New Zealand government standards up for comment

The State Services Commission’s ICT branch in New Zealand has putout for comment a detailed standard for authentication of clientswho use government services.

While a centralized all-of-government authentication mechanism iscurrently under test, the standards document acknowledges that someagencies may wish to go their own way on authentication.

Standards will ensure that whoever implements the authentication,it will provide customer and agency with protection against fraudand deception that is consistent and appropriate to the risk of thetransaction being conducted. It should encourage a “more consistent[user] experience” from one agency to another, as well as improvingfamiliarity and confidence in government standards.

The standards are intended chiefly for use in an onlineenvironment, but procedures for initially establishing a client’sidentity — the Evidence of Identity Standard — “applies to allservices, regardless of the data channel”, says the document.

After a client’s identity has been satisfactorily established theywill be given an authentication token of some kind, typically auser-name and password, to be used on future occasions when dealingwith the agency.

Different scales of authentication apply to different transactions.Some, such as requests for generic information like a brochure,will require no authentication at all.

Beyond this, low, moderate and high identification requirements areset out and a risk analysis procedure provided to evaluate thelikely result of a transaction being compromised and assign it tothe appropriate category.

Low-risk transactions will be handled with an identifier andpassword, and medium ones with two-factor identification involvingexchange of a software token or biometric data for the session inaddition to the initial identification.

High level transactions will be conducted with two-factoridentification using a hardware token.

The document summarizes the kinds of attacks that can be mountedagainst authentication and measures that can minimize the risk,such as encryption of communications.

Comments on the standard are requested, by February 17, 2006.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Previous article
Next article

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now