Application of this standard

This standard applies to any Credential Provider (CP) that establishes or issues 1 or more Credentials. Credentials can be reused by Entities in identification processes with multiple Relying Parties (RP). The CP is accountable for controls stated in this standard, even if they have employed or contracted aspects to other parties.

Credentials established through this standard can be physical (for example, cards and documents) or digital credentials.

The controls apply to the relationship between an Entity, a Credential Provider and the Credential that they establish. Application of the controls in this standard will contribute to the reduction of identity theft, entitlement fraud, misrepresentation of abilities and the impacts that result.

The scope of the requirements in this standard is explicitly related to the identification aspects of credentials. It does not include controls for security or other implementation matters.

For more information on the interpretation of each control and how it can be applied, see the related implementation guide.

Implementing the Federation Assurance Standard

Effective date and versions

This standard is effective from 1 May 2026 and replaces Part 1 of the Federation Assurance Standard.

Version 1 (current version) — separation from the requirements for Facilitation Providers and some wording refinement.

Historic versions of the Identification Standards — Department of Internal Affairs

Before applying this standard

Credentials

In this standard Credentials contain and make use of 3 aspects of information:

• Credential subject information — this is information that the holder of the Credential is overtly aware of making available to a Relying Party for their decision making.
• Presentation information — this is information (including metadata) and associated processes that support the trust and operation of the Credential (for example, document security features, encryption, certificates).
• Facilitation information — this is information (including metadata) that is made available when the Credential uses a facilitation mechanism in the presentation to the Relying Party (for example, references, timestamps, transaction identifiers, logs).

At a minimum, a Credential consists of an Authenticator and Integrity mechanisms. Most Credentials have additional information that determines its use for specific purposes (for example, to travel or to drive).

A Credential ‘holder’ refers to the individual Entity with whom a Credential was first established — the rightful holder.

A Credential Provider refers to the party accountable for the establishment of a Credential and its availability for presentation.

Credential presentation

Credentials can be presented in a manner that is either facilitated (for example, using a digital service to present a Credential to an RP) or non-facilitated (for example, presenting a physical document directly to an RP). In a non-facilitated presentation, there is no involvement of a party other than the Entity and the Relying Party.

As Credentials (especially digital Credentials) evolve, they are likely to contain larger amounts of Credential subject information that can be made available to Relying Parties. This reflects the need to better serve the individual Entities that hold them, especially as we move to more online service delivery.

To maintain the privacy of the holder, not all the Credential subject information in a Credential needs to be made available to a Relying Party. There are 2 forms of limitation:

• Partial presentation — a subset of the Credential subject information is made available to the Relying Party
• Derived value presentation — 1 or more of the values in the presentation are deduced or inferred from the value in the Credential. For example, age can be inferred from a date of birth.

The facilitated presentation of (predominantly digital) Credentials by a Facilitation Provider, is covered in the Facilitation Service Standard.

Facilitation Service Standard

Requirements for Credential Providers establishing Credentials

Objective 1 — Credential risk is understood

Rationale

For holders to trust their Credential is being adequately protected from unauthorised access and use, the risk the Credential poses when used in multiple contexts needs to be understood by the Credential Provider and mitigated.

Obtaining and using a Credential has the potential to expose holders to additional risks arising from increased collection of information.

As Credentials move from narrow purposes with minimal attributes to ones that can fulfil several identification requirements, care needs to be taken with the accumulation of information. This includes the attributes that are contained in the Credential regardless of any limitation made during presentation.

Credential Providers may also need to achieve specific levels of assurance determined by contracts and/or legislation.

FA1.01 Control

The CP MUST carry out an assessment of the risk posed by the existence of the Credential before offering it.

Additional information – While any risk assessment process can be used, specific guidance is available on assessing identification risk.

FA1.02 Control

The CP MUST evaluate the risk of all information available to a holder viewing or managing their Credential and apply the corresponding level of authentication.

Additional information — Where credentials can be presented in privacy-preserving ways using partial presentation and derived values, the authentication level for presentation may be lower than that needed for Credential management.

Objective 2 — Credentials have recognised levels of assurance

Rationale

Consistent approaches to Credential establishment and an ability for Relying Parties to know the Credential and the Credential Provider are genuine, reduce the likelihood Credentials will be able to be used as avenues for identity theft and fraud.

As more Credentials become able to be used for multiple purposes, Entities can also use assurance levels to select Credentials best suited to the identification needs of the services they most commonly use.

FA2.01 Control

The CP MUST establish the Credential using identification processes that conform with the latest versions of:

• Information Assurance Standard
• Binding Assurance Standard

for the assurance levels of the Credential subject information, and

• Authentication Assurance Standard

for the assurance level of the Authenticator in the Credential.

