ATO wants to verify citizens are alive and physically present for myGovID registrations
The Australian Taxation Office (ATO) is looking to introduce a “liveness” feature to myGovID, the Australian’s government’s digital identity credential.
The agency, which handles myGovID, has gone to market seeking a supplier to deliver a software solution that will allow people who are registering to prove they are a live person and physically present, as well as allow them to take a selfie to verify their identity against a stored identity document, such as their passport or driver’s licence.
The ATO quietly released the app last year to enable citizens to have their identity verified once so they could access government services online using their verified identity, rather than having to continually be verified by each Commonwealth entity.
The ATO emphasised that the successful contractor would need to adhere to strict security guidelines. These include delivering a security management and governance functionality in accordance with the Australian Cyber Security Centre (ACSC) Information Security Manual and Essential Eight mandatory requirements, provide an authenticated log-on for individual ATO users, and configure its IT systems and environments to effectively respond to the latest threats.
Additionally, the ATO said the supplier must utilise securely configured cryptographic data transmission protocols and algorithms to transfer information across untrusted networks, and be able to control the connection of peripheral devices to IT systems that store, process, or transfer ATO information.
Last week, it was revealed that the default login option on myGovID for agents used by the ATO was vulnerable to a code replay attack.
In a blog post, scurity researchers Ben Frengley and Vanessa Teague described how an attacker could use a malicious login form to capture user details, which the attacker could then use to login into other accounts held by the myGovID user.
The pair said they informed the Australian Signals Directorate of the issue on August 19, and were told by the ATO that “they did not intend to change the protocol, at which point we immediately informed them that we would make a warning to users public”.
A spokesperson for the ATO said the flaw was not a “security vulnerability of the myGovID solution or application” and that it can used against login procedures including “passwords, SMS, physical code generators, and mobile apps codes”.
“The approach identified by the researchers, to scam a user by redirecting them to a malicious phishing website requesting credentials, is a well-known and common challenge across authentication systems and is not unique to the myGovID platform,” the spokesperson said.
“The ATO takes IT security very seriously.”
In October, the Digital Transformation Agency said almost 7,000 Australians had created a myGovID.
The ATO said it expected approximately five million Australians would sign up over the first three years of the myGoveID app going live.
As part of the selection process, the tax office said it plans to conduct software trial activities to ensure shortlisted tenderers meet its requirements.
The contract will be for a period to 30 September 2021, with the option to extend it three times for up to two years per extension.
Submissions for the tender closes October 20.
The agency spent its entire Senate Estimates appearance explaining what exactly is digital identity and why Australians don’t really know about its existence.
The federal government has opened discussions on how the commercial sector can participate in Australia’s digital identity system.
By the end of 2018-19, the Digital Transformation Agency said there had been 11,785 downloads of its myGovID iOS smartphone app.