded once other authentication key standards are developed. Not a NZ e-GIF standard.
- Security Assertion Messaging Framework
Provides a general introduction to security assertion messaging. Not a NZ e-GIF standard.
3.3 All-of-government authentication services
As well as supporting the implementation of individual agency authentication solutions, the authentication standards will also support the all-of-government authentication services - the GLS and the proposed IVS. These shared or joined-up services will allow agencies to devolve the management of the authentication component of online services.
The GLS is a service that allows people to access government online services more conveniently by using a common authentication mechanism appropriate to the service risk category established for the service. The IVS will allow people to establish their identity once, so that they do not have to establish it separately with each IVS-using agency they transact with. See 4.6 for definitions of the GLS and IVS.
Agencies will interact with these shared or joined-up services as follows:
- Registration – evidence of identity is established (enabling the proposed IVS) and an authentication key is associated with the customer (GLS).
- First-time service – agencies verify identity for the customer's first access (GLS and IVS) and link identity data and authentication key details. Agencies may also link a range of service-specific data.
- Repeat service – agencies confirm the identity of customers for ongoing access (GLS).
These interactions are shown in Figure 1 (from [AEG]).
Figure 1 - Outline of interactions with all-of-government authentication services

Where agencies adopt one or more of these shared services, they must adopt the standards relating to the functions of those services. Adopting the service relieves agencies of some (but not all) obligations regarding standards adoption, since the service itself implements the standards applicable to its area of responsibility. However, significant areas of the standards remain the responsibility of the agency, such as risk assessments and agency website controls. Agencies not using these services will still have to comply with all of the authentication standards. See 4.5 for further detail on compliance and conformance.
Footnote
i. Other authentication key standards are designated for future work and, until they are published, agencies should consult GCSB and refer to [SIGS] and [NZSIT402].