|Two-Factor Authentication (2FA)
||A method of authentication that requires two different authentication factors; typically something you know (a username and password) and something that you have (a token or cell phone) or something that you are (a biometric).
Required for moderate strength authentication.
See Authentication Standards.
||“A service requiring a moderate level of assurance requires Two-Factor Authentication (2FA)”.
|ABAC
||Attribute Based Access Control
||A system of access control to (ICT) resources based on whether an individual has (or, in some cases, does not have) one or more specific attributes.
||“One of the website’s security controls is Attribute-Based Access Control (ABAC)”.
|Agent
||A person who acts on behalf of another person or group
||One who agrees and is authorised to act on behalf of another, a principal, to legally bind an individual in particular business transactions with third parties.
||“My accountant acts as my agent with Inland Revenue”.
|Agent (Software)
||A computer program that acts for a user or other program.
||In computer science, a software agent is a computer program that acts for a user or other program in a relationship of agency; an agreement to act on one's behalf. Such "action on behalf of" implies the authority to decide which, if any, action is appropriate.
||“Your personal assistant in a smartphone is a type of software agent”.
|Assurance
||A positive declaration intended to give confidence
||The process of giving confidence in the authenticity of an identity such as by asserting details previously established during identification. The strength of verification in the identification process will determine the level of assurance given.
||“The robust process required to establish a verified identity using RealMe provides strong assurance”.
||Developing Options for a new Approach to Digital Identity Cabinet Paper - DIA
||See ‘LOA (Level of Assurance) - Authentication’ and ‘LOA (Level of Assurance) - Identity’.
Also see ‘Authentication Standards’ and ‘Evidence of Identity Confidence Levels’.
|Attribute
||A category of identifying information about a User
||A distinct characteristic of a subject. A subject’s attributes are said to describe it. Attributes are often represented as pairs of attribute name and attribute value, often referred to as attribute-pairs or name-value pairs. Attributes are often used to make access control decisions. [edited] Identity attributes are a subset of a wider set of attributes and most commonly include name, address, date of birth, place of birth and gender.
See also Claim.
||“Date of birth is a commonly used identity attribute”.
||Guide to Authentication Standards
|Attribute Provider
||An authority that asserts one or more attributes about individuals
||An attribute provider is an organization that is responsible for all the processes associated with establishing and maintaining a subject's identity (and other) attributes. They provide assertions of the attributes from an authoritative source to the individuals, other providers, or relying parties.
||“The MyTrove service is considered an Attribute Provider”.
||IT Law Wiki
|Authentication (v) (AuthN)
||The process of confirming a claimed identity or set of information
||The process of confirming a previously established identity, usually to logon and reuse a service, by presenting a credential such as username and password. This demonstrates the person is in control of the digital identity recognised by the service provider.
||“Access to a secure website requires authentication”.
“The RealMe Logon service is an authentication provider”.
||Developing Options for a new Approach to Digital Identity Cabinet Paper - DIA
|Authentication Credential
||Evidence which, when provided to an Authentication or Identity Provider, identifies an individual, device or entity. The most common Authentication Credential is the username and password; other Authentication Credentials are often provided in conjunction with the username and password to provide higher levels of assurance.
||“Common authentication credentials used are username and password”.
|Authentication Standards
||The minimum authentication keys required for each of the Evidence of Identity (EOI) Service Risk Categories
||Addresses the authentication strength mechanisms (the type of authentication key) that may be used and the protections for the online authentication exchange. These requirements are based on the (EOI) Service Risk Categories as follows:
# Nil or Negligible: No requirement. Agencies are able to select their own authentication solution. If a password is used it should differ from any password required for services in the Low Risk Category.
# Low: Requires a one-factor authentication key in the form of a password conforming to the password standard.
# Moderate: Requires a two-factor authentication key that is at least one of the following:
#* a one-time password system combined with a password
#* a one-time password device requiring per-session local activation (with a password or biometric)
#* a software token requiring per-session local activation (with a password or biometric).
# High: Requires a two-factor authentication key that is at least a hardware token requiring per-session local activation (with a password or biometric).
