On this page
The information on this page has been written for employees or owners of businesses or organisations that wish to understand:
- the benefits Digital ID may provide to your business or organisation
- the different kinds of Digital ID services that might be relevant to your business or organisation
- how to engage with and choose a Digital ID provider that’s right for your business or organisation.
What is a relying party
You may be a relying party if you need to identify people or customers for them to access your services. You may choose to use Digital ID as a relying party if you need to identify or confirm certain information about a person or customer before allowing them to access your service or systems.
Common examples of businesses and organisations who can be relying parties include:
- real estate businesses providing services related to buying or renting properties
- telecommunication services
- businesses selling alcohol online and same day alcohol delivery services
- vehicle rental companies
- travel services, including hotels
- employment, recruitment and education providers.
What can Digital ID do for your business or organisation
Digital ID changes how businesses and organisations collect, verify or store personal information. Relying on a Digital ID means you can replace your current processes for verifying a customer’s or employee’s ID with more streamlined processes that use far less personal information.
Digital ID also provides options for account authentication, allowing returning customers to log in securely to your services or systems. It can enable you to move more services online, helping to reach new customers, and make accessing those online services more secure. It can also help streamline processes for background checks to make it easier and faster to onboard new employees.
On this page
On this page
Digital ID providers and services
The Australian Government operates a voluntary accreditation scheme for Digital ID service providers. Accreditation recognises that the Digital ID provider meets the privacy, security, fraud control and usability standards set by the Australian Government.
There are a few ways you can check if a Digital ID provider is accredited. They may be using the Accreditation Trustmark on their webpage or app. You can also find them on the accredited entities register.
Relying parties
Relying parties are not required to be accredited to use a Digital ID provider or service. However, you will continue to be regulated by any existing privacy obligations that apply to you (for example, the Privacy Act 1988) if you collect personal information as part of providing your services to a customer. You can find more guidance on the privacy obligations for relying parties, and key steps relying parties can take to protect the personal information they handle.
There are three different kinds of Digital ID services you can engage depending on the needs of your business or organisation.
Identity services providers
An identity service provider verifies a person's ID documents to create a digital ID. There are 2 kinds of identity service providers:
- An identity service provider that provides a reusable Digital ID service. This means a person verifies their ID once, creates a Digital ID and can then use that Digital ID to access relying party services like your business or organisation again and again. This works like a unique account for your business or organisation’s service that your customers can use to authenticate to your service on return visits.
- An identity service provider that provides a one-off Digital ID service. This means that a person will verify their ID in a single transaction. One-off Digital IDs may be useful for single transactions where you don’t expect or need a customer to pay return visits or for high-value single transactions.
Attribute service provider
Attribute service providers verify additional information about a person that may not necessarily be included in a Digital ID. This might include a person’s:
- qualifications like a university degree or trade certification
- licences such as an electrician’s licence
- authorisations such as being able to act on behalf of a business or organisation
- other verified personal information.
Identity exchanges
An identity exchange connects participants in a Digital ID system to each other. Participants of a Digital ID system may be made up of multiple identity service providers and attribute service providers who are connected via an identity exchange to relying parties like your business or organisation.
On this page
Connecting to an accredited provider
There are different ways for your business to connect to accredited Digital ID providers and the best option will depend on what kind of Digital ID service your business or organisation needs. You should consider:
- the needs of your customers to access your service
- regulatory requirements you may need to comply with in your industry
- the kind of verified information you need from a customer to provide them with your service.
Connecting to a Digital ID system through an identity exchange
This allows a wide variety of customers who may already have a Digital ID with various providers to use their existing Digital ID to access your services. This means that your customers may not be required to create a new Digital ID or be locked into one single Digital ID provider. You can find a list of accredited identity exchanges on the Digital ID accredited entities register.
The Australian Government Digital ID System currently allows individuals to use their digital ID to access government services. By December 2026, the Australian Government Digital ID System will expand to include private sector relying parties and more accredited digital ID providers.
Directly connecting to a provider
This allows you to use a single provider for your identity needs. There are several Digital ID providers that have been accredited right now. You can find a list of accredited identity service providers on the Digital ID accredited entities register.
On this page
Why use an accredited service
Whether you connect directly to a Digital ID provider, or via an exchange, the benefits of using an accredited Digital ID provider include:
- confidence that an individual is who they say they are and that their ID has been verified in accordance with government standards
- guarantee that a customer has consented to sharing their information before it is disclosed to you
- assurance that the digital ID provider protects and securely encrypts any personal information that is disclosed to you
- strong accessibility and usability requirements will help more customers create and use a Digital ID to access your service
- confidence that, where return visits are applicable, a successful authentication process means that the customer accessing your service today is the same customer who accessed your service previously.
