Professional Documents
Culture Documents
Tdif Accreditation Requirements - Release 4.8 Feb 2023 - Finance
Tdif Accreditation Requirements - Release 4.8 Feb 2023 - Finance
Tdif Accreditation Requirements - Release 4.8 Feb 2023 - Finance
>Applicant< Assessment Status (this section is filled out during accreditation by the De
Application Date 30-Dec-99 Anticipated accreditation date:
Status
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
0 #DIV/0! Accepted
0 #DIV/0! Completed
# OFFICIAL
OFFICIAL #
Date Accreditation
Expected
Email Phone
alid@finance.gov.au 000 000 0000
# OFFICIAL
OFFICIAL #
Who
anding
ance) outstanding
tanding
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
Finance Link
Finance Link
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
3.3.2
ACCRED ACCRED-03-01-06 3.3.2
3.3.2.3
# OFFICIAL
OFFICIAL #
3.3.3
ACCRED ACCRED-03-03-01 3.3.3
3.3.4
ACCRED ACCRED-03-04-01 3.3.4
# OFFICIAL
OFFICIAL #
4.2.1
FRAUD FRAUD-02-01-01 4.2.1
# OFFICIAL
OFFICIAL #
4.2.2
FRAUD FRAUD-02-02-01 4.2.2
# OFFICIAL
OFFICIAL #
4.2.3
# OFFICIAL
OFFICIAL #
4.2.4
FRAUD FRAUD-02-04-01 4.2.4
# OFFICIAL
OFFICIAL #
4.2.6
FRAUD FRAUD-02-06-01 4.2.6
4.3.1
PRIV PRIV-03-01-01 4.3.1
# OFFICIAL
OFFICIAL #
4.3.2
PRIV PRIV-03-02-02 4.3.2
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
4.3.3
PRIV PRIV-03-03-01 4.3.3
# OFFICIAL
OFFICIAL #
4.3.5
PRIV PRIV-03-05-01 4.3.5
PRIV PRIV-03-05-02 4.3.5
4.3.6
PRIV PRIV-03-06-01 4.3.6
# OFFICIAL
OFFICIAL #
4.3.7
PRIV PRIV-03-07-01 4.3.7
# OFFICIAL
OFFICIAL #
4.3.9
PRIV PRIV-03-09-01 4.3.9
# OFFICIAL
OFFICIAL #
4.3.10
PRIV PRIV-03-10-01 4.3.10
4.3.11
PRIV PRIV-03-11-01 4.3.11
4.3.12
PRIV PRIV-03-12-01 4.3.12
# OFFICIAL
OFFICIAL #
4.3.13
PRIV PRIV-03-13-01 4.3.13
4.3.14
PRIV PRIV-03-14-01 4.3.14
4.3.15
PRIV PRIV-03-15-01 4.3.15
4.4.1
4.4.1.1
PROT PROT-04-01-01 4.4.1.1
# OFFICIAL
OFFICIAL #
4.4.1.2
PROT PROT-04-01-04 4.4.1.2
# OFFICIAL
OFFICIAL #
4.4.1.3
PROT PROT-04-01-11 4.4.1.3
# OFFICIAL
OFFICIAL #
4.4.1.4
PROT PROT-04-01-15 4.4.1
4.4.2
4.4.2.1
PROT PROT-04-02-01 4.4.2.1
4.4.2.2
PROT PROT-04-02-03 4.4.2.2
# OFFICIAL
OFFICIAL #
4.4.2.3
PROT PROT-04-02-05 4.4.2.3
4.4.2.4
PROT PROT-04-02-07 4.4.2.4
# OFFICIAL
OFFICIAL #
4.4.2.5
PROT PROT-04-02-15 4.4.2.5
4.4.2.6
PROT PROT-04-02-19 4.4.2.6
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
4.4.2.8
PROT PROT-04-02-26 4.4.2.8
4.4.4
PROT PROT-04-04-01 4.4.4
# OFFICIAL
OFFICIAL #
4.5.1
UX UX-05-01-01 4.5.1
UX UX-05-01-02 4.5.1
UX UX-05-01-03 4.5.1
UX UX-05-01-04 4.5.1
UX UX-05-01-05 4.5.1
UX UX-05-01-05a 4.5.1
UX UX-05-01-06 4.5.1
UX UX-05-01-07 4.5.1
4.5.2
UX UX-05-02-01 4.5.2
UX UX-05-02-02 4.5.2
UX UX-05-02-03 4.5.2
UX UX-05-02-03 4.5.2
UX UX-05-02-03 4.5.2
UX UX-05-02-04 4.5.2
UX UX-05-02-05 4.5.2
UX UX-05-02-05a 4.5.2
UX UX-05-02-05b 4.5.2
UX UX-05-02-05b 4.5.2
UX UX-05-02-05b 4.5.2
# OFFICIAL
OFFICIAL #
UX UX-05-02-05c 4.5.2
UX UX-05-02-05c 4.5.2
UX UX-05-02-06 4.5.2
UX UX-05-02-07 4.5.2
UX UX-05-02-08 4.5.2
4.5.3
UX UX-05-03-01 4.5.3
4.5.4
UX UX-05-04-01 4.5.4.1
UX UX-05-04-01 4.5.4.1
UX UX-05-04-02 4.5.4.2
UX UX-05-04-02a 4.5.4.2
UX UX-05-04-02a 4.5.4.2
UX UX-05-04-02a 4.5.4.2
# OFFICIAL
OFFICIAL #
UX UX-05-04-02a 4.5.4.2
UX UX-05-04-02a 4.5.4.2
UX UX-05-04-02a 4.5.4.2
UX UX-05-04-02b 4.5.4.2
UX UX-05-04-02b 4.5.4.2
UX UX-05-04-02b 4.5.4.2
UX UX-05-04-02b 4.5.4.2
UX UX-05-04-02b 4.5.4.2
UX UX-05-04-02b 4.5.4.2
UX UX-05-04-02b 4.5.4.2
UX UX-05-04-02b 4.5.4.2
UX UX-05-04-02c 4.5.4.2
4.5.5
UX UX-05-04-03 4.5.4.3
UX UX-05-04-04 4.5.4.3
UX UX-05-04-05 4.5.4.3
UX UX-05-04-06 4.5.4.3
UX UX-05-04-06a 4.5.4.3
UX UX-05-04-06a 4.5.4.3
UX UX-05-04-06b 4.5.4.3
4.5.6
UX UX-05-05-01 4.5.5
4.6.1
# OFFICIAL
OFFICIAL #
4.7.1
# OFFICIAL
OFFICIAL #
4.7.2
ASSESS ASSESS-07-02-01 4.7.2
4.7.3
ASSESS ASSESS-07-03-01 4.7.3
4.7.4
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
4.7.5
ASSESS ASSESS-07-05-01 4.7.5
4.7.6
# OFFICIAL
OFFICIAL #
4.7.7
ASSESS ASSESS-07-07-01 4.7.7
5.3.2
# OFFICIAL
OFFICIAL #
5.3.3
IDP IDP-03-03-01 5.3.3
5.3.4
IDP IDP-03-04-01 5.3.4
# OFFICIAL
OFFICIAL #
5.3.4.1
IDP IDP-03-04-03 5.3.4.1
5.3.5
IDP IDP-03-05-01 5.3.5
# OFFICIAL
OFFICIAL #
5.3.6
IDP IDP-03-06-01 5.3.6
5.3.7
IDP IDP-03-07-01 5.3.7
5.3.8
5.3.8.1
IDP-03-08-01 5.3.8.1
IDP
IDP IDP-03-08-02 5.3.8.1
IDP IDP-03-08-02 5.3.8.1
IDP-03-08-03 5.3.8.1
IDP
IDP-03-08-03 5.3.8.1
IDP
IDP-03-08-03 5.3.8.1
IDP
IDP-03-08-03 5.3.8.1
IDP
IDP-03-08-03 5.3.8.1
IDP
IDP-03-08-03a 5.3.8.1
IDP
# OFFICIAL
OFFICIAL #
IDP
IDP-03-08-06 5.3.8.1
IDP
IDP-03-08-07 5.3.8.1
IDP
IDP-03-08-07 5.3.8.1
IDP
IDP IDP-03-08-07 5.3.8.1
IDP-03-08-07 5.3.8.1
IDP
IDP-03-08-07 5.3.8.1
IDP
IDP-03-08-07 5.3.8.1
IDP
5.3.8.2
IDP IDP-03-08-08 5.3.8.2
# OFFICIAL
OFFICIAL #
5.3.8.3
IDP IDP-03-08-13 5.3.8.3
# OFFICIAL
OFFICIAL #
5.3.8.4
IDP IDP-03-08-15 5.3.8.4
5.3.8.5
IDP IDP-03-08-19 5.3.8.5
5.3.8.6
IDP IDP-03-08-22 5.3.8.6
# OFFICIAL
OFFICIAL #
5.4.1
CSP CSP-04-01-01 5.4.1
5.4.2.1
CSP CSP-04-02-01 5.4.2.1
# OFFICIAL
OFFICIAL #
5.4.2.2
CSP CSP-04-02-02 5.4.2.2
# OFFICIAL
OFFICIAL #
5.4.2.3
CSP CSP-04-02-03 5.4.2.3
# OFFICIAL
OFFICIAL #
5.4.2.4
CSP CSP-04-02-04 5.4.2.4
# OFFICIAL
OFFICIAL #
5.4.2.5
CSP CSP-04-02-05 5.4.2.5
# OFFICIAL
OFFICIAL #
5.4.2.6
CSP CSP-04-02-06 5.4.2.6
# OFFICIAL
OFFICIAL #
5.4.3.2
CSP CSP-04-03-02 5.4.3.2
CSP CSP-04-03-02a 5.4.3.2
CSP CSP-04-03-02b 5.4.3.2
5.4.3.3
CSP CSP-04-03-03 5.4.3.3
# OFFICIAL
OFFICIAL #
5.4.3.4
CSP CSP-04-03-04 5.4.3.4
5.4.3.5
# OFFICIAL
OFFICIAL #
5.4.3.6
CSP CSP-04-03-06 5.4.3.6
5.4.3.7
CSP CSP-04-03-07 5.4.3.7
5.4.3.8
CSP CSP-04-03-08 5.4.3.8
5.4.3.10
CSP CSP-04-03-09 5.4.3.9
# OFFICIAL
OFFICIAL #
5.4.4
5.4.4.1
CSP CSP-04-04-01 5.4.4.1
5.4.4.2
CSP CSP-04-04-02 5.4.4.2
# OFFICIAL
OFFICIAL #
5.4.4.3
CSP CSP-04-04-03 5.4.4.3
5.4.4.5
CSP CSP-04-04-07 5.4.4.5
5.4.5
CSP CSP-04-05-01 5.4.5
5.4.6
CSP CSP-04-06-01 5.4.6
CSP CSP-04-06-01a 5.4.6
CSP CSP-04-06-01b 5.4.6
5.4.7
# OFFICIAL
OFFICIAL #
5.4.8
CSP CSP-04-08-01 5.4.8
5.4.9
CSP CSP-04-09-01 5.4.9
5.4.10
CSP CSP-04-10-01 5.4.10
5.4.11
CSP CSP-04-11-01 5.4.11
# OFFICIAL
OFFICIAL #
5.5.1
ASP ASP-05-01-01 5.5.1
# OFFICIAL
OFFICIAL #
5.6.2
IDX IDX-06-02-01 5.6.2
# OFFICIAL
OFFICIAL #
5.6.4
IDX IDX-06-04-01 5.6.4
5.6.5
IDX IDX-06-05-01 5.6.5
# OFFICIAL
OFFICIAL #
Requirement Text
The TDIF Application Letter MUST specify all Accredited Roles being sought
The TDIF Application Letter MUST specify the assurance levels supported by their identity
service. For Identity Service Providers this means Identity Proofing Levels. For Credential Service
Providers this means Credential Levels .
The TDIF Application Letter MUST specify whether the Identity Facility supports:
The TDIF Application Letter MUST specify whether the Applicant wants to connect to the
Australian Government’s Digital Identity System
# OFFICIAL
OFFICIAL #
The Application Letter MUST include evidence which describes the architecture of the
Applicant’s Identity System and how it operates.
[This is intended to support Finance in its accreditation activities and assist it in determining the
scope of Functional Assessments. The evidence should explain how the Applicant’s Identity
Facility operates, and provide Finance with a sufficient understanding to enable it to work with
the Applicant to determine whether a requirement has been met.]
The Application Letter MUST include a Statement of Applicability which describes the scope of
the Applicant’s identity system.
At a minimum, the Statement of Applicability MUST:
The Statement of Applicability forms the basis of the Applicant’s Functional Assessments.
The TDIF Application Letter MUST include an accreditation schedule which includes:
The TDIF Application Letter MUST propose a commencement date and a date by which TDIF
accreditation is expected to be completed
The TDIF Application Letter MUST include the names and contact details of people responsible
within the Applicant’s organisation(s) to manage their TDIF accreditation .
3.2.2.2 Exemption Requests
If an Applicant seeks a TDIF Exemption Request against an applicable TDIF
Requirement, then it MUST submit a TDIF Exemption Request in accordance with
ACCRED-03-01-06a and the process set out in Appendix A: TDIF exemption
process.
# OFFICIAL
OFFICIAL #
The Applicant MAY submit an Alternative Assessment Report, which it requests Finance
consider as a substitute for a relevant Functional Assessment or as evidence to meet other TDIF
requirements. If the Applicant submits an Alternative Assessment Report, it MUST do so in
accordance with the following requirements.
The Alternative Assessment Report MUST have been produced no more than 12 months prior
to the date it is assessed by Finance and MUST cover the latest Major Production Release of the
Applicant’s Identity System (if any)
3.3.3.7 Varying Accreditation during Initial Accreditation
If a Provider seeks to vary its accreditation, then it MUST apply for a Variation to Accreditation
and submit an updated TDIF Application Letter, and other required evidence, as per
requirements ACCRED-03-01-01 to ACCRED-03-01-05 and the following requirements.
The Applicant MUST submit a Requirements Traceability Matrix and identify all applicable TDIF
requirements that may be impacted by the variation of accreditation.
The Applicant MUST include and submit to Finance a review of the applicable evidence
required for variation of accreditation, as outlined in Appendix C.
3.3.4.1 Finalisation of Accreditation Requirements
Once the applicant has achieved all applicable requirements, the Applicant MUST
submit a Qualifying Attestation Letter signed by the Applicant’s Accountable
Executive that contains the following information to support its claim that its
operations are in accordance with TDIF requirements:
# OFFICIAL
OFFICIAL #
Once the Applicant has achieved all applicable requirements, it MUST sign a TDIF Agreement
(MOU) with Finance, which sets out the rights, roles and obligations of both parties in relation
to the Accredited Provider’s TDIF accreditation.
TDIF: 04 - Functional Requirements
The Applicant MUST conduct an assessment of the Digital Identity Fraud Risk associated with
the Applicant’s Identity System prior to accreditation and at least once every 12 months
beginning on the date the Applicant was accredited.
The Applicant MUST
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
The Applicant MUST review and update its Digital Identity Fraud Control Plan:
# OFFICIAL
OFFICIAL #
The Applicant MUST maintain records of instructions it gives its Personnel and contractors and
procedures to assist Personnel to prevent, detect, report and deal with Digital Identity Fraud
Incidents.
