Confidentiality shrouds the New Zealand government’s work with preferred supplier Datacom on an acceptable centralised method of authenticating users of government services. In particular, e-government unit head Laurence Millar declines to say how firm the specification for the authentication scheme is, and how much detail work remains to be done.
While negotiations, expected to take until March, are in progress, “we are saying nothing more than the statement that is on our website,” he says.
This discloses only that the scheme will use “RSA technology”. Millar has confirmed that this means one or more of several technologies supplied by US firm RSA Security. From this, some media have made the leap to supposing that the technology may involve two-factor identification through use of a cellphone, as implemented by that company for the ASB Bank. A user is sent a second password by SMS, which they use in addition to their regular identifier when transferring large amounts of funds.
RSA Security has a number of other solutions, however; a common implementation of its two-factor SecurID technology involves a purpose-designed handheld instrument which generates passwords with a limited lifetime.
Millar declines to comment on any intention to use two-factor authentication of any kind, although he confirms that the website statement “means that the Datacom proposal included a number of products supplied by RSA Security Inc,” not simply the RSA algorithm, now in the public domain.
Sceptics in the market have already begun to pick holes in the suggested cellphone solution, implying it is open to security breach through keylogging and the use of Trojans. Discussions in online forums (such as Aardvark) suggest improvements to the basic scheme to plug any such holes.
Meanwhile the Australian Federal government has taken a different tack to secure online use of government services, with the trialling of a “document verification” scheme.
Rather than introduce a new identifier for online access, the Australian plan is to develop a database of existing identification documents, such as passports and birth certificates, to help ensure the copies of documents presented as identity are not forged or stolen.
Australian Attorney-General Philip Ruddock is at pains to point out that the scheme does not introduce a feared new “unique identifier”, such as that contemplated with the Australia Card, a proposal shelved in 1987. Nor will it be used, he says, to allow one agency to get access to an individual’s private records in another agency’s database.
As a step to calming similar fears here, New Zealand’s planned system introduces a single “identity credential” for each person, but this may have several identities attached to it which will not be cross-matched except in cases of urgent need.