The federal government has exposed the long-awaited framework that will govern its digital identity platform Govpass to the public for the first time.
Assistant minister for digital transformation Angus Taylor this morning opened feedback on the framework, following more than 18 months of development and several weeks of consultation with industry.
The trusted digital identity framework consists of 14 documents – four more than it contained in March – covering everything from privacy, security and fraud control to technical integration, service operations and accessibility.
However, the DTA has indicated this won’t be the final number of documents to exist under the framework; other documentation, including the federation governance model and business identity verification standard, will be progressively developed and introduced over time.
The framework underpins what the DTA is calling a national federated identity ‘eco-system’ or ‘identity federation’ – a decentralised identity model that empowers individuals to choose their identity provider and access a range of public and private sector services through a single digital identity credential.
The model was recommended in the Murray Report, released in December 2014.
It provides the structure and controls to ensure all Govpass identity providers are accredited and trustworthy, replacing the traditional “network of bilateral agreements or loosely-coupled service level agreements (SLAs)” that the DTA says “frequently lack transparency and do not readily scale on a national basis”.
The framework sets out how the model will work for identity service providers – such as Australia Post, which has already indicated it intends to be the first to seek accreditation outside of the Commonwealth – service providers, and end users.
iTnews recently revealed the government has not yet chosen who would be the single governmental identity provider.
The framework also details the DTA-built identity exchange at the centre of the model. The exchange employs a ‘double-blind’ approach to ensure identity providers and service providers can verify identity without revealing an individual's credentials to each other.
It will operate independently from other state and territory government or private sector identity exchanges, one of the numerous core privacy requirements included as part of the framework.
The framework dictates that an end user's experience in verifying their identity must be clear and simple.
Responsive design, plain language, common design patterns, catering for those with low digital skills, simple account recovery, and clear feedback and help channels are stipulated as 'musts' in the framework for identity providers.
A user starts the process of registering for Govpass by selecting an identity provider to verify their identity. They then enter their identity documentation details, which are processed through the government's document verification service (DVS).
The user will then be directed to use a webcam or mobile device to take a photo of their face so it can be verified through the facial verification service (FVS). Once their details have been verified, the user will have their digital identity created and registered for use.
If the process fails at any point the user will be redirected to an unspecified non-Govpass channel to resolve the issue.
The framework also lays out four 'identity proofing' categories and how the different levels of assurance for each should be met.
The lowest IP1 level covers non-biographical contact details that will typically be used to enrol with an identity provider.
IP2 covers "binding" documents (photo ID like a passport), "use in community" documents (like a marriage certificate or Medicare card), and a "linking" document if different names appear on a person's identity documents.
The third IP level covers the same documents as IP2 but also includes "commencement of identity" documents such as a birth certificate or DFAT-issued certificate of identity.
IP4 involves an individual bringing their supporting documentation to an in-person interview with the identity provider.
The framework sets out the steps that must be taken for each category of identity proofing during the identity verification process for an individual.
The accreditation process
The framework similarly details the accreditation process that will be used to certify all identity service providers and credential service providers – which may be internalised within an identity service provider – that intend to interact with Govpass.
An identity service provider is an entity that can verify someone's identity and "bind an identity to an authentication credential and assert identity to other members of the identity federation", the framework states. Government agencies that fit this bill include the ATO, DFAT for passports, and DHS with Medicare.
The accreditation process will evaluate governance, identity assurance, including both privacy and security, user experience, technical interoperability and service operations, and involve “a combination of documentation, third party evaluations and operational testing”.
A “single representative governance body” also operating as the 'trust framework accreditation authority' will oversee the accreditation process.
The framework doesn’t indicate which agency will provide this service, despite it being similar to the function the DTA has performed to date.
The accreditation process will require applicants to pass through a “series of decision gates”, which the trust framework accreditation authority will use to ensure the process is completed as stipulated.
Applicants are required to perform both a privacy assessment, which the DTA stresses must not be approached as a ‘tick box’ exercise, and an IRAP assessment.
At the time of the privacy assessment, the applicant is required to provide the trust framework accreditation authority with a privacy management plan and data breach plan.
When the accreditation process is completed, applicants will sign a memorandum of agreement to become accredited and have their identity services connected to Govpass.