Authentication standards

The Authentication standards and related guidelines were created to support the establishment and on-going confirmation of identity; and were used in the development of the Government Logon Service(GLS) and an Identity Verification Service (IVS). RealMe® services from the New Zealand government and New Zealand Post replaced the GLS and IVS. RealMe® is currently mandated for customer to government use.

The Authentication standards provide a framework that promotes consistent authentication of identity by government agencies, regardless of whether agencies use the mandated RealMe® shared services or implement their own solutions.

For each service they provide, agencies must determine the level of identity-related risk. This level corresponds to a level of confidence required to establish an individual's identity and to an authentication key that provides on-going verification of identity. Other standards define data formats for identity-related data and message formats for confirmation of identity. The following standards have been developed:

Guide to Authentication Standards for Online Services
Evidence of Identity Standard [Department of Internal Affairs]
Note that the Evidence of Identity Standard, developed by the Department of Internal Affairs, is applicable to all services, regardless of whether or not they are delivered through an online channel.
Authentication Key Strengths Standard
Guidance on Multi-factor Identification
Data Formats for Identity Records Standard v1.1 [Deprecated - superseded by the New Zealand Government OASIS CIQ Profiles]
Password Standard [Deprecated - refer to the NZISM chapter 16]
New Zealand Security Assertion Messaging Standard v1.0

In accordance with the provisions of the Authentication Standards, the Authentication Standards for Online Services Working Groups may from time to time agree to minor corrections, additional explanations, amendments or revisions of these standards. Such changes will also be included in any subsequent re-printings of the Standards concerned:

Amendments – Authentication Standards

The authentication standards are now managed by Government Enterprise Architecture, Department of Internal Affairs on behalf of the Government Chief Information Officer (GCIO). Email GEA@dia.govt.nz to contact Government Enterprise Architecture.

A set of Frequently Asked Questions (FAQs) provides more information about the authentication standards.

Amendments to Authentication Standards

This section contains amendments to the NZ authentication standards.

More
Updates to the HTML versions of the Authentication Standards

In the HTML versions of the Authentication Standards amendments as detailed in Amendments to Authentications Standards have been made by Government Enterprise Architecture on behalf of the Government Chief Information Officer (GCIO).

More
Review of the Authentication Standards

Since the Authentication Standards were published between 2006 and 2009 there have been a changes to; referenced services, referenced documents, references NZ standards, and referenced international standards. As a result of a review the list below is provided so the reader can check the more recent relevant material:

More
Frequently Asked Questions

FAQs

More
Guide to Authentication Standards for Online Services

This Guide is an entry point and navigation tool for the suite of NZ authentication standards. These standards were created in 2006 using the e-GIF standards creation process and incorporated into the e-GIF body of knowledge.

More
Authentication Key Strengths Standard

This Authentication Key Strengths Standard defines the requirements for the authentication keys and protections for the online authentication exchange. Readers of this Standard should also refer to the Guide to Authentication Standards for Online Services, which provides a high-level overview of the authentication standards.

More
Guidance on Multi-factor Identification

The Guidance to Multi-factor Authentication is part of the Authentications standards.

More
Data Formats for Identity Records Standard - Deprecated

The status of the Data Formats for Identity Records Standard now deprecated.
The Data Formats for Identity Records Standard has been superseded by the New Zealand Government OASIS CIQ Profiles.

More
Password Standard - Deprecated

This Password Standard defined the password requirements for online services in the Low Risk Category.
The status of the Password Standard now deprecated. This was agreed at the August 2017 Government Enterprise Architecture Group (GEAG). Please refer to the New Zealand Information Security Manual (NZISM) chapter 16.

More
New Zealand Security Assertion Messaging Standard

This New Zealand Security Assertion Messaging Standard prescribes messaging standards for communicating a range of security assertions (authentication, identity attributes and authorisation) in New Zealand government online services. The Standard is abbreviated to NZ SAMS. In this release, the NZ SAMS will focus on authentication assertions.

More