Additional information — When a Credential Provider is enrolling an Entity and applying these standards, they do so in the role of a Relying Party. They become a Credential Provider at the point they establish the Credential for that Entity. The level to which assurance has been gained against the above standards will determine the levels to be declared in FA2.02.

FA2.02 Control

The CP MUST make level/s of assurance for the Credential subject information available to Holders, Relying Parties and Facilitation Providers.

FA2.03 Control

The CP MUST provide mechanisms, consistent with the intended assurance levels, that enable the Credential to be recognised as bona fide.

FA2.04 Control

The CP MUST provide mechanisms, consistent with the intended assurance levels, that enable the Credential Provider to be recognised as bona fide.

Objective 3 — Credential is privacy-preserving

Rationale

Using a Credential in multiple contexts offers numerous benefits to Entities. However, obtaining and using a Credential this way also has the potential to expose Entities to privacy risks arising from the capability to track and profile.

The availability of correlated volumes of data makes it vulnerable to uses that may not be anticipated or desired by the holder. These unexpected uses could inhibit adoption of some credentials.

FA3.01 Control

The CP MUST reduce the ability for Relying Parties to correlate holders by not including the holder’s unique Entity Information identifier as part of a Credential.

Additional information — A unique Entity Information identifier is an identifier assigned by a context that uniquely identifies the set of Entity Information before a Credential has been established.

FA3.02 Control

The CP MUST support minimisation of information by enabling the use of partial sets of Credential subject information, when possible.

Additional information — Credentials offered digitally can be more flexible. It is possible that when a Credential is connected to a facilitation mechanism, the Credential Provider could supply only some of the attributes contained in the Credential subject Information.

Objective 4 — Participation is inclusive

Rationale

Each Credential will have a purpose and corresponding holders. Credential Providers have obligations including responsibilities under the Treaty of Waitangi and digital inclusion to ensure that Entities can participate on an equal footing. Therefore, consideration of the population of Entities who will use the Credential is essential so as not to contribute to the exclusion of participation by any group.

FA4.01 Control

The CP MUST identify the population of Entities intended to be Credential holders.

FA4.02 Control

The CP MUST support any Entity within the identified population to become a Credential holder.

Objective 5 — Credential is maintained

Rationale

Once a Credential is established there are several activities that maintain its relevance and integrity.

Some of these activities relate to managing the life cycle of the Credential such as updating, suspending and revoking the Credential.

Other activities enable fraud detection, for example, if interactions with Credentials are not logged and monitored, Credential Providers will not be able to appropriately prevent or investigate any misuse or compromise.

FA5.01 Control

The CP MUST provide the means for the Credential subject information contained in the Credential to be updated, by either:

• enabling Credential subject information in the Credential to be changed, or
• replacing the Credential, or
• establishing synchronous links to maintained sources of Credential subject information.

FA5.02 Control

The CP MUST provide the means for the holder to cancel a Credential.

FA5.03 Control

The CP MUST provide the means for the holder to report the loss or compromise of a Credential and receive support.

FA5.04 Control

The CP MUST provide the means for addressing holder complaints or problems arising from Credential establishment and maintenance.

FA5.05 Control

The CP MUST provide the means for addressing holder and Relying Party complaints or problems arising from non-facilitated Credential presentation.

FA5.06 Control

The CP MUST be able to update the Credential status to prevent its use, even if the responses to authentication challenges are successful, and can either:

• suspend the Credential, allowing for recovery in the future, or
• revoke, permanently disable or delete the Credential.

Additional information — If the holder has requested deletion of a Credential, consider suspending it for a period of 1 month before revoking to allow for recovery if needed.

FA5.07 Control

The CP MUST set an expiry on a Credential where the usage and risk indicates this to be appropriate.

FA5.08 Control

The CP MUST log all activity within the system, including but not limited to:

• who did the action
• when the action occurred
• what the action was — create, read, update or delete
• what was changed by the action — before and after.

Additional information — This activity applies to the service that supports Credential establishment.

FA5.09 Control

The CP MUST support additional confidence in the integrity of the Credential by taking preventative measures including but not limited to:

• auditing logs
• monitoring activities for adverse behaviours
• undertaking counter fraud measures.

Additional information – This applies to the service establishing the Credential, not the Credential or its presentation. Refer to guidance on counter fraud measures.

Counter fraud techniques

FA5.10 Control

The CP MUST provide notifications to the holder that allow them to self-detect potential compromise, these can include but are not limited to:

• the last time the holder accessed their Credential (where applicable)
• any change made to the holder’s Credential.

Additional information — If the change is to contact information, notification needs to be sent to the contact information prior to the change or to an alternative contact.

Contact

Government Digital Delivery Agency (GDDA)
Email: idmstandards@gdda.govt.nz