The Applicant MUST provide appropriate Digital Identity Fraud Risk information and training to
Personnel whose duties relate to the services for which the Applicant is accredited:
The Applicant MUST provide fraud-control advice to Users on how to safeguard their Digital
Identity and Attributes
If the Applicant is aware of a Digital Identity Fraud Incident or Digital Identity Fraud Risk which
may affect Users, the Applicant MUST:
The Applicant MUST implement and maintain a Digital Identity Fraud control mechanism to flag
actual or suspected Digital Identity Fraud Incidents
The Applicant MUST compare all new registrations and updates to existing records against the
fraud control mechanism used to flag actual or suspected Digital Identity Fraud Incidents
If the Applicant reasonably suspects that a Digital Identity is fraudulent or its use may result in a
Digital Identity Fraud Incident, the Applicant:
In the event of a Digital Identity Fraud Incident, the Applicant MUST take reasonable steps to
# OFFICIAL
OFFICIAL #
The Applicant MUST maintain documented procedures setting out criteria for Digital Identity
Fraud Incident investigation processes and procedures including appropriate criteria for making
timely decisions at critical stages in managing a Digital Identity Fraud Incident
Where an Enforcement Body declines a referral, the Applicant MUST resolve the matter in
accordance with relevant internal and external requirements
The Applicant MUST demonstrate that the Personnel, or any external investigators, engaged to
conduct Fraud investigations are appropriately qualified Personnel with relevant qualifications
or training to effectively carry out their duties
The Applicant MUST:
The Applicant MUST include, at a minimum, the following information when reporting on
Digital Identity Fraud Incidents:
# OFFICIAL
OFFICIAL #
If the Applicant is not an APP Entity, the Applicant MUST NOT take any action or engage in a
practice with respect to Personal Information when providing services using its Identity System
unless:
The Applicant MUST have at least one designated Privacy Officer who is the primary point of
contact for advice on privacy matters and ensure that position is held by a person with relevant
qualifications and experience to effectively carry out the functions specified for the Privacy
Officer in PRIV-03-02-01a
The Applicant MUST demonstrate how the following Privacy Officer functions are carried out:
# OFFICIAL
OFFICIAL #
The Applicant MUST publish a clearly expressed and up to date Privacy Policy about the
management of Personal Information by the Applicant.
The Applicant MUST have a separate Privacy Policy in relation to its Identity System to that of
its other business, organisation functions or Accredited Roles.
Where an Applicant is applying to, or has been, accredited in two or more of the following
Accredited Roles:
a) an Identity Service Provider;
b) an Attribute Service Provider;
c) an Identity Exchange;
the Applicant MUST clearly distinguish between the privacy policy or privacy policies for each
Accredited Role
The Applicant's Privacy Officer MUST develop and maintain a Privacy Management Plan that
identifies measurable privacy goals and targets for its Identity System and the practices,
procedures and systems that will be implemented to achieve these targets and goals
The Applicant’s Privacy Champion MUST measure and document its performance against the
Privacy Management Plan relevant to TDIF at least annually
# OFFICIAL
OFFICIAL #
The Applicant MUST provide appropriate privacy awareness training to Personnel whose duties
relate to the services for which the Applicant is accredited:
(A copy of the training materials will be requested by Finance as part of initial accreditation and
annually thereafter as part of the Annual Assessment under TDIF: 07-Annual Assessment)
The privacy awareness training provided by the Applicant MUST cover the Applicant’s Privacy
Policy, TDIF privacy requirements, and any relevant privacy laws
3.3 Privacy Impact Assessment
The Applicant MUST conduct a Privacy Impact Assessment on all High Risk Projects related to its
Identity System
The Applicant MUST maintain a register of the PIAs it conducts in respect of its Identity System,
including PIAs referred to in PRIV-03-03-01 and PIAs conducted as part of Functional
Assessments
The Applicant MUST publish the register, or a version of the register, on its website.
3.4 Data Breach Response Management
If the Applicant is an APP Entity, the Applicant MUST:
The Applicant MUST develop and maintain a Data Breach Response Plan that:
# OFFICIAL
OFFICIAL #
The Data Breach Response Plan MUST NOT be inconsistent with the Applicant’s Digital Identity
Fraud Control Plan or System Security Plan
3.5 Notification of Collection
The Applicant MUST notify or make people aware as required by APP 5.
The Applicant MUST notify Individuals that the Applicant may use the Individual’s information
to detect, manage and investigate Digital Identity Fraud Incidents.
3.6 Collection and use limitation
The Applicant MUST only collect Personal information that it is permitted to collect under law
and that is reasonably necessary for the Applicant to provide the services for which it is seeking
accreditation
The Applicant MUST only collect Personal information by lawful and fair means.
The Applicant MUST only collect Personal information from the Individual or their
representative, unless it is unreasonable or impractical to do so.
The Applicant MUST NOT use or disclose Personal information for direct marketing purposes,
including:
# OFFICIAL
OFFICIAL #
The Applicant MUST NOT use or disclose Personal information for enforcement related
activities conducted by, or on behalf of, an Enforcement Body unless:
a) the Applicant is satisfied that the enforcement body reasonably suspects that a person has
committed an offence against a law of the Commonwealth or of a State or Territory that is
punishable on conviction by imprisonment for at least 3 years or started proceedings against a
person for such an offence; or
b) the Applicant is satisfied that the enforcement body reasonably suspects that a person has
breached a law imposing a penalty of 180 penalty units or more (for an individual) or 900
penalty units or more (for a body corporate), or has started proceedings against a person in
relation to the breach; or
c) the information is used or disclosed under a warrant issued by a magistrate, judge or
member of a tribunal; or
d) the use or disclosure is otherwise required by a law or TDIF Requirement that applies to
and is binding on the Applicant.
The Applicant MUST publish in an open and accessible manner an Annual Transparency Report.
The Applicant MUST NOT retain Users’ Attributes or Restricted Attributes once they are passed
from an Identity Service Provider to a Relying Party with the exception of:
a) securely storing the Attributes for the duration of an authenticated session.
b) Identity System Metadata listed in table 2 of the TDIF 05 Role Requirements.
The Applicant MUST NOT sell an Individual’s Behavioural information to a third party.
3.8 Collection and disclosure of biometrics
The Applicant MUST ensure Express Consent is obtained from an Individual prior to collecting,
using, or disclosing that Individual’s Biometric Information.
# OFFICIAL
OFFICIAL #
The Applicant MUST NOT collect, use, or disclose an Individual’s Biometric Information unless:
In accordance with PRIV-03-08-02, the Applicant MUST destroy Biometric information unless
the Biometric information is collected or was collected to create a government issued Identity
document and the Applicant is an Identity Document Issuer for that Identity Document
When destroying Biometric Information, the Applicant MUST create and maintain a record that
the destruction of Biometric Information has occurred.
The Applicant MUST NOT use a Biometric Matching algorithm to perform one-to-many
matching.
If the Applicant can collect, use or disclose Biometric Information under PRIV-03-08-01a, the
Applicant MAY disclose that biometric information to the individual to whom the information
relates.
3.9 Express Consent
The Applicant MUST ensure Express Consent is obtained from an Individual prior to disclosing
that individual’s Attributes to a Relying Party or any third party (including an Authoritative
Source).
The Applicant MUST ensure Express Consent is obtained from an Individual prior to disclosing
that individual’s Attributes to a Relying Party or any third party.
The Applicant MUST ensure Express Consent is obtained from an Individual prior to disclosing
that individual’s Attributes to a Relying Party or any third party.
# OFFICIAL
OFFICIAL #
The Applicant MUST ensure Express Consent is obtained from an Individual prior to disclosing
that individual’s Attributes to a Relying Party or any third party.
If the Applicant is obtaining enduring Express Consent from a User, they MUST implement the
following requirements: (PRIV-03-09-02a, PRIV-03-09-02b, PRIV-03-09-02c 02a, and PRIV-03-
09-02d) for the operation of withdrawal of enduring Express Consent
The Applicant MUST allow an Individual to withdraw or vary their Express Consent
The Applicant MUST demonstrate how this Express Consent withdrawal or variation process is
straightforward and easy to use
The Applicant MUST include a clear description of the process to withdraw or vary the Express
Consent in the Applicant’s Privacy Policy
The Applicant MUST, at the time of obtaining enduring consent, notify Individuals
The Applicant MUST inform Individuals of other channels available to verify their Identity and
make clear to the Individual what the consequences are of declining to provide Express Consent
or the required information
3.10 Cross border and contractor disclosure of Personal information
The Applicant MUST demonstrate how it complies with APP 8 - cross border disclosure of
Personal information.
The Applicant MUST take reasonable steps to ensure an overseas recipient of Personal
information used by the Applicant to provide its identity system only uses the Personal
information disclosed to it for purposes directly related to identity verification.
If it discloses Personal information to an overseas recipient that is not the individual, the
Applicant MUST demonstrate to Finance’s reasonable satisfaction it has appropriate
contractual and practical measures to ensure the overseas recipient complies with these TDIF
privacy requirements.
# OFFICIAL
OFFICIAL #
The Applicant MUST provide Individuals with a simple and accessible means to access and
review their Personal information.
The Applicant MUST provide Individuals with clear instructions on how to update their Personal
information
3.13 Quality of personal information
An Applicant MUST take reasonable steps to ensure quality of Personal information as outlined
in APP 10.
The Applicant MUST implement internal practices, procedures and systems (including training
Personnel in these practices, procedures and systems) to audit, monitor, identify and correct
poor-quality Personal information.
The Applicant MUST ensure updated or new Personal information is promptly added to
relevant existing records.
3.14 Handling Privacy Complaints
The Applicant MUST provide a complaints service for handling privacy complaints which:
# OFFICIAL
OFFICIAL #
The Applicant MUST empower the CSO or equivalent role to make and implement decisions
about
The Applicant MUST ensure Personnel are aware of their collective responsibility to foster a
positive security culture.
The Applicant MUST provide appropriate information and training in relation to the prevention
and management of Cyber Security Risks to Personnel whose duties relate to the services for
which the Applicant is accredited:
A copy of the training materials will be requested by Finance as part of initial accreditation and
annually thereafter as part of the Annual Assessment under TDIF: 07-Annual Assessment.
The Applicant MUST maintain records of instructions it gives its Personnel and contractors and
its procedures to assist Personnel and contractors to prevent, detect, report and deal with
Cyber Security Risks
The Applicant MUST provide Personnel in specialist and high-risk positions (including
contractors and security incident investigators) with specific security awareness training
targeted to the scope and nature of the position.
# OFFICIAL
OFFICIAL #
The Applicant MUST provide security advice to users on how to safeguard their Digital Identity,
Credentials, Personal information and Attributes.
4.1.3 System Security Plan
The Applicant MUST have in place a System Security Plan approved by the CSO to manage the
Applicant’s Cyber Security Risks
The System Security Plan MUST include
# OFFICIAL
OFFICIAL #
The Applicant MUST review and update its System Security Plan
The Applicant MUST identify Personnel, information, ICT and assets that are critical to the
ongoing operation of the Applicant’s Identity System and apply appropriate protections to
these resources to support their operation.
4.1.4 Security Maturity Monitoring
The Applicant MUST assess the maturity of its security capability to manage Cyber Security
Risks and risk culture by considering its progress against goals and strategic objectives identified
in its System Security Plan.
The Applicant MUST document and present evidence to Finance of the maturity of the
Applicant’s capability to manage Cyber Security Risks.
4.2 Information security
4.2.1 Sensitive and Classified Information
The Applicant MUST:
The Applicant MUST ensure information it holds is stored, transferred, transmitted and
disposed of securely. This includes ensuring Sensitive information (within the meaning of that
term in PSPF 08) is appropriately destroyed or archived when it has passed minimum retention
requirements or reaches authorised destruction dates
# OFFICIAL
OFFICIAL #
To manage access to information systems holding Sensitive information, the Applicant MUST
implement unique User identification, authentication and authorisation practices on each
occasion where system access is granted.
The Applicant MUST record each occasion where access is authorised, denied, limited or
removed in accordance with PROT-04-02-04, and the identity of the individual on each such
occasion
4.2.3 Safeguarding information from Cyber Threats
The Applicant MUST mitigate common and emerging cyber threats, including, at a minimum, by
implementing and maintaining controls for:
The Applicant MAY consider implementing additional ASD Strategies to Mitigate Cyber Security
Incidents
4.2.4 Incident Management, investigations and reporting
The Applicant MUST implement and maintain a mechanism for detecting Cyber Security
Incidents and suspected Cyber Security Incidents which occur in connection with its Identity
System
The Applicant MUST implement and maintain a process for Personnel, Individuals, Enforcement
Bodies and other entities to report suspected Cyber Security Incidents confidentially
The Applicant MUST implement and maintain a control mechanism to flag Cyber Security
Incidents or suspected Cyber Security Incidents which occur in connection with its Identity
System.
The Applicant MUST compare all new registrations and updates to existing records against the
control mechanism used to flag actual or suspected Cyber Security Incidents
If the Applicant reasonably suspects that the registration or update of a Digital Identity is likely
to create a Cyber Security Incident, the Applicant:
The Applicant MUST maintain documented procedures setting out criteria for Cyber Security
Incident investigation processes and procedures including appropriate criteria for making timely
decisions at critical stages in managing a Cyber Security Incident
The Applicant MUST take responsibility for investigating actual or suspected Cyber Security
Incidents which occur in connection with its Identity System, including investigating disciplinary
matters, unless the matter is referred to and accepted by the Australian Cyber Security Centre
or an Enforcement Body
Where an Enforcement Body declines a referral, the Applicant MUST resolve the matter in
accordance with relevant internal and external requirements.
The Applicant MUST demonstrate that the Personnel, or any external investigators, engaged to
conduct security investigations are appropriately qualified Personnel with relevant
qualifications or training to effectively carry out their duties
In the event of a Cyber Security Incident which impacts the Applicants Identity System, the
Applicant MUST take reasonable steps to:
# OFFICIAL
OFFICIAL #
The Applicant MUST report Cyber Security Incidents which occur in connection with their
Identity System to Finance at least once every quarter.
The Applicant MUST include the following information when reporting Cyber Security Incidents
If the use of a Digital Identity has been blocked by the Applicant in accordance with PROT-04-
02-08b as a result of a Cyber Security Incident, the Applicant MUST ensure that the Digital
Identity is not used on the Applicant’s Identity System unless the Digital Identity has been
reproofed to at least the same Identity Proofing Level that applied to the Digital Identity before
the incident
When establishing new ICT systems or implementing improvements to current ICT systems
(including software development), the Applicant MUST address security in the early phases of
the system’s development life cycle. This includes during the system concept development and
planning phases, and then in the requirements analysis and design phases.
The Applicant MUST NOT process, store or communicate Sensitive information (within the
meaning of that term in PSPF 08) on its Identity System, unless the residual Cyber Security Risks
to the Identity System and Digital Identity Information have been recognised and accepted by
the CSO or a security advisor on behalf of the CSO
The Applicant MUST ensure their ICT systems (including software) incorporate processes for
generating Audit Logs.
At a minimum, Audit Logs MUST record the following events:
# OFFICIAL
OFFICIAL #
At a minimum, Audit Logs MUST include[1] the following details for each event:
# OFFICIAL
OFFICIAL #
The Applicant MUST test their Disaster Recovery and Business Continuity Plan as part of initial
accreditation and at least once every 12 months thereafter
4.2.8 Cryptography
The Applicant MUST use:
• Australian Signals Directorate Approved Cryptographic Algorithms (AACAs); and
• Australian Signals Directorate Approved Cryptographic Protocols (AACPs),
to protect all Digital Identity Information while in transit and at rest.
The Applicant MUST maintain a Cryptographic Key Management Plan for their identity system
which covers:
The Applicant MUST assess and manage the ongoing suitability of its Personnel.
