Identity risk and authentication strength
The recommended approach for starting business process design is to undertake an identity-related risk assessment. Its result determines which evidence of identity (EOI) process, if any, is required for customers of the agency's online service.
The Department of Internal Affairs has produced Identification Management Standards and can work with agencies to determine identity-related risks through a risk assessment. This is a free service for agencies. The final outcome of the formal identity-related risk assessment is the identification of an identity risk category.
When implementing an online service, agencies are also required to examine possible threats from sources such as malicious software (e.g. viruses), hackers, politically motivated groups, criminals, users (accidental and intentional), system administrators (accidental and intentional), natural disasters, local environment problems, and hardware failures.
The identity risk category from the risk assessment indicates the corresponding login strength required:

| Risk | Strength | Login type |
| --- | --- | --- |
| Low risk | Low strength | Username and password |
| Medium risk | Medium strength | Username, password, and a RealMe code delivered by TXT or generated by an authenticator app |
| High risk | High strength | Not currently supported |