NZ Government authentication approach

August 24, 2007 at 8:28 pm

Following an earlier post on the Austrian ID system, several people got in touch asking me to blog about the New Zealand Government’s approach to authentication.

That’s not a very appealing thought; that’s my day job. Besides, this is supposed to be a personal blog.

So I thought the best thing was to point interested people to three links:

First, the website of the Authentication Programme. It provides a good overview of what we’re doing.

Secondly, what the media has been saying about the Programme. We maintain the list of links via (which, by the way, I think is a really neat way to manage it). You can go via a link at the website above or directly from here.

Finally, there is a PowerPoint presentation that was given at the Privacy Commissioner’s office some time back by one of the senior managers. This presentation contains more information about the Identity Verification Service, which is the identity component of the authentication service.

Entry filed under: authentication, government, identity, igovt, NZ, personal_info, privacy, security, strategy.


2 Comments

  • 1. codetechnology  |  August 30, 2007 at 1:56 am

    I’ve been involved with a large IAM project for four years (in Alberta, Canada) and it was very interesting to read through the powerpoint. You have separated the components right — I wish we had such clear separation when we started (our project launched in 2002, so we didn’t have many proven models to follow…)

    One thing we have implemented, to account for the different types of information being accessed, are Security Levels based on the quality of the user identity process used to create the ID. Pseudo-anonymous only requires basic, unvalidated registration information, whereas Confidential (e.g. student marks) and Restricted (medical information) require much more extensive processes to be followed. The security level is then mapped to an authentication strength, e.g. anything above Confidential requires two-factor authentication.


  • 2. Vikram  |  August 30, 2007 at 2:11 pm

    Good point Mike.
    In NZ we do have a risk-based authentication strength such as you’ve described. The framework is part of the Authentication Standards.
    A good reference to see the different service risk categories, evidence of identity strengths, and logon (authentication) types is in the Guide at



This blog is no longer updated. See the About page for more info. I'm currently active on Twitter.