The Applicant MUST ensure that separating Personnel have their access to the Applicant’s
resources withdrawn, including:
Prior to Personnel separation or transfer, the Applicant MUST ensure the CSO, or relevant
security advisor is advised of any proposed cessation of employment resulting from misconduct
or other adverse reasons.
Where it is not possible to undertake required separation procedures, the Applicant MUST
undertake a risk assessment to identify any security implications and take reasonable steps to
mitigate any identified risks.
4.4 Physical security
The Applicant MUST implement physical security measures that minimise or remove the risk of:
The Applicant MUST protect its resources commensurate with the assessed business impact
level of their compromise, loss or damage.
The Applicant MUST assess security risks and select appropriate containers, cabinets, secure
rooms and strong rooms to protect information and assets.
The Applicant MUST dispose of physical assets securely, including by;
# OFFICIAL
OFFICIAL #
If a code or number is issued by the Applicant to a User as part of the identity proofing process,
the Applicant MUST notify the User in advance that they will receive a digital code or number,
how it will be issued and what to do with it.
The Applicant MUST advise the User on the outcome of the Identity Proofing process.
If proofing is successful, the Applicant MUST send the User confirmation regarding the
successful completion of Identity Proofing and information on next steps.
If proofing is partially complete[1], the Applicant MUST inform the User of:
# OFFICIAL
OFFICIAL #
The Applicant MUST provide support to Users who need assistance during the identity proofing
process.
The Applicant MUST provide support to Users who do not have the technology or capacity to
create a Digital Identity. For example, by providing support via a shopfront, a call centre that is
contactable via the National Relay Service, or through a text-based support such as an online
chat window.
The Applicant MUST provide clear instructions to a User on how they can update their Personal
information collected as part of the identity proofing process
5.3 Requirements for the authentication journey
The Applicant MUST provide Users with relevant information for the use and maintenance of
their Credential. For example, this may include instructions for use, information on Credential
expiry, and what to do if the Credential is forgotten, lost or stolen.
5.4 Usability testing
The Applicant MUST meet the requirements in Section 5.4.2 (Usability Test Plans) and Section
5.4.35 (Conduct Usability Testing) unless it can demonstrate to Finance that the Applicant has
The Applicant MUST document, by way of a Usability Test Plan, how it will conduct usability
testing.
The Applicant’s Usability Test Plan MUST:
# OFFICIAL
OFFICIAL #
The range of representative Individuals MUST be from a diverse range of gender classifications
The Applicant MUST conduct usability testing on its Identity System as part of initial
accreditation and at least once every 12 months thereafter
The Applicant MUST conduct usability testing of its Identity System across all relevant
components of the Applicant’s Identity System, in a production-like environment.
The Applicant MUST ensure that the User Researcher prepares a usability testing report that
documents the outcomes of its usability testing, including test methodology(s), test results,
findings and recommendations
The Applicant’s Accountable Executive must respond in writing to any recommendation
identified in the usability testing report including
The Applicant MUST provide the outcomes of its usability testing to Finance as part of initial
accreditation and annually thereafter as part of the Annual Assessment.
5.6 Accessibility requirements
The Applicant’s Identity System MUST be presented in a clear and concise manner, using plain
language that is easy to understand and accessible across all devices supported by the
Applicant’s Identity System.
Chapter 6 Technical Testing Requirements
6.1 Technical test planning
# OFFICIAL
OFFICIAL #
For the Technical Testing that the Applicant is required to complete under this section, it MUST
provide Finance with the following:
The Applicant MUST develop a Requirements Traceability Matrix (RTM) which maps the tests
completed to the TDIF requirements they are being used to demonstrate compliance with.
The Applicant MUST provide Finance with a technical test report detailing the outcomes of the
Technical Testing done under this section, including:
The Applicant MUST demonstrate through Technical Testing how its Identity System meets the
following TDIF requirements:
The Applicant MUST demonstrate through testing how its Identity System meets the following
TDIF requirements:
The Applicant MUST demonstrate through Technical Testing the functionality of all verification
methods, Identity Proofing Levels, identity lifecycle management processes and any Step-up
processes supported by the Applicant’s Identity System.
The Applicant MUST demonstrate through Technical Testing the functionality of all Credential
Levels, Credentials, Credential lifecycle management processes and any Step-Up processes
supported by the Applicant’s Identity System.
Chapter 7 Functional Assessments
7.1 Functional Assessment Requirements
# OFFICIAL
OFFICIAL #
The Applicant MUST ensure Assessors have access to and consider all relevant evidence
provided by the Applicant to Finance. This includes any responses by Finance to questions
which may have been asked.
The Functional Assessments MUST include:
If required by an Assessor or Finance, the Applicant MUST take reasonable steps to permit the
Assessor to undertake a site visit to the Applicant’s premises or other location where it provides
services in connection with its Identity System.
The Applicant MUST ensure that each Assessor prepares a report on the outcomes of the
relevant Functional Assessment that includes:
# OFFICIAL
OFFICIAL #
The Applicant MUST document the outcomes of each Functional Assessment in a Functional
Assessment Report. The Applicant’s Functional Assessment Report MUST include, for each
Functional Assessment:
The Applicant’s Accountable Executive MUST respond in writing to each recommendation, risk
and non-compliance outlined in the Functional Assessment Report including:
# OFFICIAL
OFFICIAL #
[NOTE : Applicants MUST be aware that a Moderate, High or Extreme risk rating is grounds for
a failed Initial Assessment and that Finance will not grant TDIF accreditation until the items
required in ASSESS-07-04-03b are complete and Finance is satisfied that the risk is sufficiently
mitigated. Appendix A: Risk Ratings in this document contains further details outlining the
conditions of each risk rating.]
If the risk rating meets or exceeds that outlined above in ASSESS-07-04-03a, the Accredited
Provider MUST confirm:
# OFFICIAL
OFFICIAL #
The Applicant MUST commission an Assessor to conduct a Security Assessment of its Identity
System to identify security deficiencies as part of initial accreditation and annually thereafter as
part of the Annual Assessment. The Security Assessment must, at a minimum:
The Applicant MUST NOT have user terms that are inconsistent with the user terms required
under the TDIF.
Chapter 2 Identity Service Provider Requirements
Section 3.2 Identity Proofing
# OFFICIAL
OFFICIAL #
The Applicant MUST support identity proofing at the level of Identity Proofing level 1 Plus or
above as described in Table 1 Identity Proofing Levels
For each supported Identity Proofing Level, the Applicant MUST implement it in accordance
with the requirements for that Identity Proofing Level set out in Table 1 Identity Proofing Levels
The Applicant MUST NOT make a representation, digitally or otherwise, that a Digital Identity
has achieved a particular Identity Proofing Level unless the Applicant is accredited to support
that Identity Proofing Level, and the User has achieved the requirements for that Identity
Proofing Level as set out in Table 1 below.
Before implementing an alternative identity proofing process under IDP-03-03-01, the Applicant
MUST:
# OFFICIAL
OFFICIAL #
The Applicant MUST allow Individuals to update their Attributes held by the Applicant.
The Applicant MUST verify updates to the Individual’s Identity prior to making changes to the
Individual’s Digital Identity. This includes any status changes made to the Individual’s Digital
Identity (e.g. temporary suspension or reactivation).
When requested to do so by an Authorised Representative or a User, the Applicant MUST
either:
a) suspend the use of a Digital Identity for the period requested; or
b) deactivate the digital identity.
The Applicant MUST confirm the legitimacy of any request by a User to prevent the continued
use of their Digital Identity in accordance with IDP-03-04-02, prior to preventing the continued
use of that Digital Identity.
The Applicant MUST notify the User that a Digital Identity can no longer be used in accordance
with IDP-03-04-02 and the reason why it can no longer be used (e.g. deactivated, suspended,
etc).
If a Digital Identity is suspended in accordance with IDP-03-04-02, the Applicant MUST provide
a process for a User to recover that Digital Identity which MUST include a requirement for the
user to be reproofed to the highest Identity Proofing Level as applied to the Digital Identity
before the suspension.
To verify the link between the User and their Digital Identity, the Applicant MUST either:
If a Digital Identity is suspended in accordance with IDP-03-04-03, the Applicant MUST provide
a process for a User to recover that Digital Identity by completing one of the two processes
outlined in IDP-03-04-03a for an appropriate period of time after the Digital Identity has been
suspended.
# OFFICIAL
OFFICIAL #
The Applicant MUST ensure that the User can prove ownership of their existing Digital Identity
by authenticating with their Credential prior to commencing the Identity Proofing Step-Up
process.
When a User completes the Identity Proofing Step-up process, the Applicant MAY send a
notification to the User.
3.6 Attribute collection, verification and validation
The Applicant MUST NOT collect, verify or validate Attributes beyond those listed in Table 2 and
Table 3. [Table 2 and 3 of TDIF: 05 Role Requirements]
3.7 Attribute disclosure
The Applicant MUST limit disclosure of Attributes to an Authoritative Source to Attributes listed
in Table 2 .
Unless permission has been obtained under IDP-03-07-03, or Attributes are being disclosed to
an Authoritative Source in accordance with IDP-03-07-01, the Applicant MUST limit disclosure
of Attributes to the following Attributes:
• Identity Attributes (verified) listed in Table 2.
• Contact Attributes (validated) listed in Table 2.
• Identity System metadata listed in Table 2.
• Assumed Self-asserted Attributes listed in Table 3.
The Applicant MUST seek permission from Finance to disclose Attributes beyond those listed in
IDP-03-07-02.
3.8 Biometric verification requirements
General Biometric Binding Requirements
If Biometric Binding is supported, then the Applicant MUST implement the following
requirements for the operation of Biometric Binding.
The Applicant MUST complete Biometric Binding by performing either:
The Applicant MUST consider fraud and security risks, and the associated mitigation strategies
and treatments, related to performing Biometric Binding when developing their Fraud Control
Plan and System Security Plan, including the following risks (where applicable):
# OFFICIAL
OFFICIAL #
The Photo ID used in the Biometric Matching Process MUST undergo Source Verification.
Where the Photo ID is a foreign passport, the Applicant MUST perform a DVS check to ensure
that the document and identity attributes of the foreign passport correspond to the document
and identity attributes of a current Australian visa.
The Applicant MUST log information associated with each Biometric Binding transaction, as per
PROT-04-02-22a, including the specific Biometric Matching method utilised
If the Applicant is required to have a Biometric Testing Entity test their Biometric Capability by
either IDP-03-08-12 or IDP-03-08-18, then the Applicant MUST provide evidence that:
NOTE: an entity accredited to perform PAD testing according to ISO/IEC 30107-3 and/or
biometric performance testing according to ISO/IEC 19795-2 under the National Voluntary
Laboratory Accreditation Program (NVLAP) coordinated by National Institute of Standards and
Technology (NIST) would meet the above requirements for each kind of testing respectively.
Further information about Biometric Testing Entities is also available in TDIF 05A Role Guidance.
The Applicant MUST create an Image Quality Profile of the Acquired Image and apply a quality
threshold that this image MUST pass prior to being used for Biometric Matching.
The method for generating the Acquired Image’s Image Quality Profile MUST be informed by
characteristics of biometric image quality described by ISO 29794-5.
The Applicant MUST provide to Finance the characteristics used in generating the Image Quality
Profile as a part of the initial Accreditation.
The Applicant MUST include automated quality controls and appropriate user-interface
instructions that direct a User to provide an image that meets the Acquired Image’s Image
Quality Profile.
When performing Online Biometric Binding, the Applicant MUST incorporate PAD technology at
the point of capture of the Acquired Image.
# OFFICIAL
OFFICIAL #
The Applicant MUST complete the capture of the Acquired Image and PAD processes as part of
the same process before submission of the Acquired Image to Biometric Matching.
The Applicant MUST employ PAD technology based on data captured by both the data capture
subsystem and through system level monitoring, as described by ISO 30107-1
The Applicant MUST include Liveness Detection as part of PAD.
The Applicant MUST ensure their PAD technology is tested according to ISO 30107-3 by a
Biometric Testing Entity .
[NOTE: Applicants who must meet this requirement should be familiar with obligations for
retesting PAD technology as described in TDIF 07 Maintain Accreditation.]
The Applicant MUST provide the Biometric Testing Entity’s report with the results of the testing
conducted under IDP-03-08-12 to Finance .
The PAD testing carried out by the Biometrics Testing Entity MUST include Presentation Attack
Instrument Species to address potential Presentation Attack threats as informed by the risk
assessment completed as part of IDP-03-08-03 and, if applicable, ANNUAL-03-08-03a.
The PAD testing MUST be performed on a system that incorporates all hardware and software
involved in the Biometric Binding process, including the PAD technology and Biometric
Matching (where applicable).
The PAD technology MUST be tested by a Biometric Testing Entity with configurations and
settings that align to the Applicant’s operational environment.
The PAD testing MUST calculate and record the completed PAD evaluation and corresponding
results for each Presentation Attack Species as described in ISO 30107-3.
The PAD testing MUST include at least 6 Level A Presentation Attack Instrument Species and at
least 6 Level B Presentation Attack Instrument Species.
The PAD testing MUST include a minimum of 10 individuals.
For each Presentation Attack Instrument Species, at least one Presentation Attack Instrument
MUST be created for a minimum of 3 individuals.
All utilised Attack Instrument Species (PAI Species) MUST have an attack presentation
classification error rate (APCER) of 0%.
If the Applicant’s reported APCER for any PAI Species does not meet these requirements, then a
risk-based justification for failures MUST be provided to Finance, who will make a qualitative
assessment of whether the PAD technology is fit for purpose.
3.8.3 Local Biometric Binding
If Local Biometric Binding is supported, then the Applicant MUST implement the following
requirements for the operation of Local Biometric Binding
Local Biometric Binding is performed when an Individual is in the physical presence of an
Assessing Officer, and MUST be achieved by the Assessing Officer performing one or more of
the following biometric matching processes:
While performing Local Biometric Binding, the Applicant MUST restrict access to Biometric
Information and any aspects of the Biometric Capability to Assessing Officers.
If an Acquired Image is being captured as part of Local Biometric Binding, then the Applicant
MUST develop and apply an Image Quality Profile in accordance with IDP-03-08-10 to IDP-03-
08-10c.
The Applicant MUST only undertake Local Biometric Binding at a suitable locationas identified
in the Applicant’s Fraud Control Plan and System Security Plan.
# OFFICIAL
OFFICIAL #
The Biometric Matching algorithm MUST be tested by a Biometric Testing Entity with
operational configurations and settings that align to the Applicant’s operating environment.
The Biometric Matching algorithm MUST be tested by a Biometric Testing Entity using
representation from a diverse age, gender, and ethnicity demographics that considers possible
Users of the Applicant’s system.
The Biometric Matching algorithm testing MUST establish, with a minimum 90% confidence
interval, that the Biometric Matching algorithm achieves a false match rate (FMR) of not more
than 0.01% and a false non-match rate (FNMR) of not more than 3%, as described in ISO/IEC
19795-9.
As a part of the initial TDIF Accreditation Process the Applicant MUST provide the report to
Finance from the Biometric Testing Entity outlining that the Applicant’s Biometric Matching
algorithm has been suitably tested as per the testing and reporting specifications described in
ISO/IEC 19795-2.
To perform Source Biometric Matching, the Applicant MUST provide the Acquired Image and
other information about the Photo ID in accordance with the instructions specific to the Photo
ID Authoritative Source capable of performing Biometric Matching to verify the User’s Acquired
Image biometrically matches the corresponding image stored in the Photo ID Authoritative
Source .
