We’re developing new standards and guidance
We’re developing new standards and guidance to replace the existing Evidence of Identity and Authentication Standards. Read about our approach and how you can be involved.
Have your say
We are seeking feedback on each part of the new identification standards and guidance, as we develop them.
The development principles
The following overarching principles will guide the development.
- Risk-based approach — balancing effort with the risks posed by the service being delivered to the incorrect person.
- Objective-based controls — controls that allow for multiple and evolving ways to meet them.
- Channel and technology neutral — creating an environment where rules can be applied at a consistent level across delivery channels where environments and technologies change rapidly.
- Privacy centric — supporting minimal data collection and consent-based information sharing.
- No National ID — supports New Zealanders’ position regarding National ID.
Additionally, users of the current standards have asked for:
- one location with links to associated information
- wider focus on attribute verification
- clear distinction between guidance and compliance criteria.
How we will develop a unified language
A key element to both understanding and implementing identification processes is a consistent and clear language to describe all elements. Appropriate terms will be reused where they have been through rigorous development processes and are proven to be used effectively. Preference will be given to using dictionary definitions for terms. Where new terms are required, or existing terms are not yet widely tested and used consistently, they will be stabilised through consultation on material which puts them in context.
The identification functions
The material to be developed will focus on the following identification-related functions.
- Risk assessment — assessing services and transactions to identify the level of identification risk.
- Enrolment — gathering information and linking it to an entity enrolling for the first time.
- Recognition — ensuring the same entity is returning to access the system.
- Federation — using authenticators and/or entity information across multiple contexts.
- Delegation — using the relationships between entities to allow an entity to act on behalf of another.
How each of the functions will be covered
For each of the functions above, it is intended material will cover:
- terminology — how words are defined and used
- concepts — the fundamental way things work and fit together
- identification threats — the problems that need to be solved
- identification controls — the ways the problems can be solved
- operation and implementation — information and examples for putting this in to practice
- tools — tools that help with any of the above.
The benefits of this approach will be wider applicability, resilience during change and a clear basis for building trust frameworks. They will also be easier and less costly to maintain.
How we will consult
We will consult at set stages throughout development of each piece of general content.
- First iteration — drafted by a small group of experts, based on existing standards/guidelines (both here and overseas) and what is known about the emerging best practice.
- Consultation and feedback — the draft will be placed on this site and opened (via Loomio) for input and feedback, for a specified period of time.
- Update and second iteration — the feedback will be reviewed and an updated version provided.
- Review — depending on the degree of consensus and level of understanding established, further consultation and feedback may be sought.
- Maintenance — as other material is developed and/or new information comes to light (especially from other rounds of consultation) the content may require some maintenance to keep it up-to-date and aligned.
Content with compliance aspects
Some of the content developed will help assess conformity. These will be recommended as best practice until they are further advanced, which will include mechanisms for independent assessment and certification.