Implementing the Credential Service Standard
Guidance on the Credential Service Standard and how to conform with the controls.
Help us create the best guidance possible
If you would like anything added to or clarified in this guidance, email the Identification Management team at idmstandards@gdda.govt.nz.
Introduction
Credential services deal with all the aspects of creating and managing Credentials and Authenticators that can be used in multiple contexts.
The Standard applies to any Credential Provider who establishes one or more Credentials.
The scope of the requirements in the Standard explicitly relates to the identification aspects of Credentials. It does not include considerations for security, other implementation matters, or any contractual agreements.
For definitions of key terms used in this guidance, see Identification terminology.
This living guidance will evolve and expand over time to meet the needs of users.
Guidance for Credential Providers establishing Credentials
Credential Provider refers to the party accountable for the controls covered by this standard, even if they’ve delegated or contracted delivery responsibility to other parties.
At a minimum, a Credential consists of an Authenticator and metadata. Most Credentials have additional Entity Information related to their use for specific purposes — for example, to travel or to drive. Information in a Credential has 3 aspects:
- Credential subject information — this is information that the Holder of the Credential is overtly aware of making available to a Relying Party for their decision making. This information is usually about the Holder but can include another Entity’s information that the Holder has the authority to use (for example, organisation information).
- Presentation information — this is information (including metadata) and associated processes that support the trust, integrity and operation of the Credential (for example, security features, encryption, digital certificates).
- Facilitation information — this is information (usually metadata) that’s used when a Credential (usually digital) is connected to and presented by a facilitation mechanism (for example, references, timestamps, transaction identifiers, logs).
This guidance for Credential Providers establishing Credentials applies to the relationship between an Entity, a Credential Provider and the Credential that they establish.
Objective 1: Credential risk is understood
Applying a risk-based approach to Credentials helps to identify the aspects that drive the level of risk. Understanding this enables the development of a wide range of mitigation strategies and helps to determine the strength of an Authenticator for the Credential.
FA1.01 Guidance — risk assessment
Any robust risk assessment process may be used to identify the risk of the Credential. The context for the Credential is the purpose it’s to serve and the environment in which it will exist, including whether it’s a physical or digital credential.
A workbook has been developed to help with undertaking an identification risk assessment of a Credential. For a copy, email idmstandards@gdda.govt.nz.
It’s not the role of the Credential Provider to predict the risk of the services offered by any Relying Party who may accept the Credential. However, it will be useful to understand the levels of assurance required by the Relying Parties and Entities for whom the Credential may be designed.
FA1.02 Guidance — credential information risk
Currently Credentials contain relatively small amounts of information.
Digital Credentials can limit this further by allowing only a subset of attributes to be accessible through a facilitation mechanism.
When a Holder is provided a management function for their digital Credential, they’ll have visibility of information related to the Credential. As Credentials will potentially gather larger amounts of information in the future, the risk that this could expose the Holder needs to be understood and the appropriate additional authentication requirements implemented.
Objective 2: Credentials have recognised levels of assurance
A key element of trust is being able to recognise a Credential and understand the assurance that it provides.
FA2.01 Guidance — related standards compliance
Prior to establishing a Credential, the Credential Provider enrols the Entity. This is done as a Relying Party as they will be relying on evidence provided by others for establishing the assurance levels of the information collected. Assurance levels for the Credential Subject Information will be based on the application of the:
If the account or record created from the enrolment process needs an Authenticator, then the Authentication Assurance Standard will also be used at that point (for example, access to the account could be an online portal with a password).
When the Credential is established, it will also need an Authenticator, for example, a physical document containing an image. The following standard applies:
Where a Credential is in digital form, there may be two other Authenticators to consider; any temporary one to manage adding the Credential to a facilitation mechanism, then any Authenticator provided by the facilitation mechanism. Where the Credential Provider cannot specify the level of authentication assurance (LoAA) for a facilitation mechanism used by their Credential, it will impact this level for the Credential.
The levels to which assurance has been gained against the above standards will be a contributing element to the levels to be declared in FA2.02.
FA2.02 Guidance — recognised levels of assurance
Declaring the levels of assurance of Credential subject information is a key component to evaluating the strength and reliability of that information. Various methods may be used to make this declaration, for example, posting the information on a website with other material about the Credential. Credentials that are offered digitally can include the levels in metadata.
When a Credential Provider declares levels of information assurance (LoIA) for their Credential, an attribute verified at LoIA3 or LoIA4 is declared one level below the level achieved at verification, unless a synchronised link is maintained with the evidence used in IA3.03. Examples:
- An endorsement on a driver licence for driving forklifts was verified against the driver licence document and LoIA3 is achieved — when the Credential is created, it’s a reference to a copy of the attribute value, so it becomes LoIA2.
- The endorsement is verified against the driver licence database, and LoIA4 is achieved — the new Credential value is a copy of the authoritative source at a point in time, so it becomes LoIA3.
- A database record is created for a right to fish in a particular river; the angler’s name on the record is checked with the authoritative source at the time of application. The right to fish and the name of the river are LoIA4 and the angler’s name is LoIA3. A Credential is then issued. If the right to fish and the river name could be changed in the database without impacting the Credential, they are LoIA3 in the Credential. But if the angler’s name cannot be changed in the database unless a new Credential is applied for, then the angler’s name keeps LoIA3 in both the database record and the Credential.
- An endorsement for driving a heavy vehicle is verified against the driver licence database, and LoIA4 is achieved — the new Credential, which is digital, always accesses the driver licence database for the current value every time it’s presented, so this is deemed synchronous and has a level of LoIA4.
When trying to determine if something is synchronous, ask if one source can be changed without changing the other or immediately revoking the Credential. If it can, the two are not synchronous and the copy is declared a level lower; if it cannot, they’re considered synchronous and the Credential value keeps the level achieved at verification.
Once LoIA2 is reached then the level for copies can drop no further, as LoIA1 is accepting the evidence at ‘face value’.
Where a Credential Provider adds attributes to a Credential that it created, such as an expiry date or a reference number, the Credential Provider is the authoritative source of these values. These attributes can have higher levels of assurance than Credential subject information from other sources.
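The step-down rule and the four examples above can be written down as a small function that produces the per-attribute LoIA declaration a digital Credential carries in its metadata. This is an added illustration, not code from the Standard or from any Credential Provider; the struct fields, attribute names and the assumption that a provider-created value such as an expiry date is declared at LoIA4 are all choices made for the example.

```go
package main

import "fmt"

// Attribute records how one value in a Credential was obtained.
// Field names are assumptions made for this illustration.
type Attribute struct {
	Name       string
	SourceLoIA int // LoIA achieved when the value was verified at enrolment (1..4)
	// Synchronised is true only if the source cannot change without the
	// Credential value changing too, or the Credential being revoked at once.
	Synchronised bool
	// ProviderOwned marks values the Credential Provider is itself the
	// authoritative source for (expiry date, reference number).
	ProviderOwned bool
}

// DeclaredLoIA applies the FA2.02 rule to one attribute: a detached copy of
// a LoIA3 or LoIA4 value is declared one level lower, LoIA1 and LoIA2 are
// never lowered, and synchronised or provider-owned values keep their level.
func DeclaredLoIA(a Attribute) (int, error) {
	if a.SourceLoIA < 1 || a.SourceLoIA > 4 {
		return 0, fmt.Errorf("attribute %q: source LoIA %d is outside 1..4", a.Name, a.SourceLoIA)
	}
	if a.ProviderOwned || a.Synchronised {
		return a.SourceLoIA, nil
	}
	if a.SourceLoIA >= 3 {
		return a.SourceLoIA - 1, nil
	}
	return a.SourceLoIA, nil // LoIA2 is the floor for copies; LoIA1 is face value
}

// DeclareLevels builds the per-attribute declaration that a digital
// Credential can publish in its metadata.
func DeclareLevels(attrs []Attribute) (map[string]int, error) {
	levels := make(map[string]int, len(attrs))
	for _, a := range attrs {
		l, err := DeclaredLoIA(a)
		if err != nil {
			return nil, err
		}
		levels[a.Name] = l
	}
	return levels, nil
}

// WorkedExamples encodes the cases given in the guidance; the attribute
// names are constructed for the example.
func WorkedExamples() []Attribute {
	return []Attribute{
		// endorsement verified against the licence document, copied into the Credential
		{Name: "forklift_endorsement", SourceLoIA: 3},
		// endorsement verified against the licence database, copied at a point in time
		{Name: "database_endorsement", SourceLoIA: 4},
		// digital Credential that reads the database at every presentation
		{Name: "heavy_vehicle_endorsement", SourceLoIA: 4, Synchronised: true},
		// fishing right and river name can change in the database without affecting the Credential
		{Name: "right_to_fish", SourceLoIA: 4},
		{Name: "river", SourceLoIA: 4},
		// angler's name cannot change without a new Credential being applied for
		{Name: "angler_name", SourceLoIA: 3, Synchronised: true},
		// value created by the provider itself; LoIA4 here is an assumption
		{Name: "expiry_date", SourceLoIA: 4, ProviderOwned: true},
	}
}

func main() {
	levels, err := DeclareLevels(WorkedExamples())
	if err != nil {
		panic(err)
	}
	for _, a := range WorkedExamples() {
		fmt.Printf("%-26s verified LoIA%d  declared LoIA%d\n", a.Name, a.SourceLoIA, levels[a.Name])
	}
}
```

The declared map is what a Relying Party would read alongside the Credential; a value that a Relying Party cannot see a declaration for should be treated as LoIA1, not as the level the provider happened to achieve at enrolment.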
FA2.03 Guidance — recognisable credential
Recognition of Credentials is related to recognising Credential Providers, as both are integral for trusting the information and processes that they represent. They’re also needed for the ability to query an issue with either a Credential or transaction.
For physical Credentials: Features that require proprietary knowledge to be able to reproduce it, branding characteristics, fonts, watermarks or references that allow for independent contact with and/or verification with the Credential Provider.
For digital Credentials: Digital certificates, cryptography and other tamper protections that can be systematically identified and/or access only enabled through a pre-established trusted communication channel.
FA2.04 Guidance — recognisable credential provider
In conjunction with the need to have a recognisable Credential, recognition of the Credential Provider contributes to the integrity of a Credential. The Credential Provider is also the party that will hold any confirmation of conformance with this Standard.
Public branding plays a significant part in the recognition of a Credential Provider. Where reputation is concerned, measures outside the context of identification management will be taken to protect the brand from misuse by unauthorised parties.
In the digital world, independently verifiable Credential Provider identifiers and digital certificates or asymmetric keys can be used to aid with recognising and confirming Credential Providers.
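For FA2.03 and FA2.04 together, the following is an added example, not code from the Standard or from any provider, of what "digital certificates, cryptography and other tamper protections" and "independently verifiable Credential Provider identifiers" look like in practice: the provider signs the Credential with an asymmetric key, the key identifier is derived from the public key so any party can check it, and the Relying Party verifies against a registry of recognised providers. The provider identifier, field names and subject values are constructed for the illustration; a real deployment would populate the registry from a trust list or certificates rather than in code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is a minimal digital Credential: subject information, the
// declared LoIA per attribute, an expiry set by the provider, and the
// provider's signature over everything else. Field names are assumptions.
type Credential struct {
	Issuer    string            `json:"issuer"` // independently verifiable provider identifier
	KeyID     string            `json:"kid"`    // which of the provider's keys signed it
	Subject   map[string]string `json:"subject"`
	Levels    map[string]int    `json:"loia"`
	Expiry    string            `json:"exp"`
	Signature []byte            `json:"sig,omitempty"`
}

// Registry is the Relying Party's list of recognised providers, keyed by
// provider identifier and key id.
type Registry map[string]ed25519.PublicKey

func registryKey(issuer, kid string) string { return issuer + "#" + kid }

// KeyID derives the key identifier from the public key bytes, so the kid in
// a Credential can be checked against the key it resolves to.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// signingInput is the canonical byte string that is signed: the JSON form of
// the Credential with the signature cleared. encoding/json writes struct
// fields in declaration order and map keys sorted, so both sides agree.
func signingInput(c Credential) ([]byte, error) {
	c.Signature = nil
	return json.Marshal(c)
}

// Issue signs the Credential with the provider's private key.
func Issue(priv ed25519.PrivateKey, c Credential) (Credential, error) {
	c.KeyID = KeyID(priv.Public().(ed25519.PublicKey))
	msg, err := signingInput(c)
	if err != nil {
		return Credential{}, err
	}
	c.Signature = ed25519.Sign(priv, msg)
	return c, nil
}

// Verify is the Relying Party's check: issuer and kid must resolve to a
// registered key, the kid must match that key (guards a mis-populated
// registry), and the signature must cover the presented content unchanged.
func Verify(reg Registry, c Credential) error {
	pub, ok := reg[registryKey(c.Issuer, c.KeyID)]
	if !ok {
		return fmt.Errorf("issuer %q with key %q is not a recognised Credential Provider", c.Issuer, c.KeyID)
	}
	if KeyID(pub) != c.KeyID {
		return errors.New("key id does not match the registered key")
	}
	msg, err := signingInput(c)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, c.Signature) {
		return errors.New("signature invalid: content altered or not signed by this provider")
	}
	return nil
}

// NewProviderKey generates a provider signing key and the registry entry a
// Relying Party would hold for it.
func NewProviderKey(issuer string) (ed25519.PrivateKey, Registry, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return priv, Registry{registryKey(issuer, KeyID(pub)): pub}, nil
}

func main() {
	issuer := "https://licences.example.govt.nz" // assumed provider identifier
	priv, reg, err := NewProviderKey(issuer)
	if err != nil {
		panic(err)
	}
	cred, err := Issue(priv, Credential{
		Issuer:  issuer,
		Subject: map[string]string{"name": "Hinemoa Rangi", "heavy_vehicle_endorsement": "yes"}, // constructed sample
		Levels:  map[string]int{"name": 3, "heavy_vehicle_endorsement": 4},
		Expiry:  "2027-06-30",
	})
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine credential:", Verify(reg, cred))
	tampered := cred
	tampered.Expiry = "2099-12-31"
	fmt.Println("altered expiry:", Verify(reg, tampered))
}
```

A Credential signed by a key that is not in the registry fails for the same reason a forged brand on a physical document should: the Relying Party cannot trace it to a recognised Credential Provider, regardless of how plausible its contents are.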
Objective 3: Credential is privacy-preserving
A Holder using the same Credential across multiple contexts potentially enables the building of profiles and tracking of the Holder’s transactions across those contexts. Without taking steps to minimise or prevent this, Holders’ privacy could be at risk, and they could be inhibited from adopting reusable services.
FA3.01 Guidance — withholding entity information identifier
Entity Information identifiers include system-generated, assigned or collected identifiers that can uniquely identify a set of Entity Information in a given context, even if other attributes are identical.
The sharing of these identifiers across multiple contexts has the potential to allow the correlation of Entity information from multiple sources, without the subject’s permission or knowledge.
This control does not limit the sharing of an identifier that has a prescribed purpose (usually stated in legislation), providing the sharing is for that purpose only. Information on the limitation of the use of these identifiers and who they can be shared with will be made available to Holders and Facilitation Providers. Examples of identifiers with a prescribed purpose:
- Tax file number
- National Student Index (NSI) number
- National Health Index (NHI) number
Where an identifier is essential for administration and maintenance of a Credential, consider using a Credential identifier that’s only valid for the life of the Credential. Digital implementations can also support Credential presentation identifiers that are unique to each presentation of the Credential.
FA3.02 Guidance — partial credentials
Information minimisation is a key principle for preserving privacy.
Limit the number of attributes to those essential for the purpose of the Credential. This could also include consideration of single attribute Credentials.
Digital Credentials have more capability for supporting minimisation if they can allow Holders to select which attributes are made available to a facilitation mechanism.
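The following added example (Go, not code from the Standard or from any wallet product) shows the FA3.01 and FA3.02 controls working together in a digital Credential: the Holder releases only the attributes a Relying Party asks for, a prescribed-purpose identifier is refused unless the stated purpose matches, each presentation carries a fresh random identifier rather than the Credential or Entity identifier, and the provider keeps the presentation-to-Credential mapping so a complaint can still be traced. The attribute names, purposes, Credential identifier and sample values (including the NHI-style number) are constructed for the illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"sort"
)

// HeldCredential is the Holder's copy of a digital Credential in a wallet.
// Field names and sample values are assumptions for this illustration.
type HeldCredential struct {
	CredentialID string            // valid only for the life of this Credential; never an Entity identifier
	Attributes   map[string]string // Credential subject information
	Restricted   map[string]string // prescribed-purpose identifier -> the only purpose it may be released for
}

// Presentation is what a Relying Party receives: a fresh identifier and only
// the attributes asked for.
type Presentation struct {
	PresentationID string
	Attributes     map[string]string
}

// ProviderLog is the provider-side record that lets a presentation be traced
// back to a Credential during a complaint, without the Relying Party ever
// seeing the Credential identifier.
type ProviderLog map[string]string // presentation id -> credential id

func newPresentationID() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Present builds a partial Credential for one Relying Party and purpose.
func Present(c HeldCredential, requested []string, purpose string, log ProviderLog) (Presentation, error) {
	out := Presentation{Attributes: make(map[string]string, len(requested))}
	for _, name := range requested {
		if allowedPurpose, restricted := c.Restricted[name]; restricted && allowedPurpose != purpose {
			return Presentation{}, fmt.Errorf("%s may only be shared for %q, not for %q", name, allowedPurpose, purpose)
		}
		v, ok := c.Attributes[name]
		if !ok {
			return Presentation{}, fmt.Errorf("attribute %q is not in the Credential", name)
		}
		out.Attributes[name] = v
	}
	id, err := newPresentationID()
	if err != nil {
		return Presentation{}, err
	}
	out.PresentationID = id
	log[id] = c.CredentialID
	return out, nil
}

// Correlatable lists the values two presentations share, i.e. what a pair of
// Relying Parties could use to link them if they compared notes.
func Correlatable(a, b Presentation) []string {
	shared := []string{}
	if a.PresentationID == b.PresentationID {
		shared = append(shared, "presentation_id")
	}
	for k, v := range a.Attributes {
		if bv, ok := b.Attributes[k]; ok && bv == v {
			shared = append(shared, k)
		}
	}
	sort.Strings(shared)
	return shared
}

// sampleCredential is a constructed Credential; the NHI-style value is a
// made-up test number, not a real identifier.
func sampleCredential() HeldCredential {
	return HeldCredential{
		CredentialID: "crd-4e1f9a2b",
		Attributes: map[string]string{
			"name":          "Hinemoa Rangi",
			"date_of_birth": "1990-03-14",
			"over_18":       "true",
			"nhi_number":    "ZZZ0016",
		},
		Restricted: map[string]string{"nhi_number": "health_treatment"},
	}
}

func main() {
	c := sampleCredential()
	plog := ProviderLog{}
	bar, _ := Present(c, []string{"over_18"}, "age_check", plog)
	clinic, _ := Present(c, []string{"name", "nhi_number"}, "health_treatment", plog)
	_, err := Present(c, []string{"nhi_number"}, "loyalty", plog)
	fmt.Println("bar:", bar.Attributes, "clinic:", clinic.Attributes)
	fmt.Println("retailer asking for NHI:", err)
	fmt.Println("shared between bar and clinic:", Correlatable(bar, clinic))
	fmt.Println("provider can resolve complaint about", bar.PresentationID, "to", plog[bar.PresentationID])
}
```

Note that a fresh presentation identifier only removes the link the provider would otherwise create; attributes the Holder chooses to release (a full name, a date of birth) can still correlate presentations, which is why FA3.02 asks for the attribute set to be minimised, not just the identifiers.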
Objective 4: Participation is inclusive
When deciding to issue a Credential, Credential Providers need to identify who the Holders will be and ensure that those Holders are able to get the Credential.
FA4.01 Guidance — credential entities
Identifying the Entities who will hold the Credential does not usually mean identifying the individual entities. It’s about understanding the nature of the group that will be applying and what may impact the application process.
- Where are the Entities located?
- Will they have access to the application process?
- Will they be able to understand any communication or messaging?
- Will they have the ability to undertake the process, physically and mentally?
In most cases, it will still be optional whether an Entity in the identified group wishes to apply for the Credential.
The Holder in this context does not include where an Entity physically holds a Credential on another’s behalf, for example, a parent holding a child’s passport. When a passport is presented to a Relying Party the authentication is of the child, not the parent. The Relying Party is aware of the Entity the information in the Credential relates to.
If an Entity holds a Credential, for which they control the Authenticator and that Credential contains information about another Entity, then they’re the Holder. For example, a person could hold a Credential that contains information about an organisation they’re authorised to act on behalf of. In this case the information provided to the Relying Party will need to make it clear when the Holder is not the subject of the information.
FA4.02 Guidance — entities able to hold credential
Using the information gathered in FA4.01, design the application process and any exception processes to enable the target group to be able to become a Credential Holder.
- Providing communications and messaging in multiple languages
- Supporting in-person and remote application processes
- Supporting cultural and religious aspects that may impact the application process
- Having exception-handling processes in place to support those unable to meet the published requirements for establishing a Credential
Objective 5: Credential is maintained
A Credential is established at a point in time. As time goes by, elements of the Credential can become out of date. Maintenance is needed to ensure that its relevance and integrity continue.
These activities relate to managing the life cycle of the Credential and detecting fraud.
It can be common for Credential Providers to use specialised third parties as the Credential Holder’s contact point for these controls (for example, customer complaint services).
FA5.01 Guidance — updating credential
There are several ways for the information in a Credential to be updated.
The need to update can be triggered by:
- a request from the Holder
- a specified timeframe or expiry date
- an external notification, usually from the authoritative source.
Physical Credentials will need to be reissued to be updated. Including an expiry date that’s reflective of the purpose of the Credential will reduce the risk of it becoming outdated.
Digital Credentials can provide more flexibility, depending on how they’re implemented, potentially providing the ability to replace a value in the Credential with a newer value, with or without reissuing the Credential.
Where a digital Credential offers the ability to link to a maintained source of information, the latest value(s) can be drawn for each presentation.
FA5.02 Guidance — cancelling credential
Providing the means for a Holder to cancel a Credential includes providing them with an automated self-service application or a point of contact to request the Credential Provider to do so on their behalf.
The ability to cancel the Credential can include options to do so permanently or temporarily.
Depending on the reason for cancellation and/or the type of implementation, the action may be applied to the Authenticator or the Credential as a whole.
Physical destruction of a Credential is not enough to ensure that the status of the Credential is cancelled in all cases — for example, a Holder cutting up a membership card does not mean the Credential Provider is aware that the Holder no longer wants the card.
FA5.03 Guidance — loss of credential
Good Holder behaviour can be encouraged and the impact reduced by providing easy and effective means for the Holder to report loss or compromise of a Credential.
A dedicated email or phone number for accessing this service is desirable.
The processes that follow the loss or compromise need to be appropriate for the assurance level of the Credential.
FA5.04 Guidance — credential establishment complaints
Enabling the Holders of Credentials to make complaints or to raise issues about Credential establishment and maintenance contributes to their integrity and trust in their use.
A dedicated email or phone number for accessing this service is desirable.
Implementing a case management approach will help to ensure that the complaint or issue is tracked through diagnosis to solution. It will help the Holder’s experience by reducing the likelihood that they’ll have to provide information multiple times, and it will provide consistency during the process if multiple staff are involved.
FA5.05 Guidance — credential use complaints
Complaints about Credential presentations are highly likely to be the result of identity theft occurring or some other compromise of the Credential. This could be detected by either the Holder of the Credential or a Relying Party who has been presented with the Credential.
The means for making the complaint will be easy to find and use. As with FA5.04, dedicated access points for this purpose are desirable along with a case management approach.
The Credential Provider will assess the mechanisms for their efficacy in achieving resolution of complaints or problems.
If this avenue receives a complaint regarding a facilitated presentation and the Facilitation Provider is not the same as the Credential Provider, strong communication between the Providers is recommended to avoid the Holder or Relying Party feeling that Providers are shifting responsibility.
Credential Providers can utilise a specialist third party to manage complaints processes (FA5.04 and FA5.05) and the reporting of lost or stolen Credentials (FA5.03).
FA5.06 Guidance — credential status
A Credential status change can be initiated by the Holder or as the result of another process, such as investigation into fraud.
The status change may be temporary or permanent depending on the case (for example, suspending a Credential could allow for it to be reactivated in the future), while other statuses could require a completely new Credential to be established.
Determining the reason for permanently disabling or deleting a Credential before doing so, saves time and effort for the Holder and Credential Provider.
- The Credential Provider is notified of fraudulent use of a Credential and immediately sets the status to ‘suspended’ — after investigation the case is found to be true, and the status is changed to ‘revoked’.
- The Holder advises the Credential Provider that they’ve mislaid their Credential while shifting house. They’re confident they’ll find it, so the Credential is ‘suspended’ and then ‘reactivated’ when later reported found.
Wherever possible, the status is to be available to Facilitation Providers and Relying Parties.
For digital Credentials, this will be straightforward as the Facilitation Provider will have access to the Credential status during each presentation and can either prevent presentation or provide the status to the Relying Party, depending on the implementation.
Where a Credential does not require a Facilitation Provider, such as Credentials that are physical documents, it’s recommended that the status is published in a register or source that can be independently checked by the Relying Party.
The policies under which the Credential operates will determine if there’s a requirement to notify Relying Parties of any status change after the Credential was used (for example, a Credential that’s found to be fraudulent or incorrect sometime after it was established). The ability to notify Relying Parties and the method for doing so will vary depending on the implementation.
The Electronic Identity Verification Act 2012 outlines how to facilitate secure interactions between individuals and participating agencies (Relying Parties). It is the Act that authorises RealMe to operate. Section 20 of the Act requires RealMe to contact Relying Parties if a credential used with them has been revoked.
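The status life cycle described in FA5.06, the expiry check in FA5.07 and the activity log in FA5.08 can be held in one register that Facilitation Providers and Relying Parties query. The following Go code is an added example, not code from the Standard, from RealMe or from any provider: it enforces which status changes are allowed (suspended can be reactivated, revoked cannot), requires a recorded reason before any change, derives "expired" from the expiry date at check time rather than storing it, and logs every successful change with actor, reason and time. Status names, the in-memory storage and the sample identifiers are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

type Status string

const (
	Active    Status = "active"
	Suspended Status = "suspended"
	Revoked   Status = "revoked" // permanent: a new Credential must be established
	Expired   Status = "expired" // derived from the expiry date, never set by hand
)

// allowed lists the status changes the register accepts; Revoked is terminal.
var allowed = map[Status]map[Status]bool{
	Active:    {Suspended: true, Revoked: true},
	Suspended: {Active: true, Revoked: true},
	Revoked:   {},
}

// StatusEvent is one activity-log line: what changed, who asked, why and when.
type StatusEvent struct {
	CredentialID  string
	From, To      Status
	Actor, Reason string
	At            time.Time
}

type entry struct {
	status Status
	expiry time.Time
}

// Register is the provider's status source; in-memory here for illustration.
type Register struct {
	entries map[string]*entry
	Log     []StatusEvent
}

func NewRegister() *Register { return &Register{entries: map[string]*entry{}} }

// Establish records a newly issued Credential as active.
func (r *Register) Establish(id string, expiry, at time.Time) {
	r.entries[id] = &entry{status: Active, expiry: expiry}
	r.Log = append(r.Log, StatusEvent{CredentialID: id, To: Active, Actor: "provider", Reason: "established", At: at})
}

// Change moves a Credential to a new status if the transition is allowed and
// a reason has been determined (FA5.06 asks for the reason before permanent
// changes; requiring it for every change keeps the log useful).
func (r *Register) Change(id string, to Status, actor, reason string, at time.Time) error {
	e, ok := r.entries[id]
	if !ok {
		return fmt.Errorf("credential %s is not in the register", id)
	}
	if reason == "" {
		return errors.New("a reason must be recorded before changing status")
	}
	if !allowed[e.status][to] {
		return fmt.Errorf("credential %s cannot move from %s to %s", id, e.status, to)
	}
	r.Log = append(r.Log, StatusEvent{CredentialID: id, From: e.status, To: to, Actor: actor, Reason: reason, At: at})
	e.status = to
	return nil
}

// Check is what a Relying Party or Facilitation Provider calls before
// accepting a presentation. Expiry is evaluated at check time, so a lapsed
// Credential reports expired even though nobody changed its status.
func (r *Register) Check(id string, now time.Time) (Status, bool) {
	e, ok := r.entries[id]
	if !ok {
		return "", false
	}
	if e.status != Revoked && !now.Before(e.expiry) {
		return Expired, true
	}
	return e.status, true
}

func main() {
	r := NewRegister()
	now := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	expiry := time.Date(2027, 6, 30, 0, 0, 0, 0, time.UTC)
	r.Establish("crd-0001", expiry, now) // constructed identifiers
	r.Establish("crd-0002", expiry, now)
	// fraud report: suspend immediately, revoke once the investigation confirms it
	fmt.Println(r.Change("crd-0001", Suspended, "fraud-desk", "reported fraudulent use", now))
	fmt.Println(r.Change("crd-0001", Revoked, "fraud-desk", "investigation confirmed fraud", now))
	fmt.Println(r.Change("crd-0001", Active, "holder", "please reinstate", now)) // refused: revoked is terminal
	// mislaid while moving house: suspend, then reactivate when found
	fmt.Println(r.Change("crd-0002", Suspended, "holder", "mislaid during house move", now))
	fmt.Println(r.Change("crd-0002", Active, "holder", "credential found", now))
	fmt.Println(r.Check("crd-0002", now.AddDate(3, 0, 0))) // expired by then
	fmt.Printf("%d log entries\n", len(r.Log))
}
```

For a physical Credential the same register is what the Relying Party would consult independently (FA5.06 recommends publishing status in a checkable source); for a digital one the Facilitation Provider calls it on every presentation.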
FA5.07 Guidance — credential expiry
Setting expiry dates on Credentials provides an opportunity to check that the information in the Credential is up to date and that it remains in the possession and control of the Holder.
It allows for the inclusion of or compatibility with new technology and to make changes to address new threats.
FA5.08 Guidance — activity logs
Logging activity within a system is a key enabler for investigations and fraud detection. While a list of the minimum items is in the control, additional information is expected to be recorded relative to the purpose and outcomes of the system.
Where the Credential is a physical document, the recording of activity is more likely to be about the reissuing of the Credential.
FA5.09 Guidance — preventative measures
It’s helpful to think of preventative measures in the same way as risk controls. They’re grouped into:
- Preventative — those steps that stop a threat to the system altogether
- Corrective/Reductive — steps that will not stop a threat but will minimise the impact when it does happen
- Detective — steps to identify threat events so that corrective or preventative measures can be put in place
- Directive/Disincentive — these measures are the least effective as they rely on education and perception rather than on any real limitation.
For more information refer to guidance on Counter fraud techniques.
FA5.10 Guidance — Holder notifications
The ability to provide notifications to the Holder will be impacted by whether the Credential is facilitated during presentation or not.
In most cases, it’s not possible to notify a Holder of an unfacilitated use of a Credential. However, if a subsequent check against a source or register is undertaken as part of that use, this can be recorded and made available to the Holder on request.
For example, when a change to a Credential is made, the Holder receives a text to a pre-registered mobile phone. The message invites the Holder to contact the Credential Provider immediately if they did not make the change.
When a change is made to any contact information, notifications need to be sent to the previous contact points. Otherwise, where the change was unauthorised the notification would not be seen by the subject.
Digital Credentials
Digital Credentials cannot be used without being attached to a facilitation mechanism, for example, a digital wallet, hub or exchange.
A Credential Provider can run their own facilitation mechanism or use one supplied by another party. The requirements for facilitation mechanisms are covered in the Facilitation Service Standard.
Contact
Government Digital Delivery Agency
Email: idmstandards@gdda.govt.nz