The State Services Commission’s ICT branch in New Zealand has put out for comment a detailed standard for authentication of clients who use government services.
While a centralized all-of-government authentication mechanism is currently under test, the standards document acknowledges that some agencies may wish to go their own way on authentication.
The standards will ensure that, whoever implements the authentication, it provides customer and agency with protection against fraud and deception that is consistent and appropriate to the risk of the transaction being conducted. It should encourage a “more consistent [user] experience” from one agency to another, as well as improving familiarity and confidence in government standards.
The standards are intended chiefly for use in an online environment, but procedures for initially establishing a client’s identity — the Evidence of Identity Standard — “applies to all services, regardless of the data channel”, says the document.
After a client’s identity has been satisfactorily established they will be given an authentication token of some kind, typically a user-name and password, to be used on future occasions when dealing with the agency.
Different scales of authentication apply to different transactions. Some, such as requests for generic information like a brochure, will require no authentication at all.
Beyond this, low, moderate and high identification requirements are set out and a risk analysis procedure provided to evaluate the likely result of a transaction being compromised and assign it to the appropriate category.
Low-risk transactions will be handled with an identifier and password, and medium ones with two-factor identification involving exchange of a software token or biometric data for the session in addition to the initial identification.
High-level transactions will be conducted with two-factor identification using a hardware token.
The document summarizes the kinds of attacks that can be mounted against authentication and measures that can minimize the risk, such as encryption of communications.
Comments on the standard are requested by February 17, 2006.