Authentication best practices
Authentication of identity is the process of proving or ensuring that the individual is who they purport to be.
Protecting privacy often requires verifying or “authenticating” the identity of the individual giving consent regarding transactions related to their personal information.
Although verification of an individual by phone, through e-mail, or via the Internet can lower the level of assurance that it is the correct person, assurance is increased if the department has processes formally in place to authenticate the individual’s identity.
Authentication typically relies on one or more of the following:
- Something the individual would know
Examples: password, security question, PIN, mother’s maiden name
- Something the individual has
Examples: smart card, key, hardware token
- Something you are
Examples: photo id, fingerprints, voice patterns, iris scans
Key considerations on authentication
- The level of authentication should be appropriate to the nature of the use or disclosure and sensitivity of the personal information
The degree of authentication must be appropriate to the nature of the use or disclosure and the sensitivity of the personal information involved.
In circumstances requiring a higher level of authentication, there may be a need to use multi- factor authentication such as two or more kinds of authentication to confirm identity.
- Avoid use of a common identifier
Deter against using common identifiers used by different public bodies and programs in the authentication process.
The use of a common identifier increases the risk of data matching and improper linking information.
- A FOIP Notification Statement is not required when information is already with the public body.
Authentication processes regarding personal information already collected by the public body do not require a FOIP notification statement under 34(2) of the Act because the information has already been collected.
In this case, the public body is not collecting new information, but is using the information given by the individual to verify previous transactions.
Authentication is still important to verify that the individual is who they purport to be.
- Authentication and the exercise of the right of consent by other persons
When a public body receives consent from a person exercising the right of consent of another person under section 84 of the FOIP Act, the public body must authenticate the identity of the person exercising the right.
Further information regarding consent and authentication can be found through the Government of Alberta – Service Alberta.