Authenticate customer or third-party identities during each interaction to confirm the person owns the identity record they are trying to access.
There are 3 ways of authenticating that an individual is the true owner of an identity:
- something you know, such as a password
- something you have, such as an ID badge or cryptographic key
- something you are, such as a fingerprint or other biometric data.
The more factors of authentication you use, the stronger your authentication controls will be.
Why this countermeasure matters
Whole-of-government policies require a high level of confidence in the identity of individuals when providing government services and payments.
Providing services to someone without authenticating their identity can lead to fraudsters:
- impersonating customers or third parties to receive fraudulent payments or gain access to information
- providing false or misleading information to support a request or claim
- using stolen identity documents to support a request or claim.
How you might apply this countermeasure
Some ways to implement this countermeasure include:
- carrying out identity authentication checks for all clients or providers prior to servicing
- authenticating identity credentials with the authoritative source via a service such as the Identity Matching Service (IDMS)
- staff entering their log-on ID and password to access systems
- clients or providers passing a two-factor authentication check to access their online account
- clients entering a unique PIN to access a mobile app
- using biometrics such as voice or facial recognition to verify identity
- using myGovID to confirm an individual’s identity online
- using Relationship Authorisation Manager to authenticate someone acting on behalf of a business online
- notifying clients each time their identity is authenticated, such as through an SMS.
How to check if your countermeasures are effective
Here are some ways to measure the effectiveness of this type of countermeasure:
- confirm that procedural instructions and guidance material exist
- confirm that staff can easily find and reference procedural instructions and guidance material
- confirm that staff can easily understand and apply procedural instructions and guidance material
- confirm that staff use procedural instructions and guidance material
- check that procedural instructions and guidance material are reviewed regularly and updated as required
- review statistics on the number of page visits to procedural instructions and guidance material to confirm staff are using them.
This type of countermeasure is supported by: