What's the RealMe Login service?

RealMe login service

RealMe® login service provides a single login, letting citizens use one username and password to access a wide range of services online. It also offers two-factor login where the online service requires a higher level of security.

Agency benefits include:

  • no need to build authentication capability in the online service
  • self-service and help desk login support centrally provided by RealMe
  • remove the need to invest in future authentication technologies such as biometrics

The RealMe login service is available to organisations in the wider government sector, but it is not currently offered to commercial organisations.

If your agency is launching an online service that has returning users and stores any form of personal data, then chances are that you have a need for the RealMe login service.

Key characteristics of the RealMe login service


The RealMe login service IdP was designed to meet the privacy principles(external link) enshrined in NZ's Privacy Act - in particular, principle 13 which limits the unnecessary disclosure of unique identifiers for individuals. After a successful authentication, the login service returns only one element to the agency - the Federated Logon Tag (FLT). The FLT is a unique 35 character string that is specific to an individual user and the agency's online service. This contrasts with social media logins such as Facebook that typically share a range of personal information with each authentication, or cloud authentication services such as Okta, OneLogin and Azure that are designed for enterprise use and release identifiers such as employee name or work email address. Therefore, an agency needs to determine an appropriate registration process to obtain the first time user's personal data - this isn't provided by the login service.

Authentication only

The RealMe login service performs a single function - authenticating the first time and returning user at the strength required by the agency. The login service does not have any information about the user's roles or online service permissions. Therefore an agency is responsible for providing the access control for website users.