The Australian Government Information Management Office Archive

The content on this page and other AGIMO archive pages is provided to assist research and may contain references to activities or policies that have no current application. See the full archive disclaimer.

Guide to Minimum Website Standards - Authentication


This guidance has been superseded by the Australian Government Web Publishing Guide and should be used for reference purposes only.

April 2003 edition. Contact details updated August 2006.

Chapter Headings:  A business decision - What to do - Further Assistance

Authentication

Authentication is the solution to the need for certainty in the identity of the other party to a transaction.

Where services are provided via traditional, non-electronic systems, various authentication mechanisms are used. Clients are required to sign forms or letters or other types of correspondence as proof that they supplied the information contained in those documents. Clients may be required to supply an identification number or a case number, and they may be required to provide evidence that they are who they say they are, such as a driver's licence or a birth certificate. In some cases, clients may need to attend the relevant government office in person.

Most of these methods will not work online. Where services are provided online, agencies will need to reassess how they authenticate users. Notably, the use of existing methods of authentication requiring physical presence may reduce or eliminate the convenience of the online service.

Failure to properly authenticate a transacting party may lead to situations such as the illegal transfer of funds, unauthorised ordering of goods or the mischievous alteration of data. Authentication therefore underpins confidence in electronic transactions and is a vital component of e-commerce, which depends upon transactions being accepted as valid and binding.

Broadly speaking, authentication relies on one or more of the following:

It is important to note that authentication is not the same as security. Authentication must operate in conjunction with an organisation's overall security framework.

A Business Decision

An effective approach to authentication is to understand that technology is not the sole solution. Authentication is as much about management and cultural issues as it is about technical solutions. One of the early issues for consideration is that online authentication may be a costly exercise in comparison to a manual authentication process. Agencies will need to consider cost in relation to an identified level of risk associated with failure to properly authenticate a party to an online transaction.

The likelihood and consequences of such a failure, set against the cost of implementing authentication, should be fully analysed. The consequences may be measured in a number of ways, including financial, legal/liability and political outcomes. If managed as a business issue rather than a technical issue, agency authentication needs can be effectively addressed and implemented in a cost-effective manner as the benefits of transacting online are realised.

What to do

Agencies must firstly consider whether or not their online services require authentication solutions. Some online services may only require simple authentication techniques such as the use of logins and passwords. For more complex online services that involve data interchange or financial transactions, agencies may choose to use digital certificates. The authentication solution adopted should be determined by the outcome of a risk assessment and subject to the preparation of an associated business case. Agencies should also consider the needs and expectations of their customers.

It is expected that authentication will be implemented progressively by agencies as authentication solutions are required for new services or upgrades to existing services. NOIE developed the document "Online Authentication: a guide for government managers", which provides agencies with an understanding of authentication issues to be considered when delivering government services online.

Further Assistance

Website:

www.agimo.gov.au/infrastructure/gatekeeper

For Authentication issues
Tony Halberg
(02) 6215 1529
Email anthony.halberg@finance.gov.au

For Gatekeeper (digital certificate) issues
Drew Andison
(02) 6215 1544
Email drew.andison@finance.gov.au

Fax - (02) 6215 1659

Address - Australian Government Information Management Office, Department of Finance and Administration, John Gorton Building, King Edward Terrace, Parkes ACT 2600.