See LOA (Level of Assurance) - Authentication, LOA (Level of Assurance) - Identity and Evidence of Identity Confidence Levels.
||“A Low level of risk Authentication Standard may be required when someone changes their address details”.
||Guide to Authentication Standards (NZ e-GIF)
|Authorisation (v) (AuthZ)
||The process of determining if a user has the right to access a service or resource, or perform an action
||The process of determining, by evaluating applicable access control information, whether a user is allowed to have the specified types of access to a particular resource. Usually, authorisation is in the context of authentication: once a user is authenticated, they may be authorised to perform different types of access. A user is most commonly an individual but can be a business entity or device.
||“He could not access that business record because he lacked authorisation”.
||Guide to Authentication Standards
|Authoritative Source
||A source of information that has a credible level of assurance to deem it reliable and correct
||A managed repository of valid or trusted data that is recognised by an appropriate set of governance entities and supports the governance entity’s business environment.
||“Department of Internal Affairs is the authoritative source for passport data”.
|Authority
||The power or right to give orders, make decisions, and enforce obedience
||1. Institutionalized and legal power inherent in a particular job, function, or position that is meant to enable its holder to successfully carry out his or her responsibilities. 2. Power that is delegated formally. It includes a right to command a situation, commit resources, give orders and expect them to be obeyed; it is always accompanied by an equal responsibility for one's actions or a failure to act. 3. One that is invested with this power, especially a government or body of government officials.
||“She was given authority by a power-of-attorney”.
“The managing director is the company authority.”
||Internet dictionary sites
|Binding
||Ensuring the right individual is bound to the right credential
||The association of an identifier or credential with an individual’s existing record which lacks such an association.
||“The binding of my logon to my health record was accomplished by matching identity attributes”.
|Biometrics
||Metrics related to human characteristics
||Biometrics is the measurement and statistical analysis of people's unique physical and behavioral characteristics. The technology is mainly used for identification and access control, or for identifying individuals who are under surveillance. The basic premise of biometric authentication is that every person can be accurately identified by his or her intrinsic physical or behavioral traits.
||“Biometrics include fingerprints, face recognition, DNA and iris recognition”.
|Blinding
||Providing a service to a client in an encoded form without knowing either the real input or output
||A privacy protocol that allows individuals to easily connect to partnering online services using an existing, trusted logon credential, while limiting the amount of data actually transmitted. There can be three levels of blinding. Triple blinding occurs when three participants other than the user are involved in an ecosystem and each is prevented from gaining knowledge about the other parties.
||“Use of blinding prevents personal information being shared unnecessarily with participants in a digital identity ecosystem”.
||See Identity Hub (Broker)
|Business
||An entity that is involved in commercial, industrial, or professional activities
||An organization or economic system where goods and services are exchanged for one another or for money. Businesses can be privately owned, not-for-profit or state-owned.
You're in business if you acquire or supply goods or services, or acquire or dispose of land (but not if you do this as a consumer, employee, or as an individual member of an unincorporated entity). A business can be non-profit and can also be carried on free-of-charge.
||“My business has to comply with AML/CFT regulations for banking purposes”.
||Business Dictionary / NZBN Register
|Claim
||A statement that a person or organisation makes about itself.
See also Attribute.
||A claim is a statement that one subject, such as a person or organization, makes about itself or another subject. For example, the statement can be about a name, group, buying preference, ethnicity, privilege, association or capability. The subject making the claim or claims is the provider.
||“A claim based approach can be used to establish a verified identity”.
|CMS (RealMe)
||Context Mapping Service
||The RealMe Context Mapping Service provides a relying party with an opaque identifier that can be used and understood by a different relying party to uniquely identify an individual, but only with that individual’s consent. The CMS works within the constraints of IPP 12 of the Privacy Act 1993.
||“The RealMe CMS allows two agencies to collaboratively deliver services to an individual”.
|Consent (n)
||The permission for something to happen or agreement to do something.
||The compliance in or approval of what is done or proposed by another; specifically: the voluntary agreement or acquiescence by a person of age or with requisite mental capacity who is not under duress or coercion and usually who has knowledge or understanding.
||“An agency must have a user’s consent to access his/her self-asserted attributes”.
|Consent (v)
||To give permission for something to happen.
||To acquiesce, agree, approve, assent, to voluntarily comply or yield, to give permission to some act or purpose.
||“The user must consent before using the service”.
||Webster’s Law Dictionary
|Continuous Authentication
||A form of dynamic, risk-based authentication that treats authentication as an ongoing process rather than a single event
||Instead of a user being either logged in or out, the application continually computes an ‘authentication score’ which measures how certain it is that the account owner is also the one using the device.
||“Continuous authentication can increase corporate security by limiting the impact and likelihood of data breaches”.
