Skip to main content

Authenticate identity

Type of countermeasure

This is a prevention countermeasure. Prevention countermeasures are the most common and cost-effective way to stop fraud. They prevent or limit the size of the fraud risk by reducing the likelihood and consequences of fraud.

decorative  prevention countermeasures


Authenticate customer or third-party identities during each interaction to confirm the person owns the identity record they are trying to access.

This control is supported by the National Identity Proofing Guidelines and the Trusted Digital Identity Framework. 

There are 3 ways of authenticating that an individual is the true owner of an identity:

  • something you know, such as a password
  • something you have, such as an ID badge or cryptographic key
  • something you are, such as a fingerprint or other biometric data.

The more factors of authentication you use, the stronger your authentication controls will be.

Why this countermeasure matters

Whole-of-government policies require a high level of confidence in the identity of individuals when providing government services and payments.

Providing services to someone without authenticating their identity can lead to fraudsters:

  • impersonating customers or third parties to receive fraudulent payments or gain access to information
  • providing false or misleading information to support a request or claim
  • using stolen identity documents to support a request or claim.

How you might apply this countermeasure

Some ways to implement this countermeasure include:

  • carrying out identity authentication checks for all clients or providers prior to servicing
  • authenticating identity credentials with the authoritative source via a service such as the Identity Matching Service (IDMS) 
  • staff entering their log-on ID and password to access systems
  • clients or providers passing a two-factor authentication check to access their online account
  • clients entering a unique PIN to access a mobile app
  • using biometrics such as voice or facial to verify identity
  • using myGovID to confirm an individual’s identity online
  • using of Relationship Authorisation Manager to authenticate someone acting on behalf of a business online
  • notifying clients each time their identity is authenticated, such as through an SMS.

How to check if your countermeasures are effective

Here are some ways to measure the effectiveness of this type of countermeasure:

  • confirm that procedural instructions and guidance material exists
  • confirm that staff can easily find and reference procedural instructions and guidance material
  • confirm that staff can easily understand and apply procedural instructions and guidance material
  • confirm that staff use procedural instructions and guidance material
  • check that procedural instructions and guidance material is reviewed regularly and updated as required
  • review statistics on the number of page visits to procedural instructions and guidance material to confirm staff are using it.

Related countermeasures

This type of countermeasure is supported by:

Adequately resourced prevention and compliance areas enable entities to perform effective countermeasures.

Personal and government information is highly sought after by fraudsters and organised criminals. The way data is collected and stored can also change the scale and impact of a potential breach. To better protect personal information, the minimal data required for a transaction should be collected, used and retained. Make sure sensitive or official information cannot leave your entity's network without authority or detection.

Develop clear instructions and guidance for activities and processes, such as instructions for collecting the right information to verify eligibility or entitlements, procedures to help staff apply consistent and correct processes and guidance to help staff make correct and ethical decisions.

Confirm the identity or attribute of the individual. Evidence of identity should be collected and verified using policies, rules, processes and systems to make sure only known, authorised identities can gain access to information stored in networks and systems. This control is supported by the National Identity Proofing Guidelines and the Trusted Digital Identity Framework.

Create lists to quickly compare information to automate or require further actions.

Related Fraudster Personas

Was this page helpful?