Other design considerations for login
Your organisation must provide the service user with the ability to log out from the application, online service, or session following an initial authentication by the RealMe service, and this must close the user’s session. The logout option should be in the top right-hand header to ensure a consistent user experience.
The label should ideally display “logout”, in order to provide consistency for customers. In some instances, an alternate form such as “log out” or “sign-out” may be used, where this is embedded in the underlying application software.
The Password Standard specifies there must be an inactivity logout from the online service for government agencies. For security purposes, this will apply to all integrated organisations.
Note that some actions, such as filling in forms, may not be detected as activity, so services need to be appropriately designed to avoid users timing out in these circumstances.
Your organisation is responsible for providing appropriate functionality to log out a customer after 15 minutes of inactivity.
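The following added example (not code from RealMe or from any integrating organisation) shows one way to enforce the 15-minute inactivity logout on the server while counting form input as activity through a throttled heartbeat. The class, function and parameter names and the one-minute heartbeat interval are assumptions made for illustration.

```javascript
// Added example; class, function and parameter names are hypothetical.
const IDLE_LIMIT_MS = 15 * 60 * 1000; // 15 minutes of inactivity, as the page requires

class IdleSessionStore {
  // `now` is injectable so the timeout can be exercised without waiting.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.sessions = new Map(); // sessionId -> { user, lastActivity }
  }
  // sessionId is assumed to be issued from a CSPRNG after RealMe authentication.
  create(sessionId, user) {
    this.sessions.set(sessionId, { user, lastActivity: this.now() });
  }
  // Checks the idle limit without extending it; expired sessions are closed server-side.
  isActive(sessionId) {
    const s = this.sessions.get(sessionId);
    if (!s) return false;
    if (this.now() - s.lastActivity >= IDLE_LIMIT_MS) {
      this.sessions.delete(sessionId);
      return false;
    }
    return true;
  }
  // Call on every authenticated request and on every client heartbeat.
  touch(sessionId) {
    if (!this.isActive(sessionId)) return false;
    this.sessions.get(sessionId).lastActivity = this.now();
    return true;
  }
  // Explicit logout: the session must stop existing on the server, not just in the UI.
  logout(sessionId) {
    return this.sessions.delete(sessionId);
  }
}

// Client side: typing in a form sends no requests, so report it explicitly.
// In a browser: form.addEventListener("input", reporter) with sendHeartbeat
// posting to an authenticated endpoint that calls store.touch(sessionId).
// Throttled so a burst of keystrokes produces at most one heartbeat per interval.
function makeActivityReporter(sendHeartbeat, now = () => Date.now(), minIntervalMs = 60 * 1000) {
  let lastSent = -Infinity;
  return function reporter() {
    const t = now();
    if (t - lastSent < minIntervalMs) return false;
    lastSent = t;
    sendHeartbeat();
    return true;
  };
}
```

The idle limit is checked on the server, so a client that stops sending heartbeats or tampers with its own timer still loses the session at 15 minutes.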
Moderate strength login
If your online service uses a moderate strength login, consider whether more information should be communicated to users. The idea of extra security and RealMe codes (TXT and Authenticator app) will not be familiar to all users.
When a user is redirected from your agency to the RealMe login service to be authenticated at moderate strength, they will be helped through the process of adding a mobile phone for code by TXT if they only have a basic login with username and password.
The basic information for moderate strength users is:
- The user must have a mobile phone to receive codes by TXT.
- The user should be familiar with how TXT messaging works.
- Whether you will offer an alternative if a login user does not have a mobile phone, and information about how to request this.
Information about RealMe codes is available on the RealMe website at www.realme.govt.nz.
Where an Authenticator application is to be used, the user must already have enabled RealMe code by TXT and their mobile device must have the application downloaded. Users should also be familiar with how the application works. More information is available on www.realme.govt.nz.
Activation code (first time user)
Your organisation will need to associate a user with their user record if you register users before they log in for the first time, or you may need to ensure that the person who initiated the online application is the person who completed the evidence of identity process.
Your business requirements may allow an activation code to be used; if so, this code must satisfy the relevant sections of the Password Standard.