||Okta (a publicly-traded identity management company based in San Francisco. It provides cloud software that helps companies manage their employees' passwords, by providing a “single sign-on” experience.)
|Credential
||See Authentication Credential
|Delegate (n)
||See Agent, Agent (Software)
||A party that is designated to act for or represent another or others.
|Delegate (v)
||Entrust (a task or responsibility) to another person.
||The action or process of delegating or being delegated.
||“I have delegated authority to manage my company affairs to my agent”.
|Delegation
||The assignment of responsibility or authority to another person
||The authority a first party gives to a second party to perform specific actions on behalf of the first party, who retains control and accountability.
||“A delegation allows my accountant to file my taxes at Inland Revenue”.
|Device
||An object or machine that has been invented for a particular purpose
||A unit of physical hardware or equipment that provides one or more computing functions within a computer system. It can provide input to the computer, accept output or both. A device can be any electronic element with some computing ability that supports the installation of firmware or third-party software.
||“You can access digital services using your tablet or other mobile device”.
|Digital Identity
||A digital identity is information on an entity used by computer systems to represent an external agent. That agent may be a person, organization, application, or device. ISO/IEC 24760-1 defines identity as a "set of attributes related to an entity".
A version, or facet, of a person's social identity; see also Persona (the two are often used interchangeably in common usage).
||Digital Identity is an electronic representation of an individual (or entity or device). Digital Identity allows people to undertake online what they have traditionally completed manually.
The information contained in a digital identity allows for assessment and authentication of a user interacting with a business system on the web, without the involvement of human operators. Digital identities allow our access to computers and the services they provide to be automated, and make it possible for computers to mediate relationships.
The term "digital identity" has also come to denote aspects of civil and personal identity that have resulted from the widespread use of identity information to represent people in computer systems.
||“I have many logons, but only one Identity”.
"Digital identity is now often used in ways that require data about persons stored in computer systems to be linked to their civil, or national, identities."
"The use of digital identities is now so widespread that many discussions refer to "digital identity" as the entire collection of information generated by a person’s online activity. This includes usernames and passwords, online search activities, birth date, social security, and purchasing history. Especially where that information is publicly available and not anonymized, and can be used by others to discover that person's civil identity. In this wider sense, a digital identity is a version, or facet, of a person's social identity. This may also be referred to as an online identity."
|Electronic Identity Credential
||A verified identity that has been issued by an identity service provider
||An electronic identity credential is a record kept in electronic form by an identity service provider that—
a) contains authenticated core identity information about an individual; and
b) is assigned a unique code (or identifier) by the Service.
The electronic identity credential may contain as much of the following core identity information about an individual as it is possible to authenticate:
a) the individual’s full name:
b) the individual’s sex:
c) the individual’s date of birth:
d) the individual’s place of birth.
||“The RealMe Verified service can assert your Electronic Identity Credential to participating agencies”.
||From the EIV Act (edited)
|EOI
||See Evidence of Identity
|Evidence of Identity
||The types of evidence that, when combined, provide confidence to a certain level of assurance that an individual is who they say they are.
||“An anonymous service requires no Evidence of Identity (EOI)”.
||Guide to Authentication Standards
|Evidence of Identity Confidence Levels
||Confidence levels corresponding to Identity Service Risk Categories
||The following outlines the EOI Confidence Levels required for corresponding Service Risk Categories:
Nil or Negligible: No specific EOI process required.
Low: Agency requires evidence that identity claimed is genuine identity, individual is sole claimant, and identity claimed is used in the community. EOI is accepted at ‘face value’ without third party verification unless discrepancies identified.
Moderate: Agency requires evidence that identity claimed is genuine identity, identity is living, the presenting individual links to the identity, individual is sole claimant, and (if required) identity claimed is used in the community. EOI is accepted at ‘face value’ without third party verification unless discrepancies identified.
High: Agency requires evidence that identity claimed is genuine identity, identity is living, the presenting individual links to the identity, individual is sole claimant, and identity claimed is used in the community. EOI, where possible, is verified with a third party to confirm its authenticity.
