New Zealand Digital Identity Services Trust Framework goes live this week

The new rules and accreditation system for digital identity in New Zealand will take effect on Friday, November 8, when the Digital Identity Services Trust Framework (DISTF) takes effect.

A webpage dedicated to the Trust Framework on the Department of Internal Affairs site sets out the benefits of digital ID, how it can be used and the complaints process. It shows the accreditation mark that identifies trusted service providers and lists the key concepts and principles behind the Framework.

The law establishing the Trust Framework was passed last March to regulate the issuance and use of digital IDs for on and offline interactions. That legislation took effect on July 1, and Digital Identity New Zealand Executive Director Colin Wallis said for the scheme to serve New Zealanders it will need “a chunky number of identity service providers.”

Minister for Digitising Government Judith Collins noted in announcing the launch of the Trust Framework that it also sets the stage for future launches of mobile driver’s licenses, bank IDs or trade certifications.

New Zealand’s Digital Identity Services Trust Framework stipulates that digital identity services are offered on an opt-in basis, requires that users consent to any use of their digital ID, and specifies that personal and organizational data are not stored in a central database. Instead, the system uses a decentralized model, with users initiating each transaction with a request for access or to share information.

Applications for digital identity service accreditation are filed with the Trust Framework Authority, and are expected to be available before the end of the year. Assessments consider the provider’s operational capacity, conformance to identification management standards, privacy protections and security. The trust mark the Authority grants would expire after three years under current proposals.

Information is also available on the page for providers interested in going through the accreditation process. Accreditation is not mandatory to sell digital identity services in New Zealand, however.

The Framework’s authentication assurance standard, which took effect on October 1, specifies four levels of authentication assurance (LoAAs) and requirements for each. Relying parties are required to assess the authentication risk posed by their service to determine which level they must meet.

The first two levels have modest requirements, but level three requires multifactor authentication, and level four requires that one of multiple factors be biometric. Whatever authentication method is used, 30 consecutive failures to authenticate must trigger a block on the account and investigation by the relying party. Relying parties must also provide a way for people to report a compromised authenticator, and deregister the user if a biometric was used as an authenticator but not protected with presentation attack detection.

Rules for identity binding, authenticator lifecycles and limits to the knowledge authentication factor are also included in the Framework.

Biometrics must be accompanied by liveness software that complies with the ISO/IEC 30107-3 biometric presentation attack detection standard, and demonstrates effectiveness against 90 percent of attacks.

Biometric authentication systems must also have a false positive rate below 0.01 percent.

The DIA also provides a page for templates and guidance for identity service providers, which are expected to be published soon.

Article Topics

biometric authentication  |  biometrics  |  digital ID  |  digital identity  |  Digital Identity Services Trust Framework (DISTF)  |  ISO/IEC 30107-3  |  New Zealand  |  trust framework