
Identity is authenticated for each interaction





Customer or third party identities are authenticated for each interaction.

NB: This is a process undertaken to confirm the person we are engaging with owns the record they are trying to access.

This control is underpinned by:

In particular, it involves testing the credentials supplied by the person making the claim.

The three types of authentication are:

  • Something you know (e.g. a password)
  • Something you have (e.g. an ID badge or cryptographic key)
  • Something you are (e.g. a fingerprint or other biometric data)


Some examples of this type of countermeasure include:

  • All customers or providers must pass an identity authentication check prior to servicing.
  • Staff must enter their log-on ID and password to access systems.
  • Customers or providers must pass a two-factor authentication to access their online account.
  • Customers must enter a unique PIN to access the mobile app.
  • Voice or facial biometrics.

Purpose of this countermeasure

Someone can provide false or misleading information or stolen evidence of identity to support a request or claim.

Providing false or misleading information or forged documents to commit fraud are offences under the Criminal Code Act 1995.

Whole-of-Government policies require us to have a high level of confidence in the identity of a customer when providing government services and payments.

Providing services to someone without authenticating their identity can lead to fraudsters impersonating customers or third parties to receive fraudulent payments or gain access to information.


This type of control is supported by:

How do I know if my countermeasures are effective?

You can apply the following methods to measure the effectiveness of these types of countermeasures:

  • Review authentication controls and policies to see if they conform to national guidelines and frameworks.
  • Review the information threshold for authenticating an identity. What level of that information is publicly available, e.g. could it be found on social media?
  • Confirm the existence of reference and guidance material.
  • Confirm processes are consistently applied both within channels and across channels.
  • Review a sample of completed transactions to confirm correct processes were undertaken.
  • Ask staff about the authentication processes to ensure they have a consistent and correct understanding.
  • Undertake vulnerability testing or a process walk-through to confirm that processes cannot be circumvented.
  • Identify how the requirement to authenticate identity is communicated to staff.
  • Review identified cases of fraud involving the use of a false or stolen identity.