The Applicant MUST provide evidence that end-to-end testing has taken place with the Photo
ID Authoritative Source and that their Biometric Capability can meet any operating standards
set by the Photo ID Authoritative Source.
3.8.6 Manual Face Comparison
If Manual Face Comparison is used for any Biometric Binding processes, then the Applicant
MUST implement the following requirements for the operation of Manual Face Comparison.
# OFFICIAL
OFFICIAL #
If Manual Face Comparison is attempted using a Photo ID that can undergo Technical
Verification for authenticity, then Technical Verification MUST be attempted.
The Applicant MUST ensure that Assessing Officers performing Manual Face Comparison
receive awareness training, as part of Initial Accreditation and annually thereafter, in
accordance with the guidance provided by the latest version of the Facial Identification
Scientific Working Group (FISWG), Guide for Facial Comparison Awareness Training of
Assessors.
The Applicant MUST provide Assessing Officers with an up-to-date reference card outlining
practical steps and guidance when performing Manual Face Comparison.
The Applicant MUST provide evidence of the Manual Face Comparison training materia ls and
reference cards received by each Assessing Officer.
[A copy of the training materials will be requested by Finance as part of initial accreditation and
annually thereafter as part of the Annual Assessment under TDIF: 07-Annual Assessment.]
The Applicant MUST design and implement procedures to detect fraudulent activities by
Assessing Officers performing Manual Face Comparison. These procedures MUST be included in
the Fraud Control Plan.
The Applicant MUST design and implement quality control and quality assurance procedures
for Manual Face Comparison decisions made by Assessing Officers as part of initial accreditation
and annually thereafter. The Applicant MUST include these procedures in their risk assessment
for Biometric Binding processes.
The Assessing Officer MUST only perform Manual Face Comparison using an original, physical
Photo ID presented in-person by the Individual.
Chapter 4 Credential Service Provider Requirements
4.1 Credential Levels
The Applicant MUST support at least one of the Credential Levels described in Table 4.. [Table 4
of TDIF: 05 Role Requirements]
For each supported Credential Level, the Applicant MUST ensure that when a credential level is
asserted as a result of an authentication event, that the authentication event met all the
requirements of that credential level as described in Table 4.
The Applicant MUST ensure that Credentials presented are valid or active and that they are not
expired or revoked prior to authenticating the Individual.
Where unusual transactions are detected the Applicant MUST verify the Credential is still under
the control of its legitimate owner.
When requested by the Individual the Applicant MUST prevent the continued use of a
Credential (e.g. temporary suspension while traveling abroad).
The Applicant MUST confirm the legitimacy of the request in accordance with CSP-04-01-05,
prior to preventing the continued use of a Credential.
The Applicant MUST notify the Individual that a Credential can no longer be used in accordance
with CSP-04-01-05 and the reason why it can no longer be used (e.g. deactivated, expired,
revoked, etc).
4.2.1 Memorised Secrets
If Memorised Secrets are supported, then the Applicant MUST implement the following
requirements for the operation of Memorised Secrets.
Memorised secrets MUST be at least 8 characters in length if chosen by the Individual.
# OFFICIAL
OFFICIAL #
Memorised secrets chosen randomly by the Applicant MUST be at least 6 characters in length
and MAY be entirely numeric.
When processing requests from an Individual to establish or change a Memorised Secret, the
Applicant MUST compare the prospective secret against a list that contains secrets known to be
commonly used, expected or compromised.
If the Applicant disallows a chosen Memorised Secret based on its appearance on the list
described in CSP-04-02-01d , the Applicant MUST:
The Applicant MAY offer guidance to the Individual, such as a password-strength meter, to
assist the Individual in choosing a strong memorised secret. This is particularly important
following the rejection of a memorised secret on the above list as it discourages trivial
modification of listed (and likely very weak) memorised secrets.
The Applicant MAY permit Individuals to use the “paste” functionality when entering a
memorised secret. This facilitates the use of password managers, which are widely used and, in
many cases, increase the likelihood that Individuals will choose stronger memorised secrets.
To assist the Individual in successfully entering a memorised secret, the Applicant MAY offer an
option to display the secret — rather than a series of dots or asterisks — until it is entered. This
allows the Individual to verify their entry if they are in a location where their screen is unlikely
to be observed.
The Applicant MAY permit the Individual’s device to display individual entered characters for a
short time after each character is typed to verify correct entry. This is particularly applicable on
mobile devices.
The Applicant MUST use Australian Signals Approved Cryptographic Algorithms (AACAs) and an
authenticated protected channel when requesting memorised secrets to provide resistance to
eavesdropping and Man-in-the-Middle (MitM) attacks.
The Applicant MUST store memorised secrets in a form that is resistant to offline attacks.
Memorised secrets MUST be salted and hashed using a suitable one-way key derivation
function.
The salt MUST be at least 32 bits in length and be chosen arbitrarily so as to minimise salt value
collisions among stored hashes.
Both the salt value and the resulting hash MUST be stored for each Individual who uses
memorised secrets.
4.2.2 Look-up secrets
If Look-up Secrets are supported, then the Applicant MUST implement the following
requirements for the operation of look-up secrets.
A Applicant creating look-up secrets MUST deliver them securely to the subscriber.
W hen an Individual is authenticating, the Applicant MUST prompt the Individual for the next
secret from their Credential (e.g. the next numbered secret) or a specific secret.
A given look-up secret MUST be used successfully only once. If the look-up secret is derived
from a grid card, each cell of the grid MUST be used only once.
The Applicant MUST store Look-up Secrets in a form that is resistant to offline attacks by
ensuring that:
# OFFICIAL
OFFICIAL #
The Applicant MUST store both the salt value and the resulting hash for each look-up secret.
For Look-up Secrets that have less than 64 bits of entropy, the Applicant MUST implement a
Rate-limiting mechanism that effectively limits the number of failed Authentication attempts
that can be made on the Individual’s Digital Identity account.
The Applicant MUST use AACAs and an Authenticated Protected Channel when requesting
Look-up Secrets in order to provide resistance to eavesdropping and MitM attacks.
4.2.3 Out-of-band devices
If Out-of-band Devices are supported, then the Applicant MUST implement the following
requirements for the operation of out-of-band devices.
The out-of-band device MUST establish a separate channel with the Applicant to retrieve the
out-of-band secret or Authentication Request.
The out-of-band device MUST uniquely authenticate itself in one of the following ways when
communicating with the Applicant:
• Establish an authenticated protected channel to the Applicant using approved
cryptography .
• The key used MUST be stored in suitably secure storage available to the credential
application (e.g. keychain storage, secure element etc.).
• Authenticate to a public mobile telephone network using a SIM card or equivalent that
uniquely identifies the device. This method MUST only be used if a secret is being sent from the
Applicant to the out-of-band device via the Public Switched Telephone Network (PSTN) (SMS or
voice).
If the out-of-band device sends an approval message over the secondary communication
channel — rather than by the Individual transferring a received secret to the primary
communication channel — it MUST do one of the following:
# OFFICIAL
OFFICIAL #
Depending on the type of out-of-band device, one of the following options (1, 2, OR 3) MUST
take place:
In all cases, the authentication MUST be considered invalid if not completed within 10 minutes.
To provide replay resistance, the Applicant MUST accept a given authentication secret only
once during the validity period.
The Applicant MUST generate random authentication secrets with at least 20 bits of entropy.
If the authentication secret has less than 64 bits of entropy, the Applicant MUST implement a
rate-limiting mechanism that effectively limits the number of failed authentication attempts
that can be made on the Individual’s digital identity account.
If out-of-band verification is to be made using the PSTN, the Applicant MUST verify that the pre-
registered telephone number being used is associated with a specific physical device.
The Applicant MUST consider risks when developing their Fraud Control Plan and System
Security Plan, associated with device swap, SIM change, number porting or other abnormal
behaviour before using the PSTN to deliver an out-of-band Authentication secret.
# OFFICIAL
OFFICIAL #
When a single-factor OTP Credential is being associated with an Individual’s digital identity
account, the Applicant MUST use AACAs to either generate and exchange or to obtain the
secrets required to duplicate the authentication output.
The Applicant MUST use AACAs and an authenticated protected channel when collecting the
OTP to provide resistance to eavesdropping and MitM attacks.
To provide replay resistance, the Applicant MUST accept a given time-based OTP only once
during the validity period.
Time-based OTPs MUST have a defined lifetime that is determined by the expected clock drift
— in either direction — of the credential over its lifetime, plus allowance for network delay and
user entry of the OTP.
If the authentication output has less than 64 bits of entropy, the Applicant MUST implement a
rate-limiting mechanism that effectively limits the number of failed authentication attempts
that can be made on the Individual’s digital identity account.
4.2.5 Multi-factor one-time password devices
If multi-factor one-time password (MF OTP) devices are supported, then the Applicant MUST
implement the following requirements for the operation of MF OTP devices.
The secret key and its algorithm MUST provide at least the minimum -security strength
specified in the latest edition of the ISM.
The nonce MUST be of sufficient length to ensure that it is unique for each operation of the
device over its lifetime.
OTP authentication MUST NOT facilitate the cloning of the secret key onto multiple devices.
If the nonce used to generate the authentication output is based on a real-time clock, the
nonce MUST be changed at least once every 2 minutes.
Any memorised secret used for activation MUST be a randomly chosen numeric secret at least
6 decimal digits in length.
The unencrypted key and activation secret or biometric sample — and any biometric data
derived from the biometric sample, such as a probe produced through signal processing —
MUST be zeroised immediately after an OTP has been generated.
When a MF OTP Credential is being associated with an Individual’s digital identity account, the
Applicant MUST use AACAs to either generate and exchange, or to obtain the secrets required
to duplicate the authentication output.
The Applicant MUST use AACAs and an authenticated protected channel when collecting the
OTP to provide resistance to eavesdropping and MitM attacks.
The Applicant MUST also establish that the Credential is a MF OTP device.
Time-based OTPs MUST have a defined lifetime that is determined by the expected clock drift
— in either direction — of the credential over its lifetime, plus allowance for network delay and
user entry of the OTP.
To provide replay resistance, the Applicant MUST accept a given time-based OTP only once
during the validity period.
In the event an Individual’s authentication is denied due to duplicate use of an OTP, the
Applicant MAY warn the Individual in case an attacker has been able to authenticate in
advance.
The Applicant MAY also warn the Individual in an existing session of the attempted duplicate
use of an OTP.
If the authentication output has less than 64 bits of entropy, the Applicant MUST implement a
rate-limiting mechanism that effectively limits the number of failed authentication attempts
that can be made on the Individual’s digital identity account.
# OFFICIAL
OFFICIAL #
The key MUST be strongly protected against unauthorised disclosure using access controls that
limit access to the key to only those software components on the device requiring access.
Single-factor cryptographic software credentials MUST NOT facilitate the cloning of the secret
key onto multiple devices.
Keys MUST be protected against modification.
Keys MUST be protected against unauthorised disclosure.
The challenge nonce MUST be at least 64 bits in length.
The challenge nonce MUST either be unique over the credential’s lifetime or be statistically
unique.
The authentication event MUST use approved cryptography (i.e. AACAs and AACPs).
4.2.7 Single-factor cryptographic devices
If single-factor cryptographic devices are supported, then the Applicant MUST implement the
following requirements for the operation of single-factor cryptographic devices.
Single-factor cryptographic devices MUST encapsulate one or more secret keys unique to the
device that MUST NOT be exportable (i.e. cannot be removed from the device).
The secret key and its algorithm MUST provide at least the minimum-security length specified
in the latest edition of the ISM.
The challenge nonce MUST be at least 64 bits in length.
The challenge nonce MUST either be unique over the credential’s lifetime, or be statistically
unique.
Approved cryptography (i.e., AACAs and AACPs) MUST be used.
Keys MUST be protected against modification.
Keys MUST be protected against unauthorised disclosure.
4.2.8 Multi-factor cryptographic software
If multi-factor cryptographic software is supported, then the Applicant MUST implement the
following requirements for the operation of multi-factor cryptographic software.
The key MUST be strongly protected against unauthorised disclosure by the use of access
controls that limit access to the key to only those software components on the device requiring
access.
Authentication events MUST require the input of both factors.
Any memorised secret used for activation MUST be a randomly chosen numeric value at least 6
decimal digits in length.
The unencrypted key, and activation secret or biometric sample — and any biometric data
derived from the biometric sample such as a probe produced through signal processing —
MUST be zeroised immediately after an authentication has taken place.
Keys MUST be protected against modification.
Keys MUST be protected against unauthorised disclosure.
The challenge nonce MUST be at least 64 bits in length.
The challenge nonce MUST either be unique over the credential’s lifetime or, be statistically
unique.
The authentication event MUST use approved cryptography (i.e. AACAs and AACPs).
Truncation MUST NOT be performed on the memorised secret used for activation.
4.2.9 Multi-factor cryptographic devices
# OFFICIAL
OFFICIAL #
If multi-factor cryptographic device is supported, the Applicant MUST implement the following
requirements for the operation of multi-factor cryptographic devices.
The secret key and its algorithm MUST provide at least the minimum-security length specified
in the latest edition of the ISM.
The challenge nonce MUST be at least 64 bits in length.
The challenge nonce MUST either be unique over the Credential’s lifetime or, be statistically
unique.
Approved cryptography (i.e., AACAs and AACPs) MUST be used.
Keys MUST be protected against modification.
Keys MUST be protected against unauthorised disclosure.
4.3 General credential requirements
4.3.1 Physical credentials
If physical Credentials are supported, the Applicant MUST implement the following
requirements to operate physical Credentials.
The Applicant MUST provide the Individual with instructions on how to appropriately protect
the credential against theft or loss.
The Applicant MUST provide a mechanism to revoke or suspend the credential immediately
upon notification from the individual that loss or theft of the credential is suspected.
4.3.2 Rate limiting (throttling)
The Applicant MUST implement rate limiting (or throttling) for all credentials.
The Applicant MUST implement controls to protect against online guessing attacks.
The Applicant MUST limit consecutive failed authentication attempts on a single account to no
more than 100.
Additional techniques MAY be used to reduce the likelihood that an attacker will lock the
Individual out of their digital identity account out as a result of rate limiting. Following a failed
authentication event, the Applicant MAY require:
• The individual to complete a Completely Automated Public Turing test to tell Computers
and Humans Apart (CAPTCHA) before attempting authentication.
• The Individual to wait for a period of time that increases as the account approaches its
maximum allowance for consecutive failed attempts (e.g. 30 seconds up to an hour).
• Accepting only authentication requests that come from a whitelist of IP addresses from
which the Individual has been successfully authenticated before.
• Leveraging other risk-based or adaptive authentication techniques to identify user
behaviour that falls within or out of typical norms. Examples include: use of IP address,
geolocation, timing of request patterns, or browser metadata.
When the individual successfully authenticates, the Applicant MAY disregard any previous
failed attempts for that user from the same IP address.
4.3.3 biometrics (for authentication use)
If biometrics for authentication use are supported, then the Applicant MUST implement the
following biometrics requirements for the operation of biometrics for authentication use.
Biometrics MUST be used only as part of multi-factor authentication with a physical Credential.
An authenticated protected channel between sensor and Applicant MUST be authenticated
prior to capturing the biometric sample from the Individual.
The biometric system MUST operate with a False-Match-Rate (FMR) of 1 in 1000 or better.
# OFFICIAL
OFFICIAL #
This FMR MUST be achieved under conditions of a conformant attack (i.e., zero-effort impostor
attempt) as defined in ISO/IEC 30107-1.
The biometric system MUST implement Presentation Attack Detection (PAD).