Read more about the privacy and security protections and benefits of Digital ID.
The main controls and requirements for accredited Digital ID providers are outlined below. For a full list of accreditation requirements and further information on their operation, please see the Digital ID Act, Accreditation Rules and accompanying explanatory statements.
Identity strength
Identity strength indicates the confidence you can have that the person is who they say they are. The strength is determined by the “identity proofing level” or IP level. The higher the IP level, the stronger their Digital ID is.
It’s important to work out what IP levels will be appropriate for your business or organisation. This includes the minimum information that a Digital ID provider may give to you for both one-off and reusable Digital IDs.
To work out which identity strength is best for your business or organisation, you should consider:
- the risk and impact of incorrectly identifying a customer before providing your service to them. This will help you determine which identity strength you will require a Digital ID to be verified at before an individual can access your service(s).
- the accessibility of certain documents or information for customers who want to access your service. Some customers may not possess certain documents, e.g. a driver’s licence or Australian passport, and therefore cannot verify their Digital ID to higher IP levels.
- Digital ID providers may offer different ranges of document combinations to reach each IP level.
- The majority of Australians should be able to verify their Digital ID to at least an IP2—this has been previously known as a 100 point ID check.
- the kinds of attributes you need a customer to verify for them to access your service(s). For example, the customer’s name and date of birth.
- the suitability of Digital ID for your customers. It is important to remember that not all customers will be able to or want to obtain and use a Digital ID. Your organisation or business should consider providing a choice to your customers to ensure your services remain inclusive.
Some identity strength levels require additional processes such as confirming that a person’s face matches their photo ID such as a driver’s licence or passport photo. This is called a biometric match. This will provide high confidence that the presenting person is a real person, and the right person. Once completed, a one-to-one matching comparison is conducted between that individual’s image and the image that has been issued and displayed on their approved photo ID. Soon after the match is verified, the biometric is deleted.
Digital ID providers that offer higher identity strength levels for Digital IDs must protect this information according to additional privacy safeguards in the Digital ID Act.
Examples of the common kinds of ID and the combinations of ID required to reach each different identity strength for a Digital ID are provided below.
IP1 is considered a “basic” Digital ID strength. No verified documents are required to generate a Digital ID at this identity strength. A basic strength Digital ID is for transactions or services where the customer may remain anonymous, but the parties desire a continuing conversation.
This identity strength is for transactions or services where misidentifying a person will have minor consequences for your business or organisation's service. To reach Basic plus, a person is required to present a single verified ID document or credential that must contain a name and date of birth. A person can provide different types of ID documents. Below are examples of an ID document that can be used to create a Basic plus Digital ID, including:
- An Australian passport, or
- A drivers licence, or
- A foreign ePassport, or
- An immicard
This identity strength is for transactions or services where misidentifying a person will have moderate consequences for your business or organisation's service. To reach Standard, a person is required to present a two verified ID documents or credentials, one of which must contain a name and date of birth. The examples below are of a combination of ID documents that can be used to create a Standard digital ID, including:
- An Australian birth certificate and a drivers licence, or
- A drivers licence and medicare card, or
- An Australian birth certificate and a medicare card, or
- An Australian visa (which is linked to a foreign passport or ePassport and a medicare card
This identity strength is for transactions or services where misidentifying a person will have moderate to high consequences for your business or organisation's service. To reach Standard plus, a person is required to present a two verified ID documents or credentials, one of which must contain a name and date of birth. One document must also be a photo ID and a biometric match against a person's selfie and their photo ID must be done. Each of the examples below are of a combination of ID documents that can be used to create a Standard plus Digital ID, including:
- A drivers licence and Medicare card plus a biometric match of a person's selfie against their photo ID picture.
- A foreign passport or ePassport (which must be linked to an Australian visa) and a Medicare card plus a biometric match of a person's selfie against their photo ID picture.
