The Trusted Digital Identity Framework (TDIF) is an accreditation framework for Digital Identity services. It sets out the requirements that applicants need to meet to achieve accreditation. The TDIF also includes guidance material and templates to support providers to meet TDIF requirements.
Organisations and government agencies can apply for TDIF accreditation and undergo a series of assurance evaluations for their Digital Identity service. To become a TDIF accredited provider, applicants are required to demonstrate how their Digital Identity service meets requirements for:
- accessibility and usability
- privacy protection
- security and fraud control
- risk management
- technical integrity and more.
This includes the need for:
- an independent privacy impact assessment
- an independent security assessment
- an ICT penetration test
- organisational policies and practices that demonstrate alignment with the Australian Government Protective Security Policy Framework, the Information Security Manual, the Australian Privacy Principles and the Privacy Code.
The requirements defined in the framework build on the baseline of the Australian Cyber Security Centre’s Essential Eight cyber security mitigations.
Once accredited, providers need to continually demonstrate they meet their TDIF obligations by undergoing annual assessments.
The TDIF supports 4 accreditation roles.
The TDIF Accreditation Authority has granted accreditation to the services listed below.
An identity provider can create, maintain or manage information about a person’s identity, and offer identity-based services. Relying parties need to be confident that the person they provide a service to is who they say they are. The level of confidence they need depends on the type of service they are providing, and the consequences if they provided it to the wrong person. Identity providers help boost relying parties’ confidence in a person’s digital identity by collecting, verifying, and validating attributes that confirm a person’s identity to an appropriate identity proofing level (IP).
| Service name | Provider | Service type | Accredited identity proofing levels | Verification type | Accreditation date | Accreditation status |
| --- | --- | --- | --- | --- | --- | --- |
| Digital iD | Australia Post | Mobile application | IP2 (Standard) | Reusable identity | 17 May 2019 | Active |
| myGovID | Australian Tax Office | Mobile application | IP1, IP2 (Basic, Standard) | Reusable identity | 30 May 2019 | Active |
| OCR Labs | OCR Labs | Mobile application | IP2 (Standard) | One-off verification | 8 July 2021 | Active |
| myGovID | Australian Tax Office | Mobile application | IP3 (Strong) | Reusable identity, biometric enabled | 30 August 2021 | Active |
Credential providers can generate, bind and distribute credentials to individuals or can bind and manage credentials generated by individuals. For services in which return visits are applicable, a successful authentication provides risk-based assurances that the individual accessing the service today is the same individual who accessed the service previously. The robustness of this confidence is described by a credential level (CL) categorisation.
| Service name | Provider | Service type | Accredited credential levels | Accredited credential types | Accreditation date | Accreditation status |
| --- | --- | --- | --- | --- | --- | --- |
| Digital iD | Australia Post | Mobile application | CL2 | Multi-factor AuthN | 17 May 2019 | Active |
| myGovID | Australian Tax Office | Mobile application | CL2 | MF Crypto Software | 30 May 2019 | Active |
Identity exchanges convey, manage and coordinate the flow of identity attributes and assertions between members (identity providers, credential providers, attribute providers and relying parties) of an identity federation.
| Service name | Provider | Interoperability statement | Accreditation date | Accreditation status |
| --- | --- | --- | --- | --- |
| Exchange | Services Australia | The exchange is able to connect to other digital identity federations using OpenID Connect 1.0 and SAML. | 13 May 2019 | Active |
| connectID | eftpos | The exchange brokers authentication and identity requests using OpenID Connect 1.0. | 15 September 2021 | Active |
Attribute providers generate and manage attributes and claims about an individual, business or organisation that are provided to relying parties to support their decision-making processes. An attribute provider represents an authoritative source for a selected set of authorisation, qualification, self-asserted, entitlement, or platform attributes under the TDIF.
| Service name | Provider | Accredited attribute class | Attributes | Accreditation date | Accreditation status |
| --- | --- | --- | --- | --- | --- |
| Relationship Authorisation Manager (RAM) | Australian Tax Office | Authorisation | Business authorisations | 20 June 2019 | Active |
| myGov | Services Australia | Platform | myGov LinkID | 25 August 2021 | Active |
The TDIF is currently made up of 13 policies. Additional policies will be added as required and as we learn more about user needs.
(Note: We aim to meet the Australian Government’s web accessibility requirements with the documents below. However, if you require a more accessible version, please contact us.)
01 – Glossary of abbreviations and terms [PDF, 624KB] includes a list of acronyms and defines the key abbreviations and terms used in the TDIF.