Testing of the biometric system to be deployed MUST demonstrate at least 90% resistance to
presentation attacks for each relevant attack type (i.e. species), where resistance is defined as
the number of thwarted presentation attacks divided by the number of trial presentation
attacks.
Testing of presentation attack resistance MUST be in accordance with Clause 12 of ISO/IEC
30107-3:2017.
The PAD decision MAY be made either locally on the Individual’s device or by the Applicant.
The biometric system MUST allow no more than 5 consecutive failed authentication attempts
or 10 consecutive failed attempts.
Once the limit of consecutive failed attempts has been reached, the biometric system MUST
either:
The Applicant MUST make a determination of sensor and endpoint performance, integrity, and
authenticity. Acceptable methods for making this determination include, but are not limited to:
• Authentication of the sensor or endpoint.
• Certification by an approved accreditation authority
• Runtime interrogation of signed metadata (e.g. attestation).
If supported, Biometric comparison that is performed centrally MUST implement the following:
Information conveyed by credential attestation MAY include, but is not limited to:
• The provenance (e.g. manufacturer or supplier certification), health, and integrity of the
credential and endpoint
• Security features of the credential
• Security and performance characteristics of biometric sensor(s)
• Sensor modality.
If this attestation is signed, it MUST be signed using a digital signature that provides at least the
minimum-security strength specified in the latest version of the ISM.
4.3.5 CSP-impersonation resistance
# OFFICIAL
OFFICIAL #
Credentials that involve the manual entry of an authentication output, such as out-of-band and
OTP Credentials, MUST NOT be considered CSP-impersonation resistant because the manual
entry does not bind the authentication output to the specific session being authenticated.
4.3.6 IdP-CSP communications
In situations where the IdP and CSP are separate entities, communication MUST occur through
a mutually authenticated secure channel (such as a client-authenticated TLS connection) using
approved cryptography (i.e, AACAs and AACPs).
4.3.7 CSP-compromise resistance
# OFFICIAL
OFFICIAL #
When any new Credential is bound to an Individual’s account, the Applicant MUST ensure that
the binding protocol and the protocol for provisioning the associated key(s) are done at a level
of security commensurate with the CL at which the Credential will be used.
4.4.2 Binding at enrolment
For remote transactions where enrolment and binding cannot be completed in a single
electronic transaction (i.e. within a single protected session), the following requirements MUST
be met to ensure that the same party acts as the Individual throughout the process:
For in-person transactions where enrolment and binding cannot be completed in a single
physical encounter (i.e. within a single protected session), the following requirements MUST be
met to ensure that the same party acts as the Individual throughout the process:
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
The Applicant MUST revoke the binding of a Credential promptly when an account ceases to
exist (e.g. an Individual’s death, discovery of a fraudulent account), when requested by the
Individual, or when the Applicant determines that the Individual no longer meets its eligibility
requirements.
The Applicant MUST require an Individual to surrender or certify destruction of any physical
Credential containing certified attributes signed by the Applicant as soon as practical after
revocation or termination takes place. This is necessary to block the use of the Credential’s
certified attributes in offline situations between revocation or termination and expiration of the
certification.
4.8 Session management
A session MAY be started in response to an authentication event and continue until such time
that it is terminated.
A session MAY be terminated for any number of reasons, including but not limited to an
inactivity timeout, an explicit logout event or other means.
The Session MAY be continued through a re-authentication in accordance with the
requirements in section 4.9.
4.9 Reauthentication
Continuity of authenticated sessions MUST be based upon the possession of a session secret
issued by the Applicant at the time of authentication and optionally refreshed during the
session.
Session secrets MUST be non-persistent.
Session secrets MUST NOT be retained across a restart of the associated application or a reboot
of the host device.
Periodic reauthentication of sessions MUST be performed to confirm the continued presence of
the Individual at an authenticated session (i.e. that the Individual has not walked away without
logging out).
When a session has been terminated, due to a time-out or other action, the Individual MUST be
required to establish a new session by authenticating again.
4.10 Credential Step-Up
If the Applicant supports a User to Step-Up the Credential Level that can be asserted as a result
of an authentication event to a higher Credential Level supported by the Applicant, then it
MUST implement the following requirements for the operation of Step-Up for all Credential
Levels.
The Applicant MUST ensure that an Individual can prove ownership of their existing Digital
Identity by authenticating with their Credential to their account prior to commencing the
Credential Step-Up process.
# OFFICIAL
OFFICIAL #
The Applicant MUST ensure the Root Certification Authority (CA) Private Key is not used to
digitally sign Digital Certificates, except in the following cases:
• Self-signed Digital Certificates to represent the Root CA itself.
• Digital Certificates for Subordinate CAs and Cross Certificates.
• Digital Certificates for infrastructure purposes (for example, administrative role certificates
and OCSP Digital Certificates).
• Digital Certificates issued solely for the purpose of testing software with Digital Certificates
issued by the Root CA.
The Applicant MUST implement a process to allow Individuals to request revocation of their
Digital Certificate.
The Applicant MUST implement revocation procedures for the following situations:
[Evidence of this arrangement will be requested by Finance as part of initial accreditation and
annually thereafter as part of the Annual Assessment.]
# OFFICIAL
OFFICIAL #
The Applicant MUST ensure every Attribute it issues or manages is uniquely identifiable.
The Applicant MUST manage and provide up-to-date, relevant and accurate Attributes.
If the Applicant is an Authoritative Source for an Attribute, the Applicant MUST verify all
requests to update relevant Attributes prior to making changes.
The Applicant MUST take reasonable measures to prevent the continued use of an Attribute
(e.g. suspension, deactivation) when requested to do so by a User, Authorised Representative
or Authoritative Source.
The Applicant MUST confirm the legitimacy of the request from an authorised Individual or
Authoritative Source in accordance with ASP-05-02-05, prior to actioning the request.
The Applicant MAY support issuing or linking multiple Attributes and Attribute Classes to an
Individual.
The Applicant MAY support issuing or linking multiple Attributes relating to the same entity to
an Individual.
The Applicant MAY support issuing or linking multiple Individuals to the same Attribute.
Chapter 6 Identity Exchange Requirements
6.1 Audit Logging Requirements
The Applicant MUST generate a unique audit Id for an Authentication Request from a Relying
Party to be used as the Unique interaction identifier for the interaction.
The Applicant MUST log all related interactions between Relying Parties and Identity Service
Providers using this unique audit id (this includes Attribute Service Providers acting as Relying
Parties).
6.2 Consent Management
In accordance with PRIV-03-09-03, the Applicant MUST maintain the following information as
part of its Audit Logs:
# OFFICIAL
OFFICIAL #
If the Applicant securely caches attributes as per IDX-06-03-03, these attributes MUST NOT be
accessible to the Applicant’s Personnel.
The Applicant MAY restrict the expiration period for an authentication session to manage
security risks.
6.4 User Dashboard
If a User Dashboard is supported, then the Applicant MUST implement the following
requirements for the operation of a User Dashboard.
The Applicant MUST display to the Individual their Consumer History and enable the Individual
to view the Express Consent they have provided to share attributes with a Relying Party or any
third party.
The Applicant MUST NOT store Attributes of the Individual after the Individual’s session at the
User Dashboard has been terminated.
6.5 IdP Selection
If IdP Selection is supported, the Applicant MUST implement the following requirements for the
operation of IdP Selection.
The list of Identity Service Providers presented by the Applicant to the User MUST be capable of
meeting the Credential Level and Identity Proofing Level requested in the Authentication
Request.
The Applicant MAY provide a mechanism for an Individual’s selection of an Identity Service
Provider to be remembered so the Individual does not have to select an Identity Service
Provider (again) when accessing a Relying Party.
Express Consent MUST be obtained from the Individual prior to offering the mechanism
described in IDX-06-05-02.
The Individual MUST have the ability to opt out of using the mechanism described in IDX-06-05-
02.
# OFFICIAL
OFFICIAL #
Sub-Requirement A C I X
A C I X
A C I X
A C I X
A C I X
A C I X
C I
A C I X
# OFFICIAL
OFFICIAL #
A C I X
A C I X
A C I X
A C I X
A C I X
# OFFICIAL
OFFICIAL #
A C I X
A C I X
A C I X
A C I X
A C I X
# OFFICIAL
OFFICIAL #
A C I X
• If the Applicant has risks, recommendations or non-compliances
identified in its Forward Work Plan, then the Qualifying Attestation
Letter MUST contain a summary of these risks, implementation
dates and any further information as per ASSESS-07-04-02 and
ASSESS-07-04-03.
A C I X
# OFFICIAL
OFFICIAL #
A C I X
# OFFICIAL
OFFICIAL #
A C I X
h) Procedures and mechanisms for Digital Identity Fraud Incident
management, fraud investigations and reporting Digital Identity
Fraud Incidents.
i) An outline of key roles and responsibilities for Digital Identity A C I X
Fraud Control within the Applicant’s organisation
A C I X
# OFFICIAL
OFFICIAL #
A C I X
A C I X
A C I X
A C I X
A C I
# OFFICIAL
OFFICIAL #
A C I X
A C I
A C I
A C I
A C I X
# OFFICIAL
OFFICIAL #
neither (a) nor (b) apply and the Applicant has entered an A C I X
agreement with Finance, and the agreement requires the Applicant
to comply with the Privacy Act and the APPs in relation to that
action or practice as if the Applicant were an APP Entity.
A C I X
A C I X
A C I X
# OFFICIAL
OFFICIAL #
A C I X
A C I X
A C I X
A C I X
# OFFICIAL
OFFICIAL #
A C I X
A C I X
A C I X
# OFFICIAL
OFFICIAL #
A C I X
A C I X
A C I X
A C I X
A C I X
A C I X
A C I X
# OFFICIAL
OFFICIAL #
A C I X
C I
# OFFICIAL
OFFICIAL #
A C I X
a) The Applicant is seeking accreditation, or is accredited, as an
Identity Service Provider or Credential Service Provider and the
Biometric Information is being collected, used or disclosed for the
purposes of conducting Biometric Binding as part of an Identity
Proofing Process or authenticating the Individual to their Digital
Identity; or
A C I X
b) The Biometric Information is being collected, used or disclosed
for the purposes of creating a government issued Identity
document.
a) if collected by an Identity Service Provider for the purpose of C I
conducting Biometric Binding as part of an Identity Proofing
Process, immediately after the Biometric Binding process is
complete; or
C I
A C I X
C I
A C I X
# OFFICIAL
OFFICIAL #
A C I X
A C I X
A C I X
A C I X
A C I X
A C I X
A C I X
A C I X
A C I X
A C I X
A C I X
A C I X
A C I X
A C I X
# OFFICIAL
OFFICIAL #
A C I
A C I
A C I X
A C I
A C I
A C I X
A C I X
# OFFICIAL
OFFICIAL #
A C I X
# OFFICIAL
OFFICIAL #
A C I X
# OFFICIAL
OFFICIAL #
A C I X
A C I X
# OFFICIAL
OFFICIAL #
A C I X
a) application control A C I X
b) patching applications A C I X
c) restricting administrative privileges; and A C I X
d)patching operating systems; A C I X
A C I X
A C I X
A C I X
A C I X
A C I X
A C I X
A C I X
A C I X
# OFFICIAL
OFFICIAL #
A C I X
A C I X
A C I X
A C I
A C I X
A C I X
A C I X
A C I X
# OFFICIAL
OFFICIAL #
A C I X
a) Business continuity governance.
b) Training requirements for recovery team members. A C I X
# OFFICIAL
OFFICIAL #
A C I X
A C I X
A C I X
A C I X
a) Harm to Individuals
A C I X
b) Information and physical assets and resources being made
inoperable or inaccessible, or being accessed, used or removed
without appropriate authorisation.
A C I X
A C I X
# OFFICIAL
OFFICIAL #
A C I
A C I
A C I X
A C I X
A C I X
A C I X
A C I X
I
I
# OFFICIAL
OFFICIAL #
a) an option to either: I
i. continue with the proofing process using one or more
alternative channels; or
ii. not continue with the proofing process; and
A C I X
# OFFICIAL
OFFICIAL #
A C I X
A C I X
A C I X
A C I X
A C I X
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
A C I X
A C I X
a)Documentation reviews. A C I X
b)Interviews with key personnel. A C I X
c)A run through of the Applicant’s Identity System. A C I X
A C I X
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
A C I X
A C I X
# OFFICIAL
OFFICIAL #
b) The scope of the User’s right to access and use the Identity A C I X
System must be consistent with the TDIF.
c) That the User is responsible for providing accurate Identity A C I X
Documents and Attributes to the Applicant.
d) That the User is responsible for reporting unauthorised use of A C I X
their Digital Identity or Credential to the Applicant as soon as they
become aware of it.
e) That the Applicant may suspend, cancel or terminate the User’s A C I X
access to the Identity System at any time.
f) That the Applicant may make changes to the User terms at any A C I X
time without prior notice and if the User terms are changed, the
User’s continued use of the Identity System will be subject to their
acceptance of the updated User terms.
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
I
I
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
I
I
# OFFICIAL
OFFICIAL #
I
I
I
I
# OFFICIAL
OFFICIAL #
I
I
# OFFICIAL
OFFICIAL #
C
C
# OFFICIAL
OFFICIAL #
C
C
C
C
C
C
# OFFICIAL
OFFICIAL #
b) Look-Up Secrets that have less than 112 bits of entropy are C
salted and hashed using an AACA with a salt value of at least 32 bits
in length which is arbitrarily chosen.
C
C
C
C
C
# OFFICIAL
OFFICIAL #
1.
Transfer of secret to primary channel: o The Applicant MUST signal
the device containing the Individual’s Credential to indicate
readiness to authenticate
o It MUST then transmit a random secret to the out-of-band device
o The Applicant MUST then wait for the secret to be returned on
the primary communication channel.
C
2.
Transfer of secret to secondary channel:
o The Applicant MUST display a random Authentication secret to
the Individual via the primary channel
o It MUST then wait for the secret to be returned on the secondary
channel from the Individual’s out-of-band device.
C
3.
Verification of secrets by the Individual:
o The Applicant MUST display a random Authentication secret to
the Individual via the primary channel and MUST send the same
secret to the out-of-band device via the secondary channel for
presentation to the Individual.
o It MUST then wait for an approval (or disapproval) message via
the secondary channel.
C
C
C
C
C
# OFFICIAL
OFFICIAL #
C
C
C
C
C
C
# OFFICIAL
OFFICIAL #
C
C
C
C
C
C
C
C
C
C
C
C
C
C
C
C
C
C
C
C
C
C
C
C
C
# OFFICIAL
OFFICIAL #
C
C
C
C
C
C
C
C
C
C
C
C
C
C
# OFFICIAL
OFFICIAL #
C
C
C
C
C
• Impose a delay of at least 30 seconds before the next attempt,
increasing exponentially with each successive attempt (e.g. 1
minute before the following failed attempt, 2 minutes before the
second following attempt), or
C
• Disable the biometric User Authentication and offer another
factor (e.g. a different biometric modality or a PIN/Passcode if it is
not already a required factor) if such an alternative method is
already available.
C
C
• Use of the biometric as an Authentication factor MUST be limited
to one or more specific devices that are identified using approved
cryptography (i.e. AACAs and AACPs)
•a separate Key MUST be used for identifying the device C
• Biometric revocation, referred to as ‘biometric template C
protection’ in ISO/IEC 24745, MUST be implemented
• All transmission of biometrics MUST be over the Authenticated C
Protected Channel.
