The Trusted Digital Identity Framework
The Trusted Digital Identity Framework is currently made up of 19 policies. Additional policies will be added as required and as we learn more about user needs.
This federation is made up of agencies and systems working together to deliver a safe and secure digital identity ecosystem.
The Australian Government established the Financial Systems Inquiry (FSI) in 2013 to examine how well the financial system is positioned to meet Australia's evolving needs and support economic growth.
In 2014, the FSI recommended developing “a national strategy for a federated-style model of trusted digital identities” (Recommendation 15). It concluded that a federated digital identity model would best meet the cost, innovation, efficiency and flexibility requirements of the broader Australian digital economy.
In accepting FSI recommendations, the Australian Government agreed that a national approach to digital identity would streamline people’s interactions with government and provide efficiency improvements.
The Australian Government also agreed to work with the state and territory jurisdictions and with the private sector to develop a TDIF. The TDIF responds directly to the FSI and provides the rules and accreditation criteria that providers of digital identity services are accredited against.
Strict standards are applied by the TDIF to the way the federated identity system works, by:
- Defining requirements for the proper operation of the federated identity system.
- Defining the roles and operating responsibilities of the participants.
- Providing assurance regarding usability, privacy, security and interoperability of its processes and data.
The TDIF has 4 levels of identity proofing:
- Level 1 is used when a low level of confidence in the claimed identity is required. Level 1 supports self-asserted identity (I am who I say I am) – used, for example, when you need to pay a parking ticket or get a fishing licence.
- Level 2 is used when a medium level of confidence in the claimed identity is needed. This requires 2 or more documents to verify someone’s claim to an existing identity. A level 2 identity check is sometimes referred to as a “100-point check”.
- Level 3 is used when a high level of confidence in the claimed identity is required. This requires 3 or more documents to verify someone’s claim to an existing identity. At level 3 the claimed identity also needs to be biometrically bound to the person claiming it by comparing them with photo ID. For example, comparing a selfie of them with an Australian Passport or driver licence.
- Level 4 is used when a very high level of confidence in the claimed identity is required. At level 4 the person claiming the identity needs to attend an in-person interview as well as meet all requirements of Level 3.
Development and collaboration
The TDIF has been in development since early 2015. During this time, we have spoken with thousands of people across the country and around the world.
We have collaborated with counterparts in the United States, United Kingdom, Canada and New Zealand. We’ve exchanged ideas with Mexico, Japan, Israel, South Korea, Singapore and several European countries.
During development, we released numerous policy drafts for consultation. From face-to-face meetings, emails, video calls and online contributions we received more than 2,500 comments on these drafts.
This feedback has come from the financial sector, privacy advocates, digital identity experts, industry groups, Australian government agencies, state and territory jurisdictions, standards bodies, vendors and members of the public.
The TDIF is currently made up of 19 policies. We will continue to iterate the TDIF, add additional policies as required and as we learn more about user needs.
Government agencies and organisations applying for TDIF accreditation undergo a series of rigorous evaluations across all aspects of their operations. Participants are required to demonstrate their service meets strict requirements for usability, accessibility, privacy protection, security, risk management, fraud control and more.
This includes the need for an independent privacy impact assessment and privacy audit, alignment with the Australian Government Protective Security Policy Framework, the Information Security Manual, the Australian Privacy Principles and the Privacy Code. The requirements defined in the framework build on the baseline of the Australian Cyber Security Centre’s Essential 8 cyber security mitigations.
Once accredited, participants need to continually demonstrate they meet their TDIF obligations by undergoing annual assessments.
The TDIF supports 4 accreditation roles:
- Identity Service Providers (IdP) are accredited to undertake the functions of identity management.
- Credential Service Providers (CSP) are accredited to undertake the functions of authentication credential management.
- Attribute Service Providers (AP) are accredited to undertake the functions of attribute management which are specific to entitlements, qualifications, relationships or other characteristics of people and non-person entities.
- Identity Exchanges (IdX) are accredited to convey, manage and co-ordinate the flow of attributes, claims and assertions between members of an identity federation.
Participants can apply to be accredited in one or more of these roles.
TDIF accredited providers
The TDIF Accreditation Authority has granted accreditation to the following services:
| Provider | Service type | Accreditation date |
|---|---|---|
| Department of Human Services | Identity Exchange | 13 May 2019 |
| Australia Post (Digital iD) | Identity Service Provider and Credential Service Provider | 17 May 2019 |
| Australian Taxation Office (myGovID) | Identity Service Provider and Credential Service Provider | 30 May 2019 |
| Australian Taxation Office | Relationship Authorisation Manager | 20 June 2019 |