Authenticate identity during each interaction
Summary
Authenticate client or third party identities during each interaction to confirm the person owns the record they are trying to access. This control is supported by the National Identity Proofing Guidelines and the Trusted Digital Identity Framework. The three types of authentication are:
- something you know, such as a password
- something you have, such as an ID badge or cryptographic key
- something you are, such as a fingerprint or other biometric data.
Why this countermeasure matters
Whole-of-Government policies require a high level of confidence in the identity of individuals when providing government services and payments.
Providing services to someone without authenticating their identity can lead to fraudsters:
- impersonating clients or third parties to receive fraudulent payments or gain access to information
- providing false or misleading information to support a request or claim
- using stolen identity documents to support a request or claim.
How to put this countermeasure in place
Some ways to implement this countermeasure include requiring:
- all clients or providers to pass an identity authentication check prior to servicing
- staff to enter their log-on ID and password to access systems
- clients or providers to pass two-factor authentication to access their online account
- clients to enter a unique PIN to access a mobile app
- verification through voice or facial biometrics
- the use of myGovID to authenticate an individual’s identity online
- the use of Relationship Authorisation Manager to authenticate someone acting on behalf of a business online.
How to measure this countermeasure's effectiveness
Measure the effectiveness of this countermeasure by using the following methods:
- Review authentication controls and policies to see if they conform to national guidelines and frameworks.
- Review the information threshold for authenticating an identity to check whether that information is publicly available, such as on social media.
- Confirm the existence of reference and guidance material.
- Confirm processes are consistently applied both within channels and across channels.
- Review a sample of completed transactions to confirm correct processes were undertaken.
- Ask staff about the authentication processes to make sure they have a consistent and correct understanding.
- Undertake pressure testing or a process walk-through to confirm that the processes cannot be bypassed.
- Identify how the requirement to authenticate identity is communicated to staff.
- Review identified cases of fraud involving the use of a false or stolen identity.
Related countermeasures
This type of countermeasure is supported by:
Legislation and policy can help prevent, detect and respond to fraud, such as by outlining clear rules, regulations and criteria, allowing entities to collect, use and disclose information and allowing entities to enforce penalties and recover fraud losses.
Develop clear instructions and guidance for activities and processes, such as instructions for collecting the right information to verify eligibility or entitlements, procedures to help staff apply consistent and correct processes and guidance to help staff make correct and ethical decisions.
Provide help and support to customers, staff and third parties to help them follow correct processes and encourage them to comply with rules and processes and meet expectations.
Provide staff with adequate training to increase the likelihood that correct and consistent processes and decisions will be applied.
Make sure requests or claims use a specific form, process or system for consistency.
Make sure to confirm the identity (an attribute or set of attributes that uniquely describe a subject within a given context) of the person making the request or claim using evidence.
Make sure forms or system controls require mandatory information to support claims or requests.
Set up system prompts and alerts to warn users when information is inconsistent or irregular, which either require acceptance before continuing or deny further action.
Escalate non-standard requests or claims for further review or scrutiny. Non-standard requests or claims might include those that are late, do not meet normal conditions, include evidence that is difficult to verify (such as from overseas) or are for amounts that are higher than normal.
Limit access to sensitive information and records.
Verify any requests or claim information you receive with an independent and credible source.
Automatically match data with another internal or external source to obtain or verify relevant details or supporting evidence. This countermeasure is supported by the Office of the Australian Information Commissioner's Guidelines on data matching in Australian government administration.
Have processes in place to prevent, identify and correct duplicate records, identities, requests or claims.
Make sure sensitive or official information cannot leave your entity's network without authority or detection.
Train and support staff to identify red flags to detect fraud, know what to do if they suspect fraud and know how to report it. Fraudsters can take advantage if staff and contractors are not aware of what constitutes fraud and corruption.
Conduct quality assurance activities to confirm that processes are being followed correctly and to a high standard.
Internal or external audits or reviews evaluate the process, purpose and outcome of activities. Clients, public officials or contractors can take advantage of weaknesses in government programs and systems to commit fraud, act corruptly, and avoid exposure.
Automatically notify clients or staff about high-risk events or transactions. This can alert them to potential fraud and avoid delays in investigating and responding to fraud.