C
C
# OFFICIAL
OFFICIAL #
C
C
C
C
C
C
C
C
C
C
C
C
# OFFICIAL
OFFICIAL #
C
2. Provide meaningful notice to Individuals regarding the security
risks of the Restricted Credential and availability of alternative(s)
that are not restricted
3. Address any additional risk to Individuals in its security Risk C
Assessment
4. Develop a migration plan for the possibility that the Restricted C
Credential is no longer acceptable at some point in the future.
C
C
C
C
C
• The Individual MUST identify themselves in each new binding
transaction by presenting a temporary secret which was either
established during a prior transaction or sent to the Individual’s
mobile phone number or email address
• Long-term Authentication secrets MUST only be issued to the C
Individual within a protected Session.
C
# OFFICIAL
OFFICIAL #
C
• If the Applicant issues long-term Authentication secrets during a
physical transaction, then they MUST be loaded locally onto a
physical device that is issued in-person to the individual or delivered
in a manner that confirms the individual’s email address or mobile
phone number.
C
C
C
C
C
C
C
C
C
C
C
C
C
# OFFICIAL
OFFICIAL #
C
C
C
C
C
C
C
C
C
a) is capable of meeting all the applicable requirements of the C
higher credential level
C
C
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
A
A
A
A
X
X
X
X
•Timestamp X
# OFFICIAL
OFFICIAL #
X
X
X
X
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
ANNUAL ANNUAL-02-01-01a 7.2.1 Accredited Providers MUST meet any new or amended
requirements in the newest version of the TDIF, published on the
TDIF website, within 12 months of that version being published.
These requirements will be assessed as part of the Accredited
Provider’s Annual Assessment
ANNUAL ANNUAL-02-01-02 7.2.1 If Finance makes a finding that the Accredited Provider has failed
to comply with ANNUAL-02-01-01 and ANNUAL-02-01-01a, Finance
will advise the Accredited Provider in writing of the non-
compliance and direct it to submit evidence to meet the following
requirements. The accredited provider MUST provide to Finance in
writing:
ANNUAL ANNUAL-02-01-02b 7.2.1 If the risk rating meets or exceeds that outlined above in ANNUAL-
02-01-02a, the Accredited Provider MUST confirm:
# OFFICIAL
OFFICIAL #
ANNUAL 7.2.1
ANNUAL 7.2.1
ANNUAL ANNUAL-02-01-06 7.2.1.2 The Accredited Provider MUST include and submit to Finance a
review of the evidence required for a change of scope of
accreditation, as outlined in Appendix C .
ANNUAL ANNUAL-02-01-07 7.2.1.2 An Accredited Provider MAY use Alternative Assessment Reports
as per requirements ANNUAL-02-03-01 to ANNUAL-02-03-01b to
meet the TDIF requirements.
# OFFICIAL
OFFICIAL #
ANNUAL ANNUAL-02-02-02 7.2.2 The Accredited Provider MUST ensure that all Annual Assessment
requirements are completed by the anniversary of its initial
accreditation date.
ANNUAL ANNUAL-02-02-03 7.2.2 Before the anniversary of the Accredited Provider’s initial
accreditation date, the Accredited Provider MUST provide Finance
with a full and unredacted copy of:
# OFFICIAL
OFFICIAL #
ANNUAL ANNUAL-02-02-04 7.2.2.1 Once the Accredited Provider has achieved all applicable TDIF
Annual Assessment requirements, it MUST submit a Qualifying
Attestation Letter signed by the Accredited Provider’s Accountable
Executive that contains the following information to support the
Accredited Provider’s claim that its operations remain in
accordance with TDIF requirements:
ANNUAL ANNUAL-02-03-01a 7.2.3 Any request made to Finance to consider Alternative Assessment
Reports MUST include:
ANNUAL ANNUAL-02-03-01 7.2.3
ANNUAL ANNUAL-02-03-01b 7.2.3 The Alternative Assessment Report MUST have been produced no
more than 12 months prior to the date it is provided to Finance
and MUST cover the latest Major Production Release of the
Applicant’s Identity System (if any) at the time of the Accredited
Provider’s Annual Assessment.
# OFFICIAL
OFFICIAL #
ANNUAL ANNUAL-02-04-02a 7.2.4 ANNUAL-02-04-02 does not apply if the Accredited Provider has
demonstrated to Finance that the Accredited Provider has no
interaction with a user when providing the services for which the
Accredited Provider is accredited for.
ANNUAL ANNUAL-02-04-02b 7.2.4 ANNUAL-02-04-02 does not apply if the Accredited Provider has
demonstrated to Finance that the Accredited Provider:
ANNUAL ANNUAL-02-05-01a 7.2.5 The Accredited Provider MUST demonstrate to Finance how the
Assessors :
ANNUAL ANNUAL-02-05-01a 7.2.5
# OFFICIAL
OFFICIAL #
ANNUAL ANNUAL-02-07-02 7.2.7 As part of the Functional Assessments, the Assessors MUST
undertake the following activities
ANNUAL ANNUAL-02-07-02 7.2.7
ANNUAL ANNUAL-02-07-02 7.2.7
ANNUAL ANNUAL-02-07-03 7.2.7 If required by an Assessor or Finance, the Accredited Provider
MUST take reasonable steps to permit the Assessor to undertake a
site visit to the Accredited Provider’s premises or other location
where it provides services in connection with its Identity System.
ANNUAL ANNUAL-02-07-04 7.2.7 The Accredited Provider MUST ensure that each Assessor prepares
a report on the outcomes of the relevant Functional Assessment
that includes:
ANNUAL ANNUAL-02-07-04 7.2.7
# OFFICIAL
OFFICIAL #
ANNUAL ANNUAL-02-08-02a 7.2.8.1 The Accredited Provider’s Accountable Executive MUST respond in
writing to each recommendation, risk and non-compliance outlined
in the Annual Assessment Reports including:
ANNUAL ANNUAL-02-08-03 7.2.8.1 If the Accredited Provider does not implement a mitigation or
recommendation by the timeframe set out in ANNUAL-02-08-02a,
then its Accountable Executive MUST provide to Finance in writing:
# OFFICIAL
OFFICIAL #
ANNUAL ANNUAL-02-08-04a 7.2.8.1 If the risk rating meets or exceeds that outlined above in ANNUAL-
02-08-04, the Accredited Provider MUST confirm:
ANNUAL ANNUAL-02-08-04a 7.2.8.1
ANNUAL ANNUAL-02-09-02 7.2.9 As part of the Annual Assessment the Accredited Provider MUST
review the following PRIV requirements in TDIF 04 Functional
Requirements and provide Finance with:
ANNUAL ANNUAL-02-09-02 7.2.9
# OFFICIAL
OFFICIAL #
ANNUAL ANNUAL-02-09-03 7.2.9 As part of the Annual Assessment the Accredited Provider MUST
provide Finance with a copy of their Annual Transparency Report
(as per PRIV-03-06-05 and PRIV-03-06-05a).
ANNUAL ANNUAL-02-09-04 7.2.9 As part of the Annual Assessment the Accredited Provider MUST
review the following PROT requirements in TDIF 04 Functional
Requirements and provide Finance with:
ANNUAL ANNUAL-02-09-04 7.2.9
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
ANNUAL ANNUAL-02-10-03 7.2.10.1 The Applicant MUST consider the following risks related to
performing Biometric Binding when reviewing their Fraud Control
Plan and System Security Plan as part of its Annual Assessment
requirements:
ANNUAL ANNUAL-02-10-03a 7.2.10.1 Evidence of the review and risks outlined in ANNUAL-02-10-03,
associated mitigation strategies and treatments, the Applicant’s
risk framework and any supporting evidence MUST be provided to
Finance as part of the Annual Assessment.
ANNUAL ANNUAL-02-10-03b 7.2.10.1 If the risk assessment undertaken by the Applicant in ANNUAL-02-
10-03 indicates that substantial changes have occurred to the PAD
technology of the Accredited Provider’s Biometric Capability , the
PAD technology MUST be re-tested as per IDP-03-08-12 to IDP-03-
08-12i and the report and any additional required evidence
submitted to Finance for review as part of the Annual Assessment.
ANNUAL ANNUAL-02-10-03c 7.2.10.1 If the risk assessment undertaken by the Applicant in ANNUAL-02-
10-03 indicates that substantial changes have occurred to the
matching algorithm of the Accredited Provider’s Biometric
Capability, the Matching Algorithm MUST be re-tested as per IDP-
03-08-18 to IDP-03-08-18d and the report and any additional
evidence submitted to Finance for review as part of the Annual
Assessment.
# OFFICIAL
OFFICIAL #
ANNUAL ANNUAL-02-10-04 7.2.10.1 If the Accredited Provider supports Local Biometric Binding, then it
MUST review and record any variations to the locations used for
Local Biometric Binding during the last 12 months as per IDP-03-
08-14c and FRAUD-02-01-04.
ANNUAL ANNUAL-02-10-05 7.2.10.1 If the Accredited Provider supports Manual Face Comparison, it
MUST review and submit to Finance evidence of:
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
Sub-Requirement A C I X Y/
N
A C I X
NOTE: If an Accredited Provider does not provide the information
required by ANNUAL-02-01-01 or ANNUAL-02-01-01a by their Annual
Assessment date, Finance will then assess whether the Accredited
Provider has failed to meet one or more of their ongoing obligations. If
Finance finds that the Accredited Provider has failed to meet their
obligations, this will result in a finding of non-compliance with the
TDIF. A finding of non-compliance may result in a failed Annual
Assessment. A failed Annual Assessment may result in suspension or
termination of accreditation.
A C I X
a) a risk rating assigned to each instance of non-compliance as set
out in Appendix A; and
A C I X
b) Include details of:
A C I X
a) it has implemented mitigations to address the recommendation,
risk or non-compliance
A C I X
# OFFICIAL
OFFICIAL #
A C I X
then the Applicant MUST inform Finance of changes to their Identity
System as part of its Annual Assessment and any provisions as
stipulated by the TDIF Agreement (MOU).
[Finance will decide, and provide in writing, whether the Applicant will
need to formally apply for a Variation in Accreditation or, depending
on the severity of risks or impacts to the Accredited Provider’s Identity
System, whether the accreditation should be suspended or
terminated]
A C I X
A C I X
A C I X
A C I X
A C I X
# OFFICIAL
OFFICIAL #
A C I X
A C I X
In order for Finance to review an Accredited Provider’s Annual
Assessment materials, the Accredited Provider should submit its
Annual Assessment evidence at least two months prior to the
anniversary of its initial accreditation date
A C I X
a) each Functional Assessment report prepared under ANNUAL-02-
07-04.
A C I X
b) Where applicable, the Accredited Provider’s Annual Usability Test
Report conducted in accordance with ANNUAL-02-04-02 A C I X
c) the Accredited Provider’s Annual Assessment Reports prepared in
accordance with ANNUAL-02-08-01 A C I X
d) each response from the Accredited Provider’s Accountable
Executive under ANNUAL-02-08-02a. A C I X
e) All applicable evidence required as part of the review under
Section 2.9 Evidence Review Requirements and listed in Appendix B.
A C I X
f) An annual Qualifying Attestation Letter in accordance with the
requirements set out in ANNUAL-02-02-04. A C I X
# OFFICIAL
OFFICIAL #
A C I X
• A statement that the Accredited Provider’s Identity System
complies with the TDIF requirements and the TDIF Agreement (MOU)
A C I X
• The version of the TDIF the Accredited Provider is assessed and
accredited under for the relevant Annual Assessment A C I X
• a statement confirming it has provided Finance with all relevant
documents, materials and evidence to the accreditation as part of its
review
A C I X
• A statement confirming that the evidence provided is a fair and
accurate representation of its Identity System A C I X
• If the Accredited Provider has risks or non-compliances identified
in its Annual Assessment reports, then the Qualifying Attestation Letter
MUST contain a summary of these risks, implementation dates and any
further information as per ANNUAL-02-08-02 to ANNUAL-02-08-04a
A C I X
A C I X
a) Which Functional Assessment or TDIF requirements it is provided
as evidence for A C I X
b) A rationale for why the Alternative Assessment Report should be
considered as equivalent to a Functional Assessment or as appropriate
evidence to meet the TDIF Requirements, and
A C I X
c) A Requirements Traceability Matrix, which sets out:
A C I X
A C I X
# OFFICIAL
OFFICIAL #
A C I X
b)a Security Assessment in accordance with ANNUAL-02-09-06 A C I X
c)a Penetration Test in accordance with ANNUAL-02-09-07; and A C I X
d)an Accessibility Assessment in accordance with ANNUAL-02-09-08.
A C I X
Subject to ANNUAL-02-04-02a or ANNUAL-02-04-02b, the Accredited
Provider MUST ensure a user researcher conducts a Usability Test in
accordance with ANNUAL-02-09-09 by the anniversary of the
Accredited Provider’s accreditation date each year.
A C I X
A C I X
1. either:
a) has limited interaction with a User when providing the services for
which the Applicant is accredited, including where the User is
interacting with the Accredited Provider’s Identity System; or
b) has assessed and can demonstrate that there have been no
relevant changes to the Accredited Provider’s Identity System in the 12
months prior to the date of the annual assessment; and
A C I X
2. has determined, through a risk assessment, that there is a low risk
that the failure to conduct the usability testing will adversely impact
the usability of the Accredited Provider’s Identity System; and
A C I X
3. the Accredited Provider has taken reasonable steps, including
processes and procedures, to:
a) obtain and record feedback from Users about the usability of the
Accredited Provider’s Identity System; and
b) incorporate such feedback into the design of its Identity System.
A C I X
A C I X
a) Are independent from the development and operational teams of
the Accredited Provider’s Identity Facility. A C I X
b) Do not possess a conflict of interest in performing the Annual
Functional Assessment on the Accredited Provider’s Identity System A C I X
# OFFICIAL
OFFICIAL #
a) Even calendar years (i.e. 2022, 2024, 2026 etc) require that
Functional Assessments MUST be undertaken by Assessors who are
external to the Accredited Provider’s organisation.
A C I X
b) Odd calendar years (i.e. 2023, 2025, etc) MAY be undertaken by
Assessors who are external to the development and operational teams
of the Accredited Provider’s Identity System.
A C I X
A C I X
a)Documentation reviews.
A C I X
b)Interviews with key Personnel. A C I X
c)A run through of the Accredited Provider’s Identity Facility. A C I X
A C I X
a)test results where applicable;
A C I X
b) an assessment of whether the Accredited Provider’s Identity
System meets the applicable requirements of the TDIF; A C I X
c)recommendations by the Assessor; and A C I X
d) such other information required by the Accredited Provider to
enable the Accredited Provider to comply with the TDIF and prepare
the Annual Assessment Report.
A C I X
# OFFICIAL
OFFICIAL #
A C I X
b) for each recommendation, risk and non-compliance that is not
accepted by the Accredited Provider, the reasons for non-acceptance
and details of alternative actions (if any) to be taken by the Accredited
Provider.
A C I X
a)A revaluation of the risk
A C I X
b) Any agreed upon mitigation strategies implemented, or being
implemented, to manage the risk A C I X
# OFFICIAL
OFFICIAL #
A C I X
c) The Accountable Executive has signed off and confirmed the
implemented mitigation of the risk and the new residual risk rating. A C I X
# OFFICIAL
OFFICIAL #
X
a) The annual assessment of the Cyber Security Risk associated with
the services for which the Accredited Provider is accredited and the
Accredited Provider’s Identity System as per PROT-04-01-01
A C I X
b) Where exceptional circumstances prevented or affected the
Applicant’s capability to implement a TDIF requirement, the record of
decisions taken by the Applicant in relation to such non compliance
and remedial action as per PROT-04-01-03
A C I X
c) Any decisions and supporting documentation made by the
Accredited Provider to vary its protective security arrangements during
the year as per PROT-04-01-03.