See ‘LOA (Level of Assurance) - Authentication’, ‘LOA (Level of Assurance) - Identity’ and ‘Authentication Standards’.
||“Applying for a passport requires an EOI Confidence Level of high”.
||NZ EOI Standards
|FLT (RealMe)
||Federated Logon Tag
||The Federated Logon Tag is a unique, persistent identifier generated by the RealMe Logon Service which is applicable to a single privacy context or domain, typically a government agency. Each FLT is a “federated identifier” or “pairwise identifier” in that it is unique to a particular logon account in a specific privacy context. That is to say, for a given logon account there is a unique FLT for each agency or relying party.
||“When I log on with RealMe to different agencies, each agency receives a unique FLT”.
|Identification
||The action or process of identifying someone or something, or the fact of being identified
||The process of establishing or verifying information about an individual, entity or device through proving ownership of official documents (e.g. driver’s licence, passport), consulting alternative data sources to corroborate the identity being claimed, and collecting biometric data from the individual to link them to source records.
||“The RealMe IVS product provides an identification service”.
||Developing Options for a new Approach to Digital Identity Cabinet Paper - DIA
|Identity Attribute
||An attribute, such as name or hair colour, that is associated with an identity.
||Small pieces of information that make up a digital identity. Attributes may include name, address, phone number, group affiliation, etc. Core identity attributes most commonly include name, address, date of birth, place of birth and gender.
||“Your full name is a core identity attribute”.
|Identity Hub (Broker)
||A brokering service that connects service providers (relying parties) with trusted Identity and Authentication providers.
||The Identity Hub (Broker) is a brokering service that connects service providers (relying parties) with trusted Identity and Authentication providers. The hub manages trust levels to ensure appropriate providers are used for Authentication and Identity, and supports interoperability and service integration. The hub also maintains compliance with IPP 12 through the use of federated identifiers.
||“The Identity Hub allows an agency application to use one of many different Authentication Providers”.
|Identity Provider
||An authority that provides or asserts identity information about an individual or entity.
||A recognised authority that provides Identity related services such as Authentication, Identity Verification or Assertion of Identity Attributes.
||“RealMe is an identity provider as it can provide proof of identity through the IVS service”.
"Gigya is a Customer Identity and Access Management provider (CIAM). Our services facilitate interaction and engagement with consumers of website and app content, complete with a suite of tools for analyses and reports, managing your user database and extrapolating action steps from the data. Gigya helps companies turn unknown site visitors into known, loyal and engaged customers."
|Individual
||Relating to one person or thing, rather than to a large group
||A person. A distinct, indivisible entity, often one among many others of a similar kind.
||“Every individual has rights which must never be taken away”.
|IPP
||Information Privacy Principles
||The Information Privacy Principles of the Privacy Act 1993 establish in law 12 principles which must be adhered to when managing personal information about living individuals. The principles cover:
# Purpose of collection of personal information
# Source of personal information
# Collection of information
# Manner of collection of personal information
# Storage and security of personal information
# Access to personal information
# Correction of personal information
# Accuracy of personal information
# Retention of personal information
# Limits on use of personal information
# Limits on disclosure of personal information
# Unique identifiers
Of these, IPP 6 (access) and IPP 12 (unique identifiers) are of particular relevance to digital identity.
||Privacy Act 1993
|IPP 12
||The government is not allowed to assign a single identifier to be used across all of government.
||Information Privacy Principle 12 governs how "unique identifiers" - such as IRD numbers, bank client numbers, driver's licence and passport numbers - can be used.
A unique identifier cannot be assigned to an individual unless this is necessary for an agency to carry out 1 or more of its functions efficiently, and all reasonable steps must be taken to ensure unique identifiers are assigned only to individuals whose identity is clearly established.
A unique identifier can also not be assigned to an individual if it has been assigned to that individual by another agency.
||“RealMe uses a system of IPP 12 compliant federated identifiers which anonymises information being shared”.
||Privacy Act 1993, Part 2, Section 6
|IPP 6
||Information Privacy Principle 6
||Information Privacy Principle 6 gives individuals the right to access information about themselves, and be able to request correction of information held by an agency.
||“I requested information from an agency, citing IPP 6 as their requirement to provide it”.
||Privacy Act 1993, Part 2, Section 6
|LOA (Level of Assurance) - Identity
||The strength of the processes used to identify the user at the time of user registration
||The strength of the processes used to identify the user at the time of user registration. An LOA framework allows an identity provider to indicate to a service provider (relying party) how much trust is behind the authentication event. The relying party determines what levels they require to allow access to their service. The following is a summary of the four levels:
Level 1: No proofing requirement at this level. However, the fact that the user is able to authenticate to the identity provider gives some assurance. The identity provider has some relationship with the user because they have issued them a credential (username and password or cryptographic key).