02 – Overview [PDF, 815KB] provides a high-level overview of the TDIF.
03 – Accreditation process [PDF, 1MB] sets out the process and requirements an applicant is required to complete to achieve TDIF accreditation.
04 – Functional requirements [PDF, 881KB] outlines requirements applicable to the accredited roles, including fraud control, privacy, protective security, user experience and technical testing. It also includes a series of functional assessments to be undertaken by the applicant to achieve TDIF accreditation, including a privacy impact assessment (PIA), privacy assessment, security assessment, penetration test and an accessibility assessment against the Web Content Accessibility Guidelines.
04A – Functional Guidance [PDF, 844KB] provides guidance to applicants on meeting the requirements set out in the TDIF 04 Functional requirements.
05 – Role requirements [PDF, 1.2MB] includes user terms and lifecycle management requirements applicable to the accredited roles.
05A – Role Guidance [PDF, 971KB] provides guidance to applicants on meeting requirements set out in the TDIF 05 Role requirements.
06 – Federation Onboarding Requirements [PDF, 803KB] outlines the requirements to be met when an applicant’s identity system is approved to onboard to the Australian Government’s identity federation. This document includes functional requirements, technical integration testing requirements, operating obligations and the accreditation requirements for an identity exchange.
06A – Federation Onboarding Guidance [PDF, 1.37MB] provides guidance to applicants on meeting requirements set out in the TDIF 06 Federation onboarding requirements.
06B – OpenID Connect 1.0 Profile [PDF, 1.3MB] describes how OpenID Connect 1.0 is used within the Australian Government’s identity federation.
06C – SAML 2.0 Profile [PDF, 957KB] describes how SAML 2.0 is used within the Australian Government’s identity federation.
06D – Attribute profile [PDF, 996KB] describes the attributes used within the Australian Government’s identity federation and how these are mapped in the OpenID Connect 1.0 Profile and SAML 2.0 Profile.
07 – Annual Assessment [PDF, 604KB] sets out the process and requirements an accredited provider is required to complete by the anniversary of their initial accreditation date to remain TDIF accredited.
The following templates are provided as guidance for applicants and can help support their accreditation effort.
TDIF Accreditation Requirements – template [XLS, 619KB] includes all TDIF requirements.
TDIF Application for Accreditation Letter – template [docx, 64KB] is a template for the TDIF accreditation letter as required in the TDIF 03 accreditation process.
TDIF Statement of claims [PDF, 511KB] is to be completed and submitted with the TDIF Application for Accreditation Letter as required in the TDIF 03 accreditation process.
TDIF Fraud Control Plan – template [docx, 283KB] sets out the standard assessment requirements to be covered by an applicant’s Fraud Control Plan.
TDIF Functional Assessments (generic) – template [docx, 281KB] sets out the standard assessment requirements to be covered by an applicant’s functional assessment.
TDIF Privacy Impact Assessment (PIA) – template [docx, 324KB] sets out the standard assessment requirements to be covered by an applicant’s privacy impact assessment.
TDIF Privacy Assessment (functional assessment) [docx, 299KB] sets out the specific assessment requirements to be covered by an applicant’s privacy assessment.
TDIF Technical Test Plan – template [docx, 282KB] sets out the requirements to be covered by an applicant’s Technical Test Plan and report.
TDIF Cryptographic Key Management Plan - template [docx, 280KB] sets out the requirements to be covered by an applicant’s Cryptographic Key Management Plan.
TDIF Exemption request form [docx, 93KB] is to be used by an applicant when submitting an exemption request to the DTA.
TDIF Usability Test Plan and Report - template [docx, 281KB] sets out the requirements to be covered by an applicant’s usability test plan, testing and report.
TDIF Attestation Letter (Annual Assessment) [docx, 48KB] is a template for the TDIF attestation letter as required by the TDIF 07 Annual Assessment requirements.
The next scheduled review of the TDIF will occur by July 2022. Any changes made to the document suite before this date will be recorded in a TDIF change management document and will be made available on our website. All changes to the TDIF will occur in accordance with the TDIF Variation Standard Operating Procedure.
All changes made to the TDIF are published in accordance with the TDIF Variation Standard Operating Procedure. All changes to the TDIF documents are recorded in the TDIF Change Log, available below.
TDIF Variation Standard Operating Procedure [PDF, 440KB] sets out the procedure for implementing requested changes to the TDIF.
TDIF Change Request Form [PDF, 149KB] use this form to request any changes to the TDIF.
TDIF Change Log – October 2021 [XLS, 304KB] records any changes made to the TDIF before July 2022.