A C I X
a) A copy of protective security training materials and evidence that
training was provided by the Accredited Provider to Personnel during
the year as per PROT-04-01-05a.
A C I X
e) Evidence the Accredited Provider has reviewed its System Security
Plan (and supporting System Security Plans) and where relevant
updated them during the year as per PROT-04-01-12 and PROT-04-01-
13
A C I X
f) Evidence the Accredited Provider has tested its Disaster Recovery
and Business Continuity Plan during the year as per PROT-04-02-25.
A C I X
A C I X
d) include a review and assessment of the Accredited Provider’s
compliance with privacy requirements under applicable law and the
TDIF.
A C I X
# OFFICIAL
OFFICIAL #
A C I X
d) include an evaluation of the sufficiency of the Accredited
Provider’s protective security controls A C I X
e) include a review and assessment of any decisions, together with
supporting information, taken by the Accredited Provider’s CSO under
PROT-04-01-03 to vary the Accredited Provider’s protective security
arrangements; and
A C I X
f) include a review and assessment of the entity’s compliance with
the applicable requirements section 4 (Protective Security
Requirements) of TDIF: 04 Functional Requirements.
A C I X
A C I X
A C I X
b) WCAG version 2.1 to the AA standard for mobile-based Identity
Systems. A C I X
A C I X
# OFFICIAL
OFFICIAL #
I
a)Applicable risks in IDP-03-08-03
I
b) Any Major Production Releases that impact the operation, or
result in a substantive change to the performance, of the Applicant’s
Biometric Capability
I
d) Risks related to identified attacks on the Biometric Capability that
have occurred since the last assessment I
# OFFICIAL
OFFICIAL #
I
a) The tools and annual training for Personnel performing identity
proofing processes to detect fraudulent attributes and Evidence of
Identity Documents
A C I X
b) Reassess the risk and mitigation measures in place, including any
new risks arising throughout the year in response to the Accredited
Provider’s operations
A C I X
c) Include a new date of expiry or review of the Exemption Request
that is not more than 12 months from the date of the review
A C I X
d) Have the Accredited Provider’s Accountable Executive confirm
and sign off on the items above; and A C I X
e)Submit evidence of the above to Finance. A C I X
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
FED FED-02-03-07 6.2.3 The process for the registration of OIDC clients
by the Applicant MUST ensure that only valid
and authorised clients for the Relying Party can
use the same configured sector_identifier_uri.
FED FED-02-03-14 6.2.3 The Applicant MUST ensure that the documents
and attributes used to construct an EDI reflect
the most up to date documents and attributes
bound to the current authentication context.
# OFFICIAL
OFFICIAL #
FED FED-02-03-15a 6.2.3 If the User has not verified any of the
documents in Table 1 (as updated by DTA from
time to time), the Applicant MUST construct an
EDI by concatenating the IP Link for the User
and a suitable globally-unique identifier for the
Applicant (e.g. OIDC Issuer URI).
FED FED-02-03-15b 6.2.3 The string resulting from either TDIF Req FED-
02-03-15 or TDIF Req FED-02-03-15a MUST then
be encoded using UTF-8, before being hashed
using the SHA-256 algorithm.
# OFFICIAL
OFFICIAL #
FED FED-03-01-02 6.3.1 The Applicant MUST use the Pairwise Identifiers
generated by an Identity Exchange for it as a
Relying Party to associate the attributes that it
provides with the Digital Identity brokered by an
Identity Exchange.
FED FED-03-01-03 6.3.1 The Applicant MUST provide an API that enables
the attributes it provides to be shared with
Relying Parties.
FED FED-03-01-04 6.3.1 The Applicant MUST authorise an accredited
Identity Exchange to securely access the API it
provides.
FED FED-03-01-05 6.3.1 The Applicant MAY implement the API as a REST
API.
# OFFICIAL
OFFICIAL #
FED FED-03-01-06 6.3.1 Where the Applicant provides a REST API, the
Applicant MAY authorise access in accordance
with the JSON Web Token Profile for OAuth 2.0
Client Authentication and Authorization Grants
[RFC 7523].
FED FED-03-02-01 6.3.2 The Applicant’s Audit Log MUST include any
User Consent managed by the Applicant that
enables the sharing of attributes with a Relying
Party.
FED FED-03-02-02 6.3.2 The Applicant’s Audit Log MUST include the
value of the RP Audit Id Attribute received from
an Identity Exchange for the following events:
• The retrieval of Attributes by an Identity
Exchange.
• The binding of any Attributes to a Digital
Identity brokered by an Identity Exchange.
FED FED-04-01-05 6.4.1 The Applicant MUST NOT send the unique audit
id that has been generated by the Identity
Exchange for the Relying Party that requested
the Attributes to an Identity Service Provider.
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
FED FED-04-02-03 6.4.2 Scopes and claims that are received from the
Relying Party MUST be included by the
Applicant in the Authentication Request to the
Identity Service Provider in accordance with the
following processing rules:
# OFFICIAL
OFFICIAL #
FED FED-04-02-10 6.4.2 The Applicant MUST evaluate the ACR returned
from the Identity Service Provider and if the
ACR meets or exceeds the originally requested
value(s), return one of the originally requested
values
# OFFICIAL
OFFICIAL #
FED FED-04-02-16 6.4.2 Scopes and claims that are received from the
Relying Party MUST be included by the
Applicant in the Authentication Request to the
Identity Service Provider in accordance with the
following processing rules:
FED FED-04-02-16d 6.4.2 Scopes and claims not in the TDIF: 06D –
Attribute Profile MUST be ignored. Where
scopes or claims are ignored, the Identity
Exchange MUST NOT raise an error.
# OFFICIAL
OFFICIAL #
FED FED-04-02-22 6.4.2 This specification does not require support for
this mechanism by an Identity Exchange, but
where it is supported the following processing
rules MUST apply:
a. Where the Identity Exchange receives an
id_token_hint within an Authentication Request
from a Relying Party the Identity Exchange is
required to validate the token and extract the
subject. The Identity Exchange must resolve this
to an IP Link at the Identity Service Provider as
per 4.2.2.2.
b. The Identity Exchange should include the
resolved subject identifier in the authentication
request to the Identity Service Provider by
including it in a <saml:Subject> element in the
SAML 2.0 <AuthnRequest> message.
# OFFICIAL
OFFICIAL #
FED FED-04-02-28 6.4.2 The Relying Party MAY include a SAML Subject
in the Authentication Request.
FED FED-04-02-28a 6.4.2 As the subject identifier is the Pairwise Identifier
for the User at the Relying Party, the Identity
Exchange MUST resolve this Pairwise Identifier
in any Authentication Request to an existing
Pairwise Identifier for the User at the required
Identity Service Provider. If no Pairwise
Identifier for the User at the Identity Service
Provider can be resolved then the Identity
Exchange should return an error.
# OFFICIAL
OFFICIAL #
FED FED-04-02-34b 6.4.2 Where the Attributes can be mapped fully into
an available scope an Identity Exchange MAY
request those scopes from an Identity Service
Provider.
FED FED-04-02-34c 6.4.2 Where the Attributes do not map fully into a
scope the Identity Exchange MUST request
those Attributes as claims from the Identity
Service Provider.
# OFFICIAL
OFFICIAL #
FED FED-04-02-36 6.4.2 The Applicant MAY use the acr claim or the
acr_values parameter.
FED FED-04-02-37 6.4.2 The Comparison attribute for the
<RequestedAuthnContext> MUST be set to
exact or minimum.
FED FED-04-02-38 6.4.2 Where the ForceAuthn attribute is included in
the Authentication Request from the Relying
Party, the Applicant MUST set the prompt
parameter to login in the OIDC Authentication
Request to the Identity Service Provider.
FED FED-04-02-40 6.4.2 The Applicant MUST resolve the value of the
subject to a subject identifier at the Identity
Service Provider as per 4.2.2.2.
FED FED-04-02-40a 6.4.2 The Applicant MAY include the resolved subject
identifier in the Authentication Request to the
Identity Service Provider using the sub (subject)
claim.
# OFFICIAL
OFFICIAL #
FED FED-05-02-01 6.5.2 The Applicant MAY define support for additional
computed Attributes derived from the
Attributes in an Attribute Set. Finance will add
any computed attributes to the TDIF: 06D -
Attribute Profile.
# OFFICIAL
OFFICIAL #
OIDC OIDC-02-01-02 6B.2.1 These clients MUST use the authorisation code
flow of OAuth 2.0 by sending the resource
owner to the authorisation endpoint to obtain
authorisation.
OIDC OIDC-02-01-03 6B.2.1 The Applicant MUST ensure that the user
authenticates to the authorisation endpoint.
The user’s web browser is then redirected back
to a URI hosted by the client service, from which
the client can obtain an authorisation code
passed as a query parameter. The client then
presents that authorisation code along with its
own credentials (private_key_jwt) to the
authorisation server’s token endpoint to obtain
an access token.
OIDC OIDC-02-01-04 6B.2.1 The Applicant MUST associate these clients with
a unique public key as described in section 2.4
of this document.
OIDC OIDC-02-01-05 6B.2.1 The Applicant MAY issue a refresh token to this
type of client if they are satisfied that there are
no security issues precluding them from doing
so.
OIDC OIDC-02-01-06 6B.2.1 These clients MUST use the authorization code
flow of OAuth 2.0 by sending the resource
owner to the authorisation endpoint to obtain
authorisation.
# OFFICIAL
OFFICIAL #
OIDC OIDC-02-01-15 6B.2.1 The Applicant MAY issue a refresh token to this
type of client if they are satisfied that there are
no security issues precluding them from doing
so.
OIDC OIDC-02-02-01 6B.2.2 All clients MUST register with the authorisation
server. For client software that may be installed
on multiple client instances, each client instance
MUST receive a unique client identifier from the
authorisation server.
OIDC OIDC-02-03-01 6B.2.3 Clients using the authorisation code grant type
MUST register their full redirect URIs.
OIDC OIDC-02-03-02 6B.2.3 The authorisation server MUST validate the
redirect URI given by the client at the
authorisation endpoint using strict string
comparison.
# OFFICIAL
OFFICIAL #
OIDC OIDC-02-03-03 6B.2.3 The Applicant MUST ensure that the redirect
URI used by a client is one of the following:
• Hosted on a website with TLS protection
(HTTPS).
• Hosted on a local domain of the client (e.g.
http://localhost/).
• Hosted on a client specific non-remote
protocol URI scheme (e.g. myapp:// or
au.gov.app://).
OIDC OIDC-02-03-05 6B.2.3 Clients MUST NOT have URIs in more than one
category and should not have multiple redirect
URIs on different domains.
OIDC OIDC-02-03-06 6B.2.3 Clients MUST NOT forward values passed back
to their redirect URIs to other arbitrary or user-
provided URIs (i.e. no open redirects).
OIDC OIDC-02-03-07 6B.2.3 The Applicant MAY allow these schemes to
continue to be used for existing applications.
OIDC OIDC-02-03-08 6B.2.3 Where the native platform supports the newer
App-Claimed HTTPS URL redirection capability
(Android, and iOS 9 or greater) this method
MAY be used. This method allows the
registration of a HTTPS URL e.g.
https://app.gov.au/auth. When that URL is
accessed the platform will open the application
(if not already open) and the required actions
can be performed.
OIDC OIDC-02-04-01 6B.2.4 Clients using the authorisation code grant type
MUST have a public and private key pair type
for use in authentication to the token endpoint.
OIDC OIDC-02-04-02 6B.2.4 The client MUST register their public keys in
their client registration metadata by either
sending the public key directly in the jwks field
or by registering a jwks_uri that MUST be
reachable by the authorisation server. It is
recommended that clients use a jwks_uri as it
allows for easier key rotation.
OIDC OIDC-02-04-03 6B.2.4 The jwks field or the content available from the
jwks_uri of a client MUST contain a public key in
JSON Web Key Set (JWK Set) format.
# OFFICIAL
OFFICIAL #
OIDC OIDC-02-04-05 6B.2.4 Native Client applications MAY omit their key
during registration if they are a public client
using PKCE.
OIDC OIDC-02-05-01 6B.2.5 The grant type of authorization_code MUST be
supported. Authentication using the
Authorisation Code flow is described in section
3.1 of [OpenIDCore].
OIDC OIDC-02-06-02 6B.2.6 Clients MUST validate the value of the state
parameter upon return to the redirect URI and
MUST ensure that the state value is securely
tied to the user’s current session e.g. by relating
the state value to a session identifier issued by
the client software to the browser.
OIDC OIDC-02-06-03 6B.2.6 Clients MUST include their full redirect URIs in
the authorisation request.
OIDC OIDC-02-06-04 6B.2.6 To prevent open redirection and other injection
attacks, the Applicant MUST match the entire
redirect URI using a direct string comparison
against registered values and MUST reject
requests with invalid or missing redirect URIs.
OIDC OIDC-02-06-07 6B.2.6 For clients that are required to use PKCE as
described in section 2.1.2 and section 2.3, the
following claims MUST be included in the
request to the token endpoint.
• code_verifier.
o Code verifier generated by client to use
PKCE with the S256 code challenge mechanism.
# OFFICIAL
OFFICIAL #
OIDC OIDC-02-06-11 6B.2.6 The client MAY send a UserInfo Request using
either a HTTP GET or HTTP POST.
OIDC OIDC-02-06-12 6B.2.6 The Applicant MUST send the access token
obtained from an OpenID Connect
Authentication Request as a bearer token as per
section 2 of OAuth Bearer Token Usage [RFC
6750].
# OFFICIAL
OFFICIAL #
OIDC OIDC-02-07-03 6B.2.7 The JWT must expire and MAY have a lifetime
no longer than five minutes. Short expiration
times are recommended wherever practicable.
The following guidance is provided in [RFC
7523] regarding expiration times: the JWT MUST
contain an "exp" (expiration time) claim that
limits the time window during which the JWT
can be used.
OIDC OIDC-02-07-04 6B.2.7 The authorization server MUST reject any JWT
OIDC OIDC-02-07-05 6B.2.7 with an expiration
The JWT time the
MUST contain thatfollowing
has passed, subject
REQUIRED
to allowable clock skew between systems.
claims and MAY contain the following Note
that the authorization server may reject
OPTIONAL Claim values: [Refer to list of JWTs
parameters]
# OFFICIAL
OFFICIAL #
OIDC OIDC-02-07-23 6B.2.7 Identity Exchanges MUST support the use of the
UserInfo endpoint for claims and scopes which
are stated as described in the TDIF: 06 -
Federation Onboarding Requirements.
# OFFICIAL
OFFICIAL #
OIDC OIDC-02-07-24 6B.2.7 The UserInfo endpoint MUST only return claims
that are authorised within the authentication
request that issued the access token that is
being used to access the endpoint.
OIDC OIDC-02-07-25 6B.2.7 For privacy reasons, the Exchange MAY elect to
not return values for some of the requested
claims; it shouldn’t present with a null or empty
string value.
OIDC OIDC-02-07-26 6B.2.7 The sub claim MUST always be returned in the
UserInfo Response.
OIDC OIDC-02-07-27 6B.2.7 The Identity Exchange operating as an OP MUST
accept requests containing a request object
signed by the client’s private key.
OIDC OIDC-02-07-28 6B.2.7 The Identity Exchange MUST validate the
signature on such requests against the Clients
public key.
