The e-government unit is looking for technology and relationships with suppliers for its all-of-government authentication solution, even though Cabinet has not yet approved its implementation. Work on centralised authentication has so far concentrated on policy and process questions, says the unit's acting head, Bethia Gibson. Now it is time to start looking at technology and to factor in the next level of detail.
The government approved the design phase of a centralised authentication mechanism that will hold minimal information about users, following a marked preference for this model from those consulted.
However, the definition of whole of government authentication is still flexible, says the e-government unit. It may mean a single central authentication infrastructure or standards that agencies will use to implement authentication solutions as needed, says Gibson.
Asked about the apparent move away from the expressed preference of the sampled prospective users, she acknowledges their preference for a centralised solution and says this influenced the design. The final decision on whether to implement a fully centralised or distributed approach to authentication is for Cabinet to make, she notes.
The e-government unit's request for information (RFI) says a centralised infrastructure represents a potential single point of failure and an additional step in the process of obtaining services, suggesting that an authentication capability at each agency would not present these problems. On the other hand, a centralised infrastructure allows for one-time implementation and cuts agencies' compliance costs.
The RFI identifies four levels of authentication:
- Anonymous, where no identification is required; for example, browsing information about a government service;
- Pseudonymous, where the user does not provide a key that can be attached to their real identity, but a name to allow the system to recognise the same person on a subsequent occasion;
- Identified, where the user's identity is verified as a prelude to an entitlement to use certain services, such as internet banking;
- Verified, for applications requiring strong authentication, for example, accessing an individual's medical records.
The RFI, unusually, won't necessarily be the forerunner to a request for proposal and tender. The purpose of this RFI is to open a dialogue with industry and other communities of interest, to ensure to the maximum extent possible that industry input and comments are given proper and due consideration in development of the authentication design.
The RFI is also expected to allow the SSC to complete indicative costings of the final authentication design. Potential providers are asked to comment on a wide range of factors, including protocol and browser weaknesses, and internet risks such as denial-of-service attacks.
Information is requested on the feasibility of a future single sign-on to use several services in one session, and the potential of a government authentication infrastructure for use outside government "to ensure that we allow for future opportunities to scale the solution to meet the needs of all New Zealand", Gibson says.
Providers are asked to rate the government's authentication design against those overseas.
Source: Computerworld New Zealand, 11.11.2003
