The Trusted Digital Identity Framework

The Trusted Digital Identity Framework comprises 13 policies.

This federation is made up of agencies and systems working together to deliver a safe and secure digital identity ecosystem.

The Australian Government established the Financial Systems Inquiry (FSI) in 2013 to examine how well the financial system was positioned to meet Australia's evolving needs and support economic growth.


Background

In 2014, the FSI recommended developing 'a national strategy for a federated-style model of trusted digital identities' (Recommendation 15). It concluded that a federated digital identity model would best meet the cost, innovation, efficiency and flexibility requirements of the broader Australian digital economy.

In accepting FSI recommendations, the Australian Government agreed that a national approach to digital identity would streamline people’s interactions with government and provide efficiency improvements.

The Australian Government also agreed to work with the state and territory jurisdictions and with the private sector to develop a TDIF. The TDIF responds directly to the FSI and provides the rules and accreditation criteria that providers of digital identity services are accredited against.

Strict standards are applied by the TDIF to the way the federated identity system works, by:

  • Defining requirements for the proper operation of the federated identity system. 
  • Defining the roles and operating responsibilities of the participants. 
  • Providing assurance regarding usability, privacy, security and interoperability of its processes and data.

Identity Proofing levels

  • Level 1 is used when no identity verification is needed or when a very low level of confidence in the claimed Identity is needed. This level supports self-asserted identity (I am who I say I am) or pseudonymous Identity. The intended use of Identity Proofing Level 1 is for services where the risks of not undertaking identity verification will have a negligible consequence to the Individual or the service. For example, to pay a parking infringement or obtain a fishing licence.
  • Level 1 Plus is used when a low level of confidence in the claimed identity is needed. This requires one identity document to verify someone’s claim to an existing identity. The intended use of Identity Proofing Level 1 Plus is for services where the risks of getting identity verification wrong will have minor consequences to the Individual or the service. For example, the provision of loyalty cards.
  • Level 2 is used when a low-medium level of confidence in the claimed identity is needed. This requires two or more Identity Documents to verify someone’s claim to an existing identity. The intended use of Identity Proofing Level 2 is for services where the risks of getting identity verification wrong will have moderate consequences to the Individual or the service. For example, the provision of utility services. An Identity Proofing Level 2 identity check is sometimes referred to as a '100-point check'.
  • Level 2 Plus is used when a medium level of confidence in the claimed identity is needed. This requires two or more Identity Documents to verify someone’s claim to an existing identity and requires the Binding Objective to be met. The intended use of Identity Proofing Level 2 Plus is for services where the risks of getting identity verification wrong will have moderate-high consequences to the Individual or the service. For example, undertaking large financial transactions.
  • Level 3 is used when a high level of confidence in the claimed identity is needed. This requires three or more Identity Documents to verify someone’s claim to an existing identity and requires the Binding Objective to be met. The intended use of Identity Proofing Level 3 is for services where the risks of getting identity verification wrong will have high consequences to the Individual or the service. For example, access to welfare and related government services.
  • Level 4 is used when a very high level of confidence in the claimed identity is needed. This requires four or more Identity Documents to verify someone’s claim to an existing identity and the individual claiming the identity must attend an in-person interview as well as meet the requirements of Identity Proofing Level 3. The intended use of Identity Proofing Level 4 is for services where the risks of getting identity verification wrong will have a very high consequence to the Individual or the service. For example, the issuance of government-issued documents such as an Australian passport.

Development and collaboration

The TDIF has been in development since early 2015. During this time, we have spoken with thousands of people across the country and around the world.

We have collaborated with counterparts in the United States, United Kingdom, Canada and New Zealand. We’ve exchanged ideas with Mexico, Japan, Israel, South Korea, Singapore and several European countries.

During development, we released numerous policy drafts for consultation. From face-to-face meetings, emails, video calls and online contributions we received more than 5,500 comments on these drafts.

This feedback has come from the financial sector, privacy advocates, digital identity experts, industry groups, Australian government agencies, state and territory jurisdictions, standards bodies, vendors and members of the public. These documents summarise the feedback received:

Release four of the TDIF comprises 13 policies. The next scheduled review of the TDIF will occur by July 2022. Any changes made to the document suite before this date will be recorded in a TDIF change management document and published on the DTA website.

The TDIF has replaced the following policies as they no longer apply:


TDIF accreditation

Government agencies and organisations applying for TDIF accreditation undergo a series of rigorous evaluations across all aspects of their operations. Participants are required to demonstrate their service meets strict requirements for usability, accessibility, privacy protection, security, risk management, fraud control and more.

This includes the need for an independent privacy impact assessment, privacy assessment, alignment with the Australian Government Protective Security Policy Framework, the Information Security Manual, the Australian Privacy Principles and the Privacy Code. The requirements defined in the framework build on the baseline of the Australian Cyber Security Centre’s Essential 8 cyber security mitigations.

Once accredited, participants need to continually demonstrate they meet their TDIF obligations by undergoing annual assessments.

The TDIF supports 4 accreditation roles:

  1. Attribute Service Providers (ASP) are accredited to undertake the functions of attribute management which are specific to entitlements, qualifications, relationships or other characteristics of people and non-person entities.
  2. Credential Service Providers (CSP) are accredited to undertake the functions of authentication credential management: binding and distributing credentials to individuals, or binding and managing credentials generated by individuals. This function may also be undertaken by an IdP.
  3. Identity Exchanges (IdX) are accredited to convey, manage and co-ordinate the flow of attributes, claims and assertions between members of an identity federation.
  4. Identity Service Providers (IdP) are accredited to undertake the functions of identity management: creating, maintaining and managing identity information of individuals.

Participants can apply to be accredited in one or more of these roles.


TDIF accredited providers

The TDIF Accreditation Authority has granted accreditation to the following services:

| Provider (and service name) | Service type | IP/CL Level | Accreditation date |
|---|---|---|---|
| Department of Human Services (Exchange) | IdX | | 13 May 2019 |
| Australia Post (Digital iD) | IdP and CSP (mobile app) | IP 2, CL 2 | 17 May 2019 |
| Australian Taxation Office (myGovID) | IdP and CSP (mobile app) | IP 2, CL 2 | 30 May 2019 |
| Australian Taxation Office (Relationship Authorisation Manager) | ASP | | 20 June 2019 |

Get in touch

If you have any questions you can get in touch with us at identity@dta.gov.au