OIDC OIDC-02-07-29 6B.2.7 The Identity Exchange MUST accept request
objects encrypted with the Identity Exchanges
Public key.
OIDC OIDC-02-07-30 6B.2.7 The Identity Exchange MUST provide an
Authentication Context Class Reference (ACR),
See section 2.8.3 below on valid ACR Claims.
OIDC OIDC-02-07-31 6B.2.7 The Identity Exchange MUST return the ACR
value used for the authentication even if the acr
claim was not marked essential or the
acr_values parameter was used.
OIDC OIDC-02-08-06 6B.2.8 Where the ACR is requested using the acr claim,
this acr claim MAY be marked as essential claim
[see example for further details]
# OFFICIAL
OFFICIAL #
OIDC OIDC-02-08-07 6B.2.8 When the acr values are marked as an essential
claim, the Identity Provider MUST return a value
that matches the requested values.
OIDC OIDC-02-08-09 6B.2.8 When the acr claim is not marked as essential,
i.e. they are a voluntary claim, the Applicant
MAY return the level of assurance that the End-
User was able to achieve.
OIDC OIDC-03-01-02 6B.3.1 These clients MUST use the authorisation code
flow of OAuth 2.0 by sending the resource
owner to the authorisation endpoint to obtain
authorisation.
# OFFICIAL
OFFICIAL #
OIDC OIDC-03-03-03 6B.3.3 The Applicant MUST NOT have multiple redirect
URIs on different domains.
OIDC OIDC-03-03-04 6B.3.3 The Applicant MUST NOT forward values passed
back to their redirect URIs to other arbitrary or
user-provided URIs (i.e. no open redirectors).
OIDC OIDC-03-04-03 6B.3.4 The jwks field or the content available from the
jwks_uri of a client MUST contain a public key in
JSON Web Key Set (JWK Set) format.
OIDC OIDC-03-04-04 6B.3.4 The authorisation server MUST validate the
content of the clients registered jwks_uri
document and verify that it contains a JWK Set.
OIDC OIDC-03-06-01 6B.3.6 The Exchange MUST log all the related
interactions with Identity Providers using the
unique audit id it has generated for an
authentication request from a Relying Party as
per the TDIF: 06 - Federation Onboarding
Requirements.
# OFFICIAL
OFFICIAL #
OIDC OIDC-03-06-04 6B.3.6 Clients MUST validate the value of the state
parameter upon return to the redirect URI and
MUST ensure that the state value is securely
tied to the user’s current session e.g. by relating
the state value to a session identifier issued by
the client software to the browser.
OIDC OIDC-03-06-05 6B.3.6 Clients MUST include their full redirect URIs in
the authorisation request. To prevent open
redirection and other injection attacks, the
authorisation server MUST match the entire
redirect URI using a direct string comparison
against registered values and MUST reject
requests with invalid or missing redirect URIs.
# OFFICIAL
OFFICIAL #
OIDC OIDC-03-07-01 6B.3.7 The Identity Provider MUST always log all
authentication requests and responses,
including the values of client_id and the state
parameters associated with the request.
OIDC OIDC-03-07-04 6B.3.7 The JWT must expire and MAY have a lifetime
no longer than five minutes. Short expiration
times are recommended wherever practicable.
The following guidance is provided in [RFC
7523] regarding expiration times: the JWT MUST
contain an "exp" (expiration time) claim that
limits the time window during which the JWT
can be used. The authorization server MUST
reject any JWT with an expiration time that has
passed, subject to allowable clock skew
between systems. Note that the authorization
server may reject JWTs with an "exp" claim
value that is unreasonably far in the future.
OIDC OIDC-03-07-05 6B.3.7 The JWT MUST contain the following REQUIRED
claims and MAY contain the following
OPTIONAL Claim values: [Refer to list of
parameters]
# OFFICIAL
OFFICIAL #
OIDC OIDC-03-07-12 6B.3.7 All tokens MUST be signed by the issuer IdP’s
private key.
OIDC OIDC-03-07-13 6B.3.7 ID Tokens MAY be encrypted using the
appropriate key of the requesting client.
OIDC OIDC-03-07-14 6B.3.7 The ID Token MUST expire and MAY have a
lifetime no longer than five minutes. Short
expiration times are recommended as the ID
token is consumed by the client and not
presented to remote systems.
# OFFICIAL
OFFICIAL #
OIDC OIDC-03-07-19 6B.3.7 For privacy reasons, the Identity Provider MAY
elect to not return values for some of the
requested claims; it should not present with a
null or empty string value.
OIDC OIDC-03-07-20 6B.3.7 The sub claim MUST always be returned in the
UserInfo Response.
OIDC OIDC-03-07-21 6B.3.7 The Identity Provider MUST accept requests
containing a request object signed by the
Identity Exchange’s private key.
OIDC OIDC-03-07-22 6B.3.7 The Identity Provider MUST validate the
signature on such requests against the Identity
Exchange’s public key
OIDC OIDC-03-07-23 6B.3.7 The Identity Provider MUST accept request
objects encrypted with the Identity Providers
Public key.
OIDC OIDC-03-07-24 6B.3.7 The Identity Provider MUST return the ACR
value used for the authentication even if the acr
claim was not marked as essential or the
acr_values parameter was used.
OIDC OIDC-03-08-07 6B.3.8 When the ACR values are marked as an essential
claim, the Identity Provider MUST return a value
that matches the requested values.
# OFFICIAL
OFFICIAL #
OIDC OIDC-03-08-09 6B.3.8 When the acr claim is not marked as essential,
i.e. they are a voluntary claim, the Identity
Provider MAY return the level of assurance that
the End-User was able to achieve.
OIDC OIDC-04-01-02 6B.4.1 The Applicant MUST support all the scopes and
claims defined in section 4.1.2 of the [TDIF.Attr].
OIDC OIDC-04-01-03 6B.4.1 The Applicant MUST support all the scopes and
claims defined in section 4.1.3 of the [TDIF.Attr].
# OFFICIAL
OFFICIAL #
SAML SAML-02-03-02 6C.2.3 HTTP/1.1 redirects (status codes 301, 302, and
307) MUST be honoured by the Applicant.
SAML SAML-02-03-07 6C.2.3 Public keys used for signature verification of the
metadata MUST be configured out of band by
the Applicant.
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
SAML SAML-05-01-02 6C.5.1 The Sender and the Recipient of the request
MAY agree to the semantics of data sent this
way.
SAML SAML-05-01-03 6C.5.1 When making or responding to a request using
the SAML 2.0 Federation Protocol the Applicant
MUST use the mapping of the attributes to the
protocols specified in section 4.2.2 of the TDIF:
06D – Attribute Profile.
# OFFICIAL
OFFICIAL #
A I X
A C I X
# OFFICIAL
OFFICIAL #
A C I X
A C I X
A C I X
A C I X
# OFFICIAL
OFFICIAL #
A C I X
A C I X
A C I X
A C I X
A C I X
A C I X
A C I X
# OFFICIAL
OFFICIAL #
A C I X
A C I X
I X
I X
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
C I X
# OFFICIAL
OFFICIAL #
C I X
C I X
C I X
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
I X
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
A I X
A I X
A C I X
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
X
X
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
A X
I X
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
X
X
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
I X
A I X
I X
I X
A C I X
A I X
# OFFICIAL
OFFICIAL #
A I X
A I X
A I X
A I X
A I X
A I X
A I X
A I X
A I X
# OFFICIAL
OFFICIAL #
A I X
A I X
A I X
A I X
A I X
A I X
A I X
# OFFICIAL
OFFICIAL #
A I X
A I X
A I X
A I X
A I X
A I X
A I X
A I X
I X
# OFFICIAL
OFFICIAL #
A X
A I X
A I X
A I X
A I X
A I X
# OFFICIAL
OFFICIAL #
I X
A X
A X
A X
A X
A X
A X
# OFFICIAL
OFFICIAL #
A X
A X
A X
A X
A X
A X
A X
A X
A X
# OFFICIAL
OFFICIAL #
A X
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
I X
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
A I X
A I X
I X
A I X
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
Archived
Archived
No
Archived
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
Archived
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
Archived
Archived
# OFFICIAL
OFFICIAL #
No
Archived
Archived
Archived
Archived
Archived
Archived
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
Archived
Archived
No
Archived
No
No
No
# OFFICIAL
OFFICIAL #
No
Archived
Archived
No
No
No
No
No
Archived
Archived
Archived
Archived
Archived
Archived
# OFFICIAL
OFFICIAL #
Archived
Archived
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
Archived
Archived
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
IP1
IP 1 TABLE-01-01 Identifier chosen by the Individual MUST be unique
IP 1 TABLE-01-02 Approved technical Credential bindings: CL1/CL2/CL3
IP1 Plus
IP1 Plus TABLE-01-03 Identifier chosen by the Individual MUST be unique
A check MUST undertaken by the IdP to establish that the Individual is the
IP1 Plus TABLE-01-04 sole claimant of the Identity
A check MAY undertaken by the IdP that the identity is not that of a
IP1 Plus TABLE-01-05 deceased person
IP1 Plus TABLE-01-07 [Footnote: Such as law enforcement or other government agencies]
All Names and Date of Birth Attributes MUST be verified with Source
Verification or Technical Verification
[This requires all names and the date of birth of the Individual to be
verified as part of the Identity Proofing process. It does not require every
IP1 Plus TABLE-01-08 identity document to include these attributes. ]
Verification of a Photo ID MUST be undertaken?
IP1 Plus TABLE-01-09 Yes or UiTC as per TABLE-01-10
Verification of a UiTC document MUST be undertaken that can confirm
name and date of birth required?
IP1 Plus TABLE-01-10 Yes or Photo ID as per TABLE-01-09
IP1 Plus TABLE-01-11 Approved technical Credential bindings: CL1/CL2/CL3
IP2
IP2 TABLE-01-12 Identifier chosen by the Individual MUST be unique
A check MUST undertaken by the IdP to establish that the Individual is the
IP2 TABLE-01-13 sole claimant of the Identity
A check MAY undertaken by the IdP that the identity is not that of a
IP2 TABLE-01-14 deceased person
# OFFICIAL
OFFICIAL #
All Names and Date of Birth Attributes MUST be verified with Source
Verification or Technical Verification
[This requires all names and the date of birth of the Individual to be
verified as part of the Identity Proofing process. It does not require every
IP2 TABLE-01-19 identity document to include these attributes. ]
[Footnote: Australian Passports MAY be used for CoI and Photo ID for up
IP2 TABLE-01-20 to IP3 proofing but MUST NOT be accepted as CoI for IP4 proofing]
Verification of a Photo ID MUST be undertaken?
IP2 TABLE-01-21 Yes or CoI as per TABLE-01-20
# OFFICIAL
OFFICIAL #
IP2 Plus TABLE-01-30 [Footnote: Such as law enforcement or other government agencies]
All Names and Date of Birth Attributes MUST be verified with Source
Verification or Technical Verification
[This requires all names and the date of birth of the Individual to be
verified as part of the Identity Proofing process. It does not require every
IP2 Plus TABLE-01-33 identity document to include these attributes. ]
[Footnote: Australian Passports MAY be used for CoI and Photo ID for up
IP2 Plus TABLE-01-34 to IP3 proofing but MUST NOT be accepted as CoI for IP4 proofing]
Verification of a Photo ID MUST be undertaken?
IP2 Plus TABLE-01-35 Yes or CoI as per TABLE-01-34
# OFFICIAL
OFFICIAL #
A check MUST undertaken by the IdP that the identity is not that of a
IP3 TABLE-01-41 deceased person
Confirmation of the link between the individual and the claimed identity
by completing Biometric Binding in accordance with Section 3.8
IP3 TABLE-01-42 Requirements for Biometric Binding
If completing Manual Face Comparison (as per section 3.8.6), then the
IP4 TABLE-01-42a original, physical PhotoID is to be provided in-person
All Names and Date of Birth Attributes MUST be verified with Source
Verification or Technical Verification
[This requires all names and the date of birth of the Individual to be
verified as part of the Identity Proofing process. It does not require every
IP3 TABLE-01-47 identity document to include these attributes. ]
[Footnote: Australian Passports MAY be used for CoI and Photo ID for up
IP3 TABLE-01-48 to IP3 proofing but MUST NOT be accepted as CoI for IP4 proofing]
Verification of a Photo ID MUST be undertaken
IP3 TABLE-01-49
# OFFICIAL
OFFICIAL #
All Names and Date of Birth Attributes MUST be verified with Source
Verification or Technical Verification
[This requires all names and the date of birth of the Individual to be
verified as part of the Identity Proofing process. It does not require every
IP4 TABLE-01-63 identity document to include these attributes. ]
Verification of a CoI document MUST be undertaken
IP4 TABLE-01-64 Australian Passports MUST NOT be accepted as CoI for IP4 proofing
# OFFICIAL
OFFICIAL #
The Applicant MUST have one of the following permitted Credential Type
Combinations to satisfy the credential level:
ONE OF:
• Memorised Secret
• Look-up Secret
• Out-of-Band Device
• SF OTP Device
• SF Crypto Software
• SF Crypto Device
• MF OTP Device
• MF Crypto Software
• MF Crypto Device
The Applicant MUST have one of the following permitted Credential Type
Combinations to satisfy the credential level:
ONE OF:
• MF OTP Device
• MF Crypto Software
• MF Crypto Device;
OR
Memorised Secret AND ONE OF:
• Look-up Secret
• Out-of-Band Device
• SF OTP Device
• SF Crypto Software
• SF Crypto Device
# OFFICIAL
OFFICIAL #
The Applicant MUST have one of the following permitted Credential Type
Combinations to satisfy the credential level:
• MF Crypto Device
OR
• SF Crypto Devices AND Memorised Secret
OR
• SF OTP Device AND MF Crypto Software
OR
• SF OTP Device AND MF Crypto Device
OR
• SF OTP Device AND SF Crypto Software AND Memorised Secret
# OFFICIAL
OFFICIAL #
Uniqueness Objective I
CSP Bindings I
Uniqueness Objective I
Uniqueness Objective I
Legitimacy Objective I
Other Requirements I
Documents required for
Verification I
Uniqueness Objective I
Uniqueness Objective I
Legitimacy Objective I
# OFFICIAL
OFFICIAL #
Other Requirements I
Other Requirements I
Other Requirements I
Uniqueness Objective I
Uniqueness Objective I
Legitimacy Objective I
Binding Objective
Binding Objective I
# OFFICIAL
OFFICIAL #
Other Requirements I
Other Requirements I
Other Requirements I
Uniqueness Objective I
Uniqueness Objective I
# OFFICIAL
OFFICIAL #
Legitimacy Objective I
Binding Objective I
Binding Objective I
Other Requirements I
Other Requirements I
Other Requirements I
# OFFICIAL
OFFICIAL #
CSP Bindings I
Uniqueness Objective I
Uniqueness Objective I
Legitimacy Objective I
Binding Objective I
Binding Objective I
Binding Objective I
Other Requirements I
Other Requirements I
Other Requirements I
# OFFICIAL
OFFICIAL #
Credential Type
Combinations C
Re-authentication C
Security Requirements C
Security Requirements C
Credential Type
Combinations C
Re-authentication C
Re-authentication C
# OFFICIAL
OFFICIAL #
Security Requirements C
Security Requirements C
Security Requirements C
Security Requirements C
Credential Type
Combinations C
Re-authentication C
Re-authentication C
Security Requirements C
Security Requirements C
Security Requirements C
Security Requirements C
Security Requirements C
Security Requirements C
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL
OFFICIAL #
No
No
No
No
No
No
No
No
No
No
No
No
No
# OFFICIAL