Level 2: Identity proofing requirements are introduced, requiring presentation of identifying materials and information. Both in-person and remote registration are permitted. For in-person registration the applicant must be in possession of a primary government photo ID (e.g. driver’s licence or passport). For remote registration, the applicant submits the references of and attests to current possession of at least one primary government photo ID and a second form of identification. The applicant must provide at a minimum their name, date of birth, and current address or personal telephone number.
Level 3: Identity proofing procedures require verification of identifying materials and information. Both in-person and remote registration are permitted. Requires the same evidence for issuing credentials as Level 2; however, verification of the documents or references through record checks is required.
Level 4: Remote registration is not permitted at this level. The applicant must appear in person. Presentation and verification of two independent ID documents or accounts is required, meeting the requirements of Level 3, one of which must be a current primary government photo ID that contains the applicant’s picture, and either address of record or nationality (e.g. driver’s licence or passport). A new recording of a biometric of the applicant at the time of application is also required to ensure the applicant cannot repudiate the application.
See ‘Authentication Standards’ and ‘Evidence of Identity Confidence Levels’.
||“A RealMe verified identity is established at a Level 4 (high) Level of Assurance”.
|LOA (Level of Assurance) - Authentication
||The strength of the authentication method(s) used in a particular authentication instance
||The strength of the authentication method(s) used in a particular authentication instance. An LOA framework allows an identity provider to indicate to a service provider (relying party) how much trust is behind the authentication event. The relying party determines what levels they require to allow access to their service. The following is a summary of the four levels:
Level 1: Allows a wide range of authentication technologies. Requires the user to prove through a secure authentication protocol that he/she controls the token (password). Does not require use of cryptographic methods. All authentication methods accepted for other levels satisfy Level 1.
Level 2: Provides single factor network authentication. A wide range of authentication technologies can be employed. It allows any of the token methods of Levels 3 or 4, as well as passwords and PINs. Successful authentication requires that the claimant prove through a secure authentication protocol that he or she controls the token. Passwords must be strong.
Level 3: Based on proof of possession of a cryptographic key using a cryptographic protocol. Three kinds of tokens may be used to meet Level 3 requirements: “soft” cryptographic token, “hard” token, or “one-time password” device token. Requires two factor authentication; in addition to the key, the user must employ a password or biometric to activate the key.
Level 4: Intended to provide the highest practical remote network authentication assurance, and is based on proof of possession of a key through a cryptographic protocol. Similar to Level 3 except only ‘hard’ cryptographic tokens are allowed.
See ‘Authentication Standards’ and ‘Evidence of Identity Confidence Levels’.
||“RealMe logon requires Level 2 Level of Assurance”.
|Log on (v)
||The act of presenting Authentication Credentials.
Also Log in, Sign in
||In computer security, logging on (or logging in or signing in) is the process by which an individual gains access to a computer system by identifying and authenticating themselves. The credentials the user presents are typically some form of "username" and a matching "password" and, for higher levels of assurance, another factor such as a one-time password or biometric.
||“In order to file taxes online, you must first log on to MyIR”.
|Logon (n)
||An account used to access a service.
Also Login, Logon Account or Login Account
||A user account, typically comprised of a user identifier and a password, that an individual uses to authenticate themselves, typically to an online service. A logon can optionally have additional authentication factors (a PIN, one-time password, SMS message or biometric) for higher levels of assurance.
||“I have many Logons for business activities and a bunch of other Logons for personal activities”.
|Multi-Factor Authentication (MFA)
||A method of authentication that requires at least two different authentication factors; typically something you know (a username and password) and something that you have (a token or cell phone) or something that you are (a biometric). Required for moderate strength authentication.
See ‘Authentication Standards’.
||“Multi-Factor Authentication (MFA) is usually required for services in the high risk category”.
|OAuth 2.0
||OAuth 2.0 is the industry-standard protocol for authorization (as of October 2018).
||Version 2 of the OAuth protocol, which allows third party applications to obtain limited access to an HTTP service, either on behalf of a resource owner or by allowing the third party application to obtain access on its own behalf.
Published 2012 - supported by Facebook, Google, Microsoft etc.
||“OAuth allows access tokens to be issued to third party clients by an authorisation server, with approval of the resource owner”.
|OpenID Connect
||An authentication layer on top of OAuth 2.0, an authorisation framework
||OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable manner.
|Persona
||The aspect of someone's character that is presented to or perceived by others.
