NZ govt splits authentication in two

Computerworld New Zealand Online

Decisions on how and even whether to implement online authentication for New Zealand government services are not expected to be through the final stages of Cabinet approval until near the end of the year, says Bethia Gibson, acting director of the SSC’s e-government unit.

This will allow individual agencies to feed their requirement into the overall picture, alongside the unit’s proposed centralized model of authentication, Gibson says. The e-government unit appreciates that some services will need a stronger mode of authentication than the relatively easy-to-use mode (probably of the identifier-and-password type) that is likely to be implemented for centralized authentication.

Authentication proposals split “request for services” from “service delivery”, she says, allowing a separate consideration of centralized authentication (the request) from individual agencies’ authentication for service delivery.

In particular, requiring a PKI digital certificate of every citizen for any application needing authentication is not seen as a likely solution. “At this stage it is very unlikely that we will recommend the introduction of digital certificates for all citizens who opt to use online authentication,” Gibson says, “but the specific use of digital certificates was foreshadowed in the June advice to Cabinet.”

This document says: “Some transactions, such as transferring land title, by their nature require specialist security technology such as digital certificates or biometrics, in order to complete the transaction online. These types of online transactions will use the all-of-government authentication model to authenticate the individual, but at the administering agency’s discretion, the individual may be issued a service-specific token (such as a digital certificate) to further secure the transactions.”

The unit has established a project team that will: design the processes and systems architecture for all-of-government online authentication; identify and resolve related policy issues; commission a detailed privacy impact assessment; and prepare a business case setting out alternative implementation approaches, Gibson says.

“When this work is completed, the government will make a decision on if, how and when to implement online authentication.

“The work of the project team is proceeding at pace but final stages of most aspects of the work commissioned by Cabinet are not due to be made until much closer to Christmas, by which time affected agencies will have had a chance to input into the final decisions.

“However, the project team has produced and published a ‘blueprint’ which consolidates thinking to date.” This is published on the unit’s Web site.