Identity risk and authentication strength

The recommended approach for starting business process design is to undertake an identity related risk assessment. This is used to determine which evidence of identity (EOI) process, if any, is required for the customers of the agency online service.

The Department of Internal Affairs has produced Identification Management Standards (external link) and are able to work with agencies to determine the identity related risks through a risk assessment. This is a free service for agencies. The final outcome of the formal identity related  risk assessment will be the identification of an identity risk category.

When implementing an online service agencies are also required to examine possible threats from sources such as malicious software (e.g. viruses), hackers, politically motivated groups, criminals, users (accidental and intentional), system administrators (accidental and intentional), natural disasters and local environment problems and hardware failures.

The risk assessment indicates the appropriate corresponding login strength.

Risk Strength Login type
Low risk Low strength Username and password
Medium risk Medium strength Username, password, and RealMe code by TXT, or by Authenticator app
High risk High strength This type is currently not supported