A role or character adopted by someone (this could be in a virtual or digital context).
||An application/aspect of my character/identity to a particular situation - my office persona, my Twitter persona, my LinkedIn persona, my parenting persona...
Also refers to the User Experience concept of a persona - see General - Persona.
||“I access the school’s portal in teacher persona during the day and my parent persona in the evening”.
"We work with organizations of all sizes, big and small. I have coached many business leaders and executives on how to build their Twitter persona and how to use Twitter and other social networks for business."
"Thanks to the proliferation of these identity providers, we have come to a point that when visitors login to websites, they’re not just choosing to do so with an identity provider – they’re choosing a persona. This is a dramatic shift on the Web when we consider that just a few years ago there were no scaled identity providers. Personas exist naturally because the Web mirrors real life. In real life, in any given week I may go out with coworkers, family, conference attendees, basketball friends, or old college buddies and I’m sharing different parts of my life with all of them."
"Website visitors literally have multiple online personalities – a concept with major implications for online businesses... And as social login becomes standard on the Web, some publishers are clearly cognizant of their users’ chameleon-like nature and some are surprisingly not."
|RBAC
||Role Based Access Control
||A system of managing the access to (typically ICT) resources by allocating one or more roles to individuals and granting permissions to resources based on an individual’s role memberships.
||“The Document Management System uses Role Based Access Control (RBAC) to control user privileges”.
|Relying Party
||The entity that consumes authentication, identities or attributes from any type of Identity Provider and trusts that information to make business or service delivery decisions, or enable access to digital services.
||“A bank is a relying party for proof of identity information to ensure compliance with AML/CFT regulations”.
|Risk Based Authentication (RBA)
||An emerging technology that uses a range of user factors to determine whether a given user or access attempt is potentially risky
||RBA is a form of strong authentication that calculates a risk score for any given access attempt in real time, based on a predefined set of rules. Users are then presented with authentication options appropriate to that risk level.
||“Risk Based Authentication can reduce an organisation’s exposure to costly, reputation-damaging information security breaches”.
|Role
||Job function or title which bestows specific authorities.
||An identity attribute that gives users privileges when assigned. Roles often take the form of groups wherein the members of a group have one or more authorities or privileges.
||“You can only access the HRMS if you have the role of HR Advisor”.
|Self-Asserted Attribute
||An attribute, asserted by the subject.
||An attribute, asserted by the subject without verification by any third party authority.
||“My cell phone number is a self-asserted attribute”.
|Service Provider
||An agency or private sector company that offers services.
||A government agency, private sector business or individual that provides services of value. The services are typically delivered, requested or otherwise augmented via Internet transactions. Can also be a Relying Party.
||“Some service providers require verified identity to enable access to some of their services online”.
|SSO
||Single Sign On
||A property of access control of multiple related, yet independent, software systems, which allows users to log in with a single ID and password to gain access to a connected system or systems without using different usernames or passwords, or in some configurations seamlessly sign on at each system.
||"With OneLogin’s single sign-on portal users only have to enter one set of credentials to access to their web apps in the cloud and behind the firewall – via desktops, smartphones and tablets. This greatly increases productivity while keeping data secure."
“Okta is one provider that offers Single Sign On (SSO) solutions which allow end users access to all their applications”.
||Wikipedia, OneLogin, Okta
|Verification
||The process of establishing the truth, accuracy, or validity of something.
||In the online context, verification is the process of establishing, to a required level of assurance, the authenticity of information about a subject such as their identity or other attributes.
See ‘LOA (Level of Assurance) - Identity’.
||“The verification of her residency status was required before ACC would reimburse her medical expenses”.
|Verified Attribute
||An Attribute that has been verified by a third-party authority.
||An attribute of a subject which has been verified to an agreed level of assurance by a recognised third party authority.
||“Third party visa applications must be made by someone with the verified attribute of being a licensed immigration advisor”.
|Verified Identity
||An Identity which has been recognised by an Authority.
||A verified identity means you can prove who you are with any organisation that uses an identity verification service (such as RealMe).
||“The RealMe service can be used to give your verified identity to a bank”.
|WAYF
||Where Are You From
||WAYF is a service to guide a user to his/her Authentication Provider, or to assist in selecting an appropriate Identity Provider. A WAYF service may be context aware to offer only appropriate Identity Providers.
||“To help the user nominate an Authentication Provider, the Identity Hub provides a WAYF service”.