We're developing new standards and guidance
We're developing new standards and guidance to replace the existing Evidence of Identity and Authentication Standards. Read about our approach and how you can be involved.
Have your say on our approach
We are currently seeking feedback on our approach to the redevelopment of identification standards and guidance.
The development principles
The following overarching principles will guide the development:
- risk-based approach - balancing effort with the risks posed by the service being delivered to the incorrect person
- objective-based controls - controls that allow for multiple and evolving ways to meet them
- channel and technology neutral - will enable consistency across delivery channels and robustness where environments and technologies change rapidly
- privacy centric - supporting minimal data collection and consent-based information sharing
- no National ID - supports New Zealanders' position regarding National ID.
Additionally, users of the current standards have asked for:
- one location with links to associated information
- wider focus on attribute verification
- clear distinction between guidance and compliance criteria.
How we will develop a unified language
A key element to both understanding and implementing identification processes is a consistent and clear language to describe all elements. Appropriate terms will be reused where they have been through rigorous development processes and are proven to be used effectively. Preference will be given to using dictionary definitions for terms. Where new terms are required, or existing terms are not yet widely tested and used consistently, they will be stabilised through consultation on material which puts them in context.
The identification functions
The material to be developed will focus on the following identification-related functions:
- Risk assessment - assessing services and transactions to identify the level of risk.
- Enrolment - gathering information and linking it to an entity enrolling in a service for the first time.
- Recognition - ensuring the same entity is returning to access the service.
- Federation - using authenticators and/or entity information across multiple contexts.
- Delegation - using the relationships between entities to allow an entity to act on behalf of another.
How each of the functions will be covered
For each of the functions above, it is intended that the material will cover:
- Terminology - how words are defined and used.
- Concepts - the fundamental way things work and fit together.
- Identification threats - the problems that need to be solved.
- Identification controls - the ways in which the problems can be solved.
- Operation and implementation - information and examples for putting this into practice in certain ways.
- Tools - tools that help with any of the above.
The benefits of this approach will be wider applicability, resilience during change and a clear basis for building trust frameworks. The material will also be easier and less costly to maintain.
How we will consult
For each piece of general content we develop, we expect to produce:
- First iteration - drafted by a small group of experts, based on existing standards/guidelines (both here and overseas) and what is known about the emerging best practice.
- Consultation and feedback - the draft will be placed on this site and opened (probably via Loomio) for input and feedback, for a specified period of time.
- Update and second iteration - the feedback will be reviewed and an updated version provided.
- Review - depending on the degree of consensus and level of understanding established, further consultation and feedback may be sought.
- Maintenance - as other material is developed and/or new information comes to light (especially from other rounds of consultation) the content may require some maintenance to keep it up-to-date and aligned.
Content with compliance aspects
Some of the content developed will help assess conformity. These will be recommended as best practice until they are further advanced, which will include mechanisms for independent assessment and certification.