Digital ID Verification and Authentication System (Digital ID)
Identity verification and authentication are among the initial processes required when accessing government services and are of utmost importance. Traditionally, officials verify individuals seeking services by checking their national ID cards before providing information or assistance.
In Digital Service delivery, government agencies must also have methods for digital identity authentication and verification. This process must maintain a high level of reliability to ensure that service providers can confidently verify the actual existence of the service requester and confirm that they are who they claim to be.
Furthermore, digital identity authentication and verification must incorporate strong personal data protection measures, ensuring high-security standards while complying with relevant laws, regulations, and standards. At the same time, the process should not impose an excessive burden on individuals requesting services.
The Digitalization of Public Administration and Service Delivery Act B.E. 2562 (2019) states that government agencies manage operations and provide public services through digital formats and channels. This includes ensuring secure integration and alignment of government data and operations.
Under Section 12 (2), government agencies must implement digital processes and operations that are interoperable. Additionally, Section 12 (4) requires the establishment of a digital identity authentication and verification system to facilitate public services, ensuring compliance with standards and guidelines set by the Digital Government Development Committee.
The Digital Government Development Agency (Public Organization) (DGA) drafted the Standards and Guidelines for Digital Processes and Operations regarding the use of Digital ID for government services for Thai nationals. This was developed through various working groups and processes before being submitted to the Digital Government Development Committee for approval.
The standards were officially published in the Royal Gazette on October 11, 2021, making them mandatory for government agencies providing digital services. These agencies must comply with the standards and implement digital identity authentication and verification within two years from the effective date of the announcement.
DGA has been developing and providing the DGA Digital ID system for authentication and verification since fiscal year 2016. As of September 30, 2022, the system had approximately 1.5 million user accounts and was integrated into various services, including DGA’s services such as the Citizen Portal, the Government Service Center for Businesses (Biz Portal), and digital services from various agencies such as the Food and Drug Administration (FDA), Department of Employment, and the National Broadcasting and Telecommunications Commission (NBTC), etc.
This system allows citizens to access multiple government services without the need to re-authenticate for each service (Single Account). In addition, it helps agencies reduce the costs of developing their own identity verification systems while also saving time on system implementation.
In addition, DGA has been continuously developing the Digital ID authentication and verification system. In fiscal year 2022, DGA initiated a pilot implementation to align with the Digital Government Development Committee’s standards and guidelines on Digital ID for government services for Thai nationals. The key focus of this enhancement is improving the Identity Assurance Level (IAL) to support medium- to high-risk government services, such as credit bureau data verification. This ensures that the authentication process meets security and reliability requirements for sensitive transactions.
However, for individuals to upgrade the Identity Assurance Level (IAL) of their Digital ID, they must undergo face-to-face identity verification or, if using a non-face-to-face method, provide valid identity proof. In Thailand, common verification methods include:
- Inserting a national ID card into an automated service point (such as a kiosk or ATM)
- Using digital identity verification services, such as the National Digital ID (NDID) system
To facilitate this process, DGA launched this initiative to help citizens obtain high-assurance Digital ID accounts conveniently. This allows them to verify their identity at nearby service points or through trusted digital channels, such as the NDID system.
Benefits for Government Agencies
- Citizens can conveniently have a highly reliable digital ID account that can be used to access government information and services (Single Account).
- Government agencies can use a reliable digital ID verification and authentication system with efficient personal data protection and high security that complies with related rules, regulations, and standards to provide services through their agencies’ digital channels.
Technical Characteristics
Digital Identity Authentication and Verification Framework
Digital identity refers to a unique characteristic used to access online government services.
It is a process that consists of enrolment and identity proofing, and authentication. The person undergoing identity proofing is referred to as the “applicant.” Once the applicant has proven that they are indeed the individual they claim to be, or the rightful owner of that identity, their status is changed to “subscriber.”
The level of rigor in the identity proofing process is referred to as the “Identity Assurance Level (IAL),” which consists of IAL1, IAL2, and IAL3, with each level having specific requirements for identity proofing, classified according to the type of digital government service provided.
A user accessing services from a government service provider (relying party: RP) must verify their identity to prove they are the individual they claim to be or the rightful owner of the claimed identity. This is done by presenting the identity provider (IdP) with the necessary credentials as defined by the requirements. Once the identity provider verifies the information, they will send the authentication result to the government service provider. The government service provider can then use the information in the authentication result to assess the user’s rights and eligibility.
The level of rigor in the authentication process, which informs the government service provider’s authorization of access to data, is referred to as the “Authenticator Assurance Level (AAL).” It consists of AAL1, AAL2, and AAL3, with the following distinctions:
- AAL1: Requires single-factor authentication (SFA).
- AAL2: Requires two-factor authentication (2FA), involving two different factors.
- AAL3: Requires authentication similar to AAL2 but must include at least one factor that is a hardware-based device and must be protected against impersonation.
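The three AAL tiers and the relying party's use of the authentication result can be expressed as a small policy check. This is an added example, not DGA Digital ID code: the `Factor` and `AuthResult` shapes, the factor kind names (knowledge, possession, inherence), the function names and the required levels are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Factor:
    kind: str                              # assumed kinds: knowledge / possession / inherence
    hardware: bool = False                 # factor is a hardware-based device
    impersonation_resistant: bool = False  # protected against impersonation

@dataclass(frozen=True)
class AuthResult:                          # hypothetical IdP -> RP authentication result
    subject: str
    ial: int
    aal: int

def achieved_aal(factors):
    """IdP side: derive the AAL from the factors actually presented."""
    kinds = {f.kind for f in factors}
    if not kinds:
        return 0                           # nothing presented
    if len(kinds) < 2:
        return 1                           # one factor, or the same kind repeated
    if any(f.hardware and f.impersonation_resistant for f in factors):
        return 3                           # two kinds plus a protected hardware factor
    return 2                               # two different kinds

def issue_result(subject, ial, factors):
    """IdP side: build the result that is sent back to the relying party."""
    return AuthResult(subject, ial, achieved_aal(factors))

def authorize(result, required_ial, required_aal):
    """RP side: compare the asserted levels with what the service requires."""
    if result.ial < required_ial:
        return False, "upgrade identity proofing"
    if result.aal < required_aal:
        return False, "step-up authentication"
    return True, "ok"

# Constructed sample factors, not real DGA Digital ID data.
PASSWORD = Factor("knowledge")
PIN = Factor("knowledge")
OTP_APP = Factor("possession")
HW_KEY = Factor("possession", hardware=True, impersonation_resistant=True)

if __name__ == "__main__":
    for name, factors in [("password+PIN", (PASSWORD, PIN)),
                          ("password+OTP", (PASSWORD, OTP_APP)),
                          ("password+hardware key", (PASSWORD, HW_KEY))]:
        result = issue_result("constructed-user", 2, factors)
        print(name, result.aal, authorize(result, required_ial=2, required_aal=2))
```

Note that a password plus a PIN still yields AAL1, because both are the same kind of factor and AAL2 requires two different ones.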
The diagram shows that the digital identity proofing and authentication process consists of two main procedures: (1) Registration and Identity Proofing and (2) Authentication. The Identity Provider (IdP) must be involved in managing the system to ensure continuity and security, such as updating, modifying, or canceling identity data for both applicants and subscribers to keep the information up to date.
The diagram on the left illustrates the Registration and Identity Proofing process, which consists of the following steps:
- The applicant registers and proves their identity with the Identity Provider (IdP), who may verify the information with trusted data sources.
- If the identity proofing is successful, the Identity Provider will register or issue the authentication credentials and create the identity assurance factor for the subscriber.
- The applicant changes status to become a subscriber.
In addition, the Identity Provider must store the authentication credentials, the status of the credentials, and the data used in the registration process for the entire duration of the credential’s use (at a minimum). The subscriber is responsible for keeping the authentication credentials secure.
The diagram on the right illustrates the Authentication process, which consists of the following steps:
- The subscriber requests to access services from the government service provider. The government service provider may redirect the subscriber to authenticate with the Identity Provider instead.
- The Identity Provider must verify the authentication credentials linked to the subscriber’s identity to ensure that the credentials are valid and belong to the correct person.
The components of the system, based on the NIST 800-63-3 Digital Identity Guideline from the United States, consist of four main parts:
- Entity: This refers to the service requester who needs to prove their identity before accessing services. It includes both individuals (citizens) and legal entities that require service.
- ID Provider (IDP): The Identity Provider manages the identity proofing and authentication process. It handles the digital identity information for the user and the Relying Party (RP). In this case, DGA Digital ID serves as the ID Provider for government digital services. It supports digital identity proofing through services like the DGA Smart Kiosk and can connect to other identity verification systems such as NDID, DOPA (Department of Provincial Administration), etc.
- Relying Party (RP): This is the service provider that requires confirmation of the subscriber’s identity in order to authorize access to certain services. The Relying Party will request identity data from the ID Provider and Authorizing Source. In this context, government agencies offering digital services to citizens, including the Digital Government Agency (DGA), Revenue Department, Department of Business Development, and others, act as Relying Parties.
- Authorizing Source (AS): This refers to the entity that owns or has access to the digital identity data. It is responsible for verifying the authenticity and trustworthiness of the personal information. Typically, this role is handled by agencies that already manage identity data, such as the Department of Provincial Administration (DOPA) or the Credit Bureau.
The Digital Identity Proofing and Authentication Data Linking System
The Digital Identity Proofing and Authentication Data Linking System (DGA Digital ID) has been developed to allow government agencies, which are mostly Relying Parties (RP), to connect to various Identity Providers (IDP) that offer high levels of trust for identity verification, as shown in the image below.
The steps for linking data for identity proofing and authentication are as follows:
- Government e-Service Systems: The service provider (government agency) must authenticate the identity of individuals requesting services and send a request for identity proofing/authentication to the DGA Digital ID system.
- Citizen Choice for Authentication Method: Citizens wishing to use the services can choose their preferred method for identity verification. Currently, the DGA Digital ID system supports several authentication methods, including:
  - DGA Verification: This allows citizens to authenticate their identity using the laser code on the back of their ID card or by inserting their ID card into a DGA Smart Kiosk (public service kiosk).
  - D.DOPA Application: This application from the Department of Provincial Administration (DOPA) is used for identity verification.
  - National Digital ID (NDID): Citizens can authenticate via an ID Provider (IDP), usually commercial banks, through the National Digital ID (NDID) system (scheduled for launch in fiscal year 2025).
- Verification Result: Once citizens complete the digital identity verification with the DGA Digital ID system, the system sends the verification results back to the relevant e-Service system of the government agency, along with related information such as the citizen’s name, surname, and the trust level of the authentication. This allows the agency to provide appropriate information and services.
After verifying their identity with the DGA Digital ID system, citizens will receive an Authenticator Account, which they can use to access other government services without the need to re-register.
Examples of agencies using the service:
- Department of Employment:
  - Thai Mee Ngarn Tham System (ระบบไทยมีงานทำ): The platform for job seekers to find job opportunities.
  - Unemployment Registration and Reporting System: The system for individuals to register and report their unemployment status.
- Food and Drug Administration:
  - e-Submission System: The platform for online submission of regulatory documents and applications for food and drug products.
Related Laws
Service Providers
The Digitalization of Public Administration and Service Delivery Act B.E. 2562 (2019) requires government agencies to manage and provide public services in digital formats and channels, with management and integration of government data and operations to be consistent and securely linked.
Section 12 (2) requires government agencies to establish processes or digital operations that must work together. In addition, Section 12 (4) provides a digital identity verification and authentication system for the benefit of facilitating public services, which has consistent standards and guidelines as determined by the Digital Government Development Committee.
Digital Government Development Agency (Public Organization)
The Digitalization of Public Administration and Service Delivery Act B.E. 2562 Section 10 (5) “Support the integration of digital services of government agencies to create comprehensive public services as determined by the Digital Government Development Committee to facilitate the public.”
Royal Decree on Criteria and Methods for Good Governance (No. 2) B.E. 2562 Section 10
“In the initial phase, the Digital Government Development Agency (Public Organization) shall provide a central digital platform for government agencies to use to provide services to the public and communicate with each other within ninety days from the date this Royal Decree has been enforced.”
Related Standards
- Announcement of the recommendations for the standards on digital identity verification and authentication
- Standards and criteria for the preparation of digital processes and operations on the use of digital IDs for government services for Thai nationals have been published in the Royal Gazette for general information on October 11, 2021
System Security
The Digital Identity Verification System is hosted on a cloud infrastructure provided and managed by the Digital Government Development Agency (Public Organization) (DGA). This government cloud system has a Service Level Agreement (SLA) with at least 99.5% uptime, and it is designed with strong data protection measures. It complies with high-security standards and has been certified for ISO/IEC 27001:2013, which is an Information Security Management System (ISMS) certification.
Furthermore, the applications and systems involved adhere to the Computer Crime Act (Amendment) B.E. 2560 and the Cybersecurity Act B.E. 2562.
In addition, the system was developed with security considerations, including:
- Application, system, and platform development under ISO/IEC 9001 standards.
- Before deployment, all applications, systems, and platforms undergo thorough testing, including Functional Tests, Performance Tests, and Security Tests. These tests ensure that the system operates flawlessly, is highly available, and has low security risks.
The Digital Government Development Agency (Public Organization) (DGA) conducts security tests for applications and platforms using at least two methods:
- Static Application Security Testing (SAST): This method involves reviewing the source code of the developed application and platform to identify potential vulnerabilities or risks that may expose the system to attacks or breaches by malicious actors.
- Vulnerability Assessment (VA): This method involves assessing the installed applications and platforms to evaluate whether they are susceptible to attacks due to insecure settings or infrastructure configurations that might not be adequately protected.
Contact Information for Service Requests:
- For the general public interested in using the service, detailed information can be found at the website: https://connect.egov.go.th.
- Government agencies interested in using the service can contact the DGA Contact Center at phone number 02-612-6060 or via email at [email protected].
More details
- Service presentation document: https://docs.google.com/presentation/d/1y7yFzSrl5_HgYDELp3Uk1j0gdw4lwUG7pu3VO_VsgKI/edit?usp=sharing
- Service details video: https://www.youtube.com/watch?v=z-YfS28cIXs