Identification management is the creation and ongoing maintenance of the relationships between entities, their information and any authenticators that may represent them in one or more contexts.
Detailed description of diagram
A diagram shows a triangle representing the connection between Entities, Entity Information and Authenticators. At the top of the triangle is a box containing Entity (e.g. person), the lower left has a box containing Authenticator and the lower right has a box containing Entity Information. The connection between Entity and Entity Information is labelled Entity Binding, the connection between Entity Information and Authenticator is labelled Authenticator Registration and the connection between Authenticator and Entity is labelled Authenticator Binding.
Definitions of the elements and their relationships
An Entity can be anything with a distinct existence, though the material in this site will focus mainly on people. Within the context of identification management they will be those who enrol with organisations for various services.
Authenticators are things known and/or possessed and controlled by an Entity that they will use to be recognised when they return to an organisation's service. They act as shortcuts to avoid having to repeat all the identification steps carried out during the enrolment process.
Entity Information is information related to an Entity, which is collected and stored by an organisation in order to provide a service.
Entity Binding is the process of ensuring the Entity Information belongs to the Entity that is using it.
Authenticator Binding is a process of ensuring the user of the Authenticator is the same Entity to which the Entity Information relates.
Authenticator Registration is the process of creating and/or linking an Authenticator to the information about an Entity.
How does identification management differ from identity management?
Identity and identity management tend to focus on attributes and their management rather than the wider processes and human behaviours essential to preventing identity theft and its impacts. The material in this site takes a slightly different approach to the area, in an attempt to solve some of the problems that have been hampering understanding.
Why do we need identification management standards and guidance?
In September 2015, DIA commissioned work to produce a vision for digital identity in New Zealand. A key finding was:
Agencies overwhelmingly conveyed the message that, while identity plays an important role in service delivery, it is not the end goal. Rather, identity should be treated as an enabler to ensure that the right service is delivered to the right person, in as seamless a manner as possible.
When asked to describe the attributes of an optimal identity solution, agencies most commonly described a solution that is:
- multi-channel, so that citizens can have the same experience whether they are interacting with the agency digitally, over the phone, or in person
- mobile-friendly, acknowledging that citizens are using their mobile devices for an increasing number of digital interactions
- able to handle multiple levels of identity assurance, since requiring a passport-grade identity credential is not appropriate for every transaction.
Currently our identification management standards do not support agencies or organisations to achieve this vision.
We need effective identification management standards to reduce and/or prevent identity theft during the processes of initial enrolment and ongoing recognition of an individual. The standards and guidance being developed will support systems where:
- people can access their information and are able to update it and share it with organisations when they choose
- organisations are able to get the right information about the right people and can recognise them when they return.
There is no ‘one size fits all’ identification management process that can be applied across an organisation. Finding the right balance between ease of access and the risks of providing a service to an incorrect entity is the challenge this material seeks to address. It will do this by providing a risk-based approach to determine the level of assurance appropriate to the service being delivered.