Modernized Australian identity proofing guidelines encourage biometrics use

A long-awaited update to identity proofing guidelines from the Australian government has been published, giving organizations advice on how to bind a claimed identity to a credential with biometrics.

Identity binding practices have evolved significantly since the country’s National Identity Proofing Guidelines were originally established in 2016. At that time, selfie biometrics were unfamiliar to most consumers, and identity proofing tended to be either in-person or weak.

They have now been updated under the 2023 National Strategy for Identity Resilience. The guidelines are voluntary, but compliance with them is encouraged, the government says.

The introduction of biometrics is the biggest single change in the modernized guidelines. Biometrics are addressed in the second chapter, immediately following the introduction. Subsequent chapters address identity verification, including types of evidence, alternative identity proofing such as via a trusted referee or for children, risk assessment and monitoring and evaluation.

A risk management framework is included as an appendix.

“Strong identity proofing is critical to help protect Australians from fraudulent activity, strengthen Australia’s identity resilience and ensures our documents and processes are consistent and trusted across private and public sector organisations,” says Attorney-General Michelle Rowland.

“The refreshed and modernised guidelines will further strengthen identity proofing practices, encourage greater national consistency through a principles and risk-based approach and support organisations undertaking identity proofing for both physical identity credentials and digital ID.”

Biometrics and Levels of Assurance

The guidelines also define levels of assurance (LoAs) one through four. LoA 2 requires “evidence of identity through use of identity information or documents from authoritative sources.” LoA 2 Plus substitutes the word “credentials” for “documents” in LoA 2, which the document explains entails biometrics. LoA 3 requires that the identity information be verified with an authoritative source. LoA 4 adds an in-person witness requirement.

The document also sets out how to calculate a “total risk rating” based on consequence and likelihood scores, which is used to assess which LoA is appropriate for a given application.

The ISO/IEC 39794 standard should be followed when capturing biometric data, and biometrically anchored credentials are expected to be issued through identity proofing processes that meet LoA 3.

Article Topics

Australia  |  biometric binding  |  biometrics  |  facial recognition  |  levels of assurance (LoAs)  |  remote identity proofing  |  selfie biometrics