The State Services Commission’s ICT branch has put out for comment a detailed standard for authentication of clients who use government services.
While a centralised all-of-government authentication mechanism is currently under test, the standards document acknowledges that some agencies may wish to go their own way on authentication.
Standards will ensure that whoever implements the authentication, it will provide customer and agency with protection against fraud and deception that is consistent and appropriate to the risk of the transaction being conducted. It should encourage a “more consistent [user] experience” from one agency to another, as well as improving familiarity and confidence in government standards.
The standards are intended chiefly for use in an online environment, but procedures for initially establishing a client’s identity — the Evidence of Identity Standard — “applies to all services, regardless of the data channel”, says the document.
After a client’s identity has been satisfactorily established they will be given an authentication token of some kind, typically a user-name and password, to be used on future occasions when dealing with the agency.
Different scales of authentication apply to different transactions. Some, such as requests for generic information like a brochure, will require no authentication at all.
Beyond this, low, moderate and high identification requirements are set out and a risk analysis procedure provided to evaluate the likely result of a transaction being compromised and assign it to the appropriate category.
Low-risk transactions will be handled with an identifier and password, and medium ones with two-factor identification involving exchange of a software token or biometric data for the session in addition to the initial identification.
High level transactions will be conducted with two-factor identification using a hardware token.
The document summarises the kinds of attacks that can be mounted against authentication and measures that can minimise the risk, such as encryption of communications.
Comments on the standard are requested, by February 17, 2006.