Government considers centralising digital ID verification on myGov in wake of Optus breach


The Australian government is considering using myGov or its myGovID system to centralise digital identity authentication in the wake of the Optus data breach, but critics warn any single system could have its own cybersecurity weaknesses.

The former Telstra chief executive David Thodey was recruited to audit myGov when the Albanese government came into power, and his review would now analyse whether myGov could be used to prevent people needing to present ID documents multiple times, a spokesperson for the government services minister, Bill Shorten, said.

The personal details of about 10 million customers were exposed in the Optus breach, including millions of passport, driver’s licence and Medicare numbers, raising questions as to why companies need to collect and store so much personal information.

The national government will now consider whether to create a single digital identification service that businesses could use instead.

“Within the audit’s remit is to consider how myGov can deliver seamless services that will often involve private enterprise service providers,” Shorten’s spokesperson said. “This would prevent the need for citizens to provide sensitive information multiple times to multiple entities.”

There are more than 25m active myGov accounts and the spokesperson said it would be “the natural home for expanded national service”.

Separately, the finance minister, Katy Gallagher, has reportedly convened meetings to consider resurrecting digital ID legislation planned by the former government.

The Morrison government released draft legislation in October last year to expand the use of the myGovID system. It is currently used to authenticate ID via an app when people get a tax file number, deal with Centrelink or access myGov.

The government never brought the legislation before parliament, but now the shadow government services minister, Paul Fletcher, has called on the Albanese government to resurrect the project.

“The Albanese government’s failure to progress these important reforms has left a serious gap in our ability to protect Australians’ information and amended better digital services,” he said.

But critics of the proposal warn that the digital identity framework could have its own cybersecurity weaknesses, and is not fit for purpose as a secure form of ID authentication.

Cybersecurity researcher Prof Vanessa Teague raised concerns early in the development of the system that the storing of ID document numbers would mean those documents would still be at risk of exposure in the event of a cyber-attack or data breach. She said the system used an identity exchange that mediates all logins, so there was a single point of failure where one server could track every time a person logged in, and every service they logged in to.

“There’s no reason that the authority that issued your digital ID should get a constant update every time you log in,” she said.

Stephen Wilson, a digital identity and privacy consultant, said the digital ID system was meant to be a single login for government services, not a replacement for verifying someone’s identity.

“They aimed to give citizens a single key to access all national government accounts, starting with tax, Medicare and Centrelink. The key proves you’re a national known to the ATO,” he said.

“But it wasn’t designed to verify anything else about you – especially the things outside the national sphere.”

If the ID numbers were compromised, everyone would need to be issued with a new one, he said.

Wilson argued a better method would be to put identification into the digital wallets on smartphones. It would protect the personal information stored in the card, and simply authenticate identification with the service you are using.

“IDs should go untouched by human hands. Credit cards, Medicare, driver’s licences, individual health identifiers – they should all be encapsulated within a personally controlled chip and presented with a hallmark, so the receiver knows each number comes from the real individual and not an impostor.”

One complication in developing a digital ID is that responsibility for various aspects of the system sits with different departments and agencies.

MyGov sits with Services Australia, while myGovID is the responsibility of the Australian Taxation Office. The Digital Transformation Agency is responsible for leading the proposed expansion of the digital ID system.

By 2024, the national government will have spent $624m on developing the system since 2016, according to information published by the parliamentary library.

A spokesperson for the ATO said more than 6.5m verified myGovID identities had been created as of 6 October, and there were about 300,000 authentications a day.