This identity strength is for transactions or services where misidentifying a person will have high consequences for your business or organisation's service. To reach Strong, a person is required to present a three verified ID documents or credentials, one of which must contain a name and date of birth. One document must also be a photo ID and a biometric match against a person's selfie and their photo ID must be done. The exception to the three documents rule is if one document is an Australian passport. Each of the examples below are of a combination of ID documents that can be used to create a strong Digital ID, including:
- An Australian passport and Medicare card plus a biometric match of a person's selfie against their photo ID picture, or
- An Australian birth certificate, drivers licence and Medicare card plus a biometric match of a person's selfie against their photo ID picture, or
- An Australian visa, a foreign passport or ePassport and a Medicare card plus a biometric match of a person's selfie against their photo ID picture.
This identity strength is for transactions or services where misidentifying a person will have major consequences for your business or organisation's service. To reach Very Strong, a person is required to present a four verified ID documents or credentials, one of which must contain a name and date of birth. One document must also be a photo ID and a biometric match against a person's selfie and their photo ID must be done. IP4 also requires that an in-person check is required. The examples below are different combinations of four ID documents to reach the standard Digital ID strength as well as the additional biometric match process and in-person check.
- An Australian passport, Medicare card, Australian birth certificate and driver's licence plus a biometric match of a person's selfie against their photo ID picture and an in-person check, or
- An Australian visa, a foreign passport or ePassport, a drivers licence and a Medicare card plus a biometric match of a person's selfie against their photo ID picture and an in-person check.
On this page
Authentication for a reusable Digital ID
A reusable digital ID is suitable for an organisation or business that requires or allows a customer to return to access a service.
This is referred to as authentication, where a customer uses their digital ID to “log in” or authenticate to your service. A successful authentication provides reasonable risk-based assurance that the customer accessing your service today is the same person as the customer who accessed your service previously. The robustness of this assurance is described via an authentication level (AL).
These authentication levels are derived from the associated technology, processes and security controls which are required to be implemented by a digital ID provider at each level. Like the IP levels, you will need to determine the required authentication level alongside the IP level that is suitable for your service, organisation or business.
The authentication level will be determined by the level of risk to your service that the person accessing the account is the same person who accessed the account previously. For example, that the digital ID used to log into a system administrator account is controlled by the same person who was authorised to access the account previously.
Most identity service providers provide authentication solutions at AL2, as any digital ID verified at IP levels above IP1 and below IP4, must be accessed or used via an AL2 or AL3 authentication process. This is commonly known as a multi-factor authenticator. There are different kinds of authentication factors that make up a multi-factor authenticator. For example, multi-factor cryptographic software is made up of cryptographic software that may be stored on a device and a pin number or biometric information that activates and unlocks that software.
There is low assurance that the customer controls and continues to control the digital ID. AL1 can only be used to access IP1 Digital IDs.
At a minimum, single-factor authentication is required at this level. For example, a password.
There is a moderate to high assurance that the customer controls and continues to control the Digital ID. AL2 is required to access IP1 Plus to IP3 Digital IDs.
At a minimum, multifactor authentication is required at this level. For example, cryptographic softwear and a pin number of biometric information.
There is very high assurance that the customer controls and continues to control the Digital ID. AL3 is required to access IP4 Digital IDs.
Multi-factor authentication using a device is required at this level. For example, a USB Fob and pin number or biometric information.
On this page
Attributes
An attribute is a piece of information associated with a person. For example, a person’s:
- name
- address
- date of birth
Some attributes are restricted from being disclosed to relying parties, except in certain circumstances. Restricted attributes are attributes protected by additional privacy protections in the Digital ID Act. A restricted attribute is information such as:
- identity document numbers such as a drivers licence or passport number
- tax file numbers (TFN)
- Medicare numbers
- health information
- the unique identifier of a particular version of a document or credential (e.g. the card number for a particular version of a driver license).
A Digital ID provider or attribute service provider can only provide restricted attributes to you if they are authorised to do so under their accreditation conditions.
How does my service provider get attributes?
Digital ID providers can supply you with a person’s attributes that have been verified as part of the identity proofing process for generating a Digital ID. Before a person’s attributes are disclosed to you, the person must expressly consent to the disclosure and agree to share their personal information with you. Common verified attributes you can request to receive as part of a Digital ID transaction are a person’s name, date of birth, contact details such as a mobile phone number or email address and the identity strength of the Digital ID.
Attribute service providers can provide other verified attributes to you, such as business authorisations. Over time, additional attribute service providers may become accredited to operate outside of the Australian Government Digital ID System. There may also be new kinds of accredited attribute service providers in the future to provide other verified attributes about person such as the kinds of licences (e.g. electrician, medical etc.) or qualifications (e.g. master’s degree) they hold.
