Monday, September 25, 2017

Service NSW to develop multi-factor authentication identity platform as opt-in


Service NSW, New South Wales' centralised organisation for government service delivery, currently uses a relatively simplistic platform for identification.

According to Eddie Smith, Identity Architect at Service NSW, the processes in place "probably don't" meet National Institute of Standards and Technology guidelines for strong authentication, as they still use SMS, and username and password.

Service NSW's roadmap, however, includes the ability for citizens to opt in to different forms of multi-factor authentication, based on their risk profile, Smith said at the FIDO Alliance Seminar in Sydney on Monday.

"Whether they want that for every login or whether they want that for what we classify as high-risk transactions such as changing licence address -- renewing the licence we don't really care who pays us as it's an anonymous transaction -- so it's really those more sensitive transactions which could result in identity theft or the issuance of an invalid entitlement from a government perspective such as a firearms licence or a working with children check," he explained.

The authentication platform will also underpin the state's digital licence platform, which will store digital versions of licences.

"Obviously the authentication that you tie into that flow becomes very important as you start to introduce high-risk licences," Smith said.

"Where authentication plays a role in this is that obviously as we bring more and more transactions online through a single portal, through micro-site portals ... we have to look at the different authentication that we use across those transactions and dial it up or down based on citizen preference or the risk of the transaction."

Launched in July 2014, Service NSW brought together a number of different NSW government services under the one office, including RMS; Births, Deaths and Marriages; and small business support.

Service NSW has a remit to be the one-stop shop for state government interactions and a mandate from government to bring 80 percent of transactions through a digital channel, but Smith explained there is one roadblock to pushing multi-factor authentication across the entire service.

"We have a bit of a challenge in that we have a 'no citizen left behind' mandate, so if we do have a citizen out there on a Nokia 6210 who wants to use a browser in a public library, we can't force or serve the mandated authentication step-up, so we have to very much make it an opt-in approach and we make it opt-in for the digital transactions as well," he explained.

Service NSW fronts some 200 agencies, which Smith said also provides its own challenges, as it needs to effectively negotiate the security controls that it puts in place with those agencies, as they own the transactions and the system-of-record data.

"Service NSW is really just the facilitator for the citizen to be able to tell the government once and those transactions flow down into underlying agencies," he added.

"Service NSW has a very strong focus on privacy and we're very much trying to give citizens a single view of government, as opposed to government having a single view of the citizen."

The state government made the first wave of its digital licences available through the new "My Licences" digital wallet in the Service NSW app last November. Residents in the state can download their recreational fishing fee, responsible service of alcohol, and responsible conduct of gambling competency cards on their smartphone or tablet.

The driver's licence is scheduled for digitisation in 2018, with Minister for Finance, Services and Property cum Treasurer Dominic Perrottet previously saying NSW is leading the nation in government technology.

However, on Monday, the South Australian government beat its neighbours to the finish line, announcing citizens will have the option to hold digital driver's licences as of next month.



from Latest Topic for ZDNet in... http://ift.tt/2htqRXC
