Authentication standards for e-government applications are aimed at providing “a uniform and consistent experience” for New Zealanders accessing government services requiring some measure of security online.
But there will be no progress towards a uniform identifier for all users of such services, the just-published standards make clear. Agencies will be given flexibility, and users some degree of choice, so that the mode of authentication can be matched to the user's circumstances and to the sensitivity of the data exchanged during the application.
For example, there are general requirements for passwords used to access low-risk applications. These “must be a minimum of seven characters and contain a prescribed mix of upper- and lower-case letters, numbers and special characters”, but the actual password, other than the one initially provided or provided after a “reset”, should be a free choice for the user.
If a user already has a more secure form of authentication key for a higher-sensitivity application, they should be allowed to use the same key and method of identification for a lower-sensitivity application even though that will not strictly require it.
Certain obvious passwords such as those repeating the user-name, dates or the words “password” or “logon” or trivial variants of these must be disallowed.
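The composition and "obvious password" rules quoted above can be enforced at the point where a user chooses a password. The following checker is an added example written for this article; it is not code from the standards or from any agency. It applies the rules exactly as the article states them (seven-character minimum, upper- and lower-case letters, numbers and special characters, no repetition of the user name, no dates, no "password"/"logon" or trivial variants). The leet-style substitution table and the date patterns it recognises are this example's own assumptions about what "trivial variants" and "dates" mean in practice, not definitions taken from the standard.

```python
import re

MIN_LENGTH = 7
BANNED_WORDS = ("password", "logon")

# Assumed leet-style substitutions users apply to dodge banned-word checks,
# e.g. P@ssw0rd -> password, L0g0n -> logon. Not taken from the standard.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})

# Assumed date shapes: 25/12/2004, 2004-12-25, 20041225, 25122004.
_DATE_PATTERNS = (
    re.compile(r"(?<!\d)\d{1,2}[/.\-]\d{1,2}[/.\-]\d{2,4}(?!\d)"),
    re.compile(r"(?<!\d)(?:19|20)\d{2}[/.\-]\d{1,2}[/.\-]\d{1,2}(?!\d)"),
    re.compile(r"(?<!\d)(?:19|20)\d{6}(?!\d)"),
    re.compile(r"(?<!\d)\d{2}(?:0[1-9]|1[0-2])(?:19|20)\d{2}(?!\d)"),
)


def _normalise(text):
    """Lower-case, undo leet substitutions and drop separators so that
    trivial variants of a word collapse to the word itself."""
    text = text.lower().translate(_LEET)
    return re.sub(r"[^a-z0-9]", "", text)


def check_password(password, username=""):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []

    # Composition rules quoted in the article.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")

    # Obvious passwords: banned words and their trivial variants,
    # repetition of the user name, and date-like strings.
    norm = _normalise(password)
    for word in BANNED_WORDS:
        if word in norm:
            problems.append(f"trivial variant of '{word}'")
    user = _normalise(username)
    if len(user) >= 3 and user in norm:   # very short names would match anything
        problems.append("repeats the user name")
    if any(p.search(password) for p in _DATE_PATTERNS):
        problems.append("looks like a date")

    return problems


def is_acceptable(password, username=""):
    """Convenience wrapper for the yes/no decision at enrolment or reset."""
    return not check_password(password, username)


if __name__ == "__main__":
    # Constructed sample candidates for a hypothetical user "jsmith".
    for candidate in ("P@ssw0rd1", "jsmith2024!", "Kx#19851201", "Tui-m0ana!7"):
        print(candidate, "->", check_password(candidate, "jsmith") or "OK")
```

Note that the checker rejects a password that merely *contains* a banned word or the user name after normalisation, which is stricter than rejecting only exact matches; an agency adopting this style of check would need to decide whether that reading of "trivial variants" matches its own policy.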
A companion guide to the standards advises on the choice of multi-factor identification methods. It discusses the basic framework of combining “something you know” (a password), “something you have” (a software or hardware “token”) and/or “something you are” (a biometric characteristic), then summarises the various forms of token and biometric, the kinds of attack that can be mounted against passwords, tokens and biometrics, and their advantages and disadvantages in particular situations.
Before a user gets a password or token they must pass through an “evidence of identity” stage, which proves to an appropriate degree of reliability that they are who they say they are.
The evidence of identity (EOI) standard, set out by the Department of Internal Affairs, again provides for flexibility. The guidelines are expressed through two main examples — granting of New Zealand citizenship and admission to university. The standard document emphasises that “there is no ‘one size fits all’ EOI process that can be applied to all services requiring identity to be established.”
“If a uniform approach were taken, it would risk ‘ratcheting up’ EOI processes for all government services to [the highest level]. This would be unduly costly for lower-risk services.” Such an approach, which would require, say, a passport to prove identity in order to join a library, would also be likely to be unduly invasive of the applicant’s privacy, the standard says.
Where the user is concerned, “not everyone can access the same identity documentation”, so a set of uniform EOI requirements “may unnecessarily restrict access to certain government services for some people.”
Throughout, procedures are related back to assessments of risk according to already established standards. These commit an agency to consider the consequences of misidentification, both as abuse of the agency’s services and as harm to the user’s life, reputation and future confidence in government services. The SSC and DIA are inviting proposals from agencies to devise authentication and EOI procedures.