On this page
Data minimisation principle
Accredited Digital ID providers are subject to the data minimisation principle under the digital ID legislation. This means that they must be able to provide a business or organisation with only the attributes needed to provide services to a customer or to verify the ID of a prospective employee. This allows you to reduce the amount of information you collect about an individual. You can find out more about how you can reduce the amount of information you need to collect here: Relying parties privacy obligation when handling personal information.
The following scenarios provide hypothetical examples of how a relying party like your business or organisation may use Digital ID to provide a service to customers.
Example scenario 1
OnlineAlcohol.com is a same-day alcohol delivery service. To allow a person to purchase alcohol online, it must ensure the person is over the age of 18. OnlineAlcohol.com verifies age using the accredited Digital ID provider ABC Digital ID. ABC Digital ID provides identity proofing levels IP1 plus through to IP3. Because OnlineAlcohol.com just needs to confirm if a person is over the age of 18, they only need to request that a Digital ID is verified to at least IP1 Plus, which means at least one identity document with an individual’s name and date of birth has been verified.
OnlineAlcohol.com only needs to know that the person purchasing the alcohol is legally entitled to, therefore only requests that ABC Digital ID provide the information confirming that the person has verified their identity and that they are over 18. Once the person provides express consent to ABC Digital ID, the following attributes may be disclosed to OnlineAlcohol.com:
- The IP level of the Digital ID to confirm that it has been verified
- A yes/no response to confirm the person is over 18, this information is calculated using their verified date of birth.
Example Scenario 2
LocalRent.au is a rental property management business. Before allowing a person to rent a house or apartment, they need to verify the identity of the person.
LocalRent.au used to complete the identity verification process by scanning a person’s identity document information and then storing it. This meant that LocalRent.au was storing personal information, including restricted attributes such as pictures of driver’s licences, for long periods of time. This practice increased privacy risk to individuals and increased privacy compliance risks for LocalRent.au, including making them more susceptible to cyber security and data breaches.
Using an accredited digital ID provider now means that LocalRent.au does not have to complete the identity proofing process and store sensitive personal information. LocalRent.au can trust that accredited Digital ID provider ABC Digital ID has performed all required identity proofing checks to verify the individual's identity.
To do this, LocalRent.au requires a higher assurance in the identity of the person opening the account and requests that a person verifies their Digital ID to at least IP2. This means that the person has verified two identity documents as part of creating their Digital ID.
Once the person provides express consent to ABC Digital ID, the following attributes may be disclosed to LocalRent.au:
- The IP level, at least IP2 or above, of the Digital ID to confirm that it has been verified
- The person’s name
- The person’s verified mobile number and email
Redress and user support
Accredited identity service providers are required to provide advice to individuals with a Digital ID on how to safeguard it against fraud risks such as scams. This helps ensure that individuals are continuously educated about fraud risks, including Digital ID related scams. This requirement is another way to reduce the likelihood that a fraudulent or compromised Digital ID will be used to access your services.
Accredited Digital ID providers that provide public-facing accredited services (for example a Digital ID app that a customer downloads on their mobile phone) must also provide support to individuals adversely affected by a Digital ID fraud incident. They can determine how best to provide such support, but at a minimum it must include having a real person that individuals can speak to and having communication channels (such as an email or chat function).
Fraud control rules for accredited entities
Accredited Digital ID providers are required to meet fraud control and privacy rules and responsibilities. These are designed to help prevent, detect and address Digital ID fraud incidents and minimise the fraud risks that could negatively impact both individuals and your service when relying on a Digital ID. This helps to lower the likelihood of a fraudulent or compromised Digital ID being used to access your service(s). These detection and prevention mechanisms also include the immediate suspension of Digital IDs suspected or identified as being involved in a Digital ID fraud incident.
Additionally, Digital ID providers must have an accessible way for individuals and relying parties like your business or organisation to confidentially report real or suspected Digital ID fraud incidents. Digital ID providers are obligated to investigate and address fraud incidents involving compromised Digital IDs when they occur.
Cost of using Digital ID or accredited services
Charging for accredited services operating outside of the Australian Government Digital ID System is not regulated by the government, meaning that each accredited Digital ID provider may set different prices for their services.
When can my business or organisation join AGDIS?
If you are a private sector relying party, the government has committed to expanding the Australian Governments Digital ID System to allow the private sector to participate by December 2026.
If you are a Commonwealth, state or territory government relying party, you can register your interest now.
Set it up once, then reuse it to prove who you are.
