Over the next 12 months, the Digital Transformation Agency (DTA) will be running trials to link the federal government’s online portal myGov with its digital identification play, hoping to make the experience of dealing with government online a lot more tolerable.
Although he said 15 million of Australia’s 25 million have a myGov account, DTA Assistant Secretary for Digital Identity and myGov Jonathon Thorpe said that not everyone is happy with it, and that integrating another service could reduce friction.
“A couple of things you might have troubles with, username, passwords, trying to remember those things could be problematic — the other part is actually linking services,” Thorpe told Sailpoint Navigate in Sydney on Wednesday.
“When people say they have a problem with myGov it’s actually trying to get to Centrelink, sometimes it’s trying to get to the tax office, those kind of problems. So we see the integration of digital identity really important here, because this is part of a journey.”
Thorpe said a series of pilots will be run this year to uplift the digital identity’s credentials strength; make it more like a banking experience, such as using Apple’s Face ID or fingerprint authentication, as some examples, to log into myGov; and to reduce some of the questions government asks a user when linking services together.
Although the plan is to link the services together, Thorpe said the government has a “hard sell” with the average Australian when it comes to digital identity.
“Digital identity particularly in an Australian context isn’t about a national identifier, this is not about giving every Australian a number or a card they walk around with, it’s actually trying to make services easier to access,” he said, alluding to the Australia Card flop.
“But the other part we’re also looking at is the whole-of-economy piece … it’s a whole-of-economy problem we’ve got of proving who you are. So we’re building a system that deals with that particular challenge.”
The Australian government last month announced that the country’s national postal organisation had been accredited under its Trusted Digital Identity Framework (TDIF) to be a “trusted identity service provider”.
Thorpe said the DTA will soon be testing a handful of trials with Australia Post to “see how citizens and customers actually choose identity providers, when do they like Australia Post, and what kind of services are they trying to access”.
Must read: Audit finds Australia Post not effectively managing cyber risks
Australia Post joined myGovID as an accredited trusted identity provider. MyGovID was quietly launched in the app store around five weeks ago.
“We haven’t done a lot of communications around it because we’re testing it and running some pilot services … you can prove who you are online without having to go to a government shopfront,” Thorpe explained.
Those responsible for proving identity, Thorpe said, don’t actually know what services the end user is trying to access.
“A key feature of this system is the user is actually in control of their identity, it isn’t stored anywhere and they choose where their identity information is passed through to,” he said.
Thorpe confirmed the DTA is also looking at the banking sector, calling it a “massive opportunity” for the banks to play a part in ensuring there’s “utility and value”.
See also: RBA wants banks involved in Australian government digital identity solution
The DTA is trialling its digital identity play with a handful of government services, such as for applications of a Tax File Number, the Unique Student Identifier (USI), Grants Management, Youth Allowance and Newstart, and the contentious My Health Record online medical file.
Thorpe said identity on its own is fairly useless and there’s a need to make sure the end-to-end experience is easy and actually solves problems, and does not just add another layer of complexity.
“We’re also turning our minds to state and territory, local government, and obviously the banking sector as well — so [looking at] payments — and looking at how that can play a role, too,” he added. “We also recognise that identity on its own isn’t terribly useful, you need to start thinking about the other things that folk need to exchange and that’s often data, so who are you, and what do we know about you, or what things do you have.”
In a payments context, that could be Know Your Customer, or KYC. Other examples would be representing an organisation or a business.
Digital identity is like AUSkey but without the fraud
Thorpe said the problem doesn’t just extend to consumers or individuals — it also moves into the business space quite quickly.
AUSkey is a essentially a login that identifies an individual when they use participating government online services, on behalf of a business. It’s currently used by organisations in Australia.
“It’s a PKI credential, it’s been around for a very long time,” Thorpe said.
He said the DTA undertook user research to understand how organisations were dealing with identity and the old way of authenticating with government.
“What we found, apart from some UX irritants, was a whole bunch of fraud-related issues that were happening,” he said. “The way it works at the moment is that you authenticate as an organisation, seldom do we know who is behind it.”
In addition to the five pilots DTA is running in the consumer space around digital identification, the DTA is also looking at the business aspects, such as removing the need to use AUSkey and replacing it with digital identity. This would see an individual operate on behalf of an organisation using gained permissions applied to them to allow that.
How identity is verified
The Australian government will soon be progressing to the fourth phase of applying rules under its TDIF, which will be centred on biometrics.
Thorpe showed a demonstration of an individual verifying their identity through the myGovID app. Essentially, the user takes a selfie and has that live image matched against the one in their passport.
“It involves quite a lot of technology — this is a world-leading approach, we haven’t found anyone doing this yet, so there’s a lot of markets looking at how this works,” he said.
“If you remember getting your passport photo, you didn’t use a mobile phone … we’re using new tech to basically regenerate that to make sure it’s the same person.
“Your selfie is electronically checked against your passport and then discarded.
“Once it’s satisfied, then it sends something through what we call Face Verification Service which goes to our Home Affairs friends and back to the passport office that actually stores the biometric.”
See also: Committee asks for more transparency over Australia’s face-matching system
According to Thorpe, it is the strongest identity proofing that can digitally be performed at the moment.
“Key point here, we don’t store the biometric, we don’t even store the photo … the user is in complete control of their data, we only store the minimum identity attributes, and we only check what we need,” he added.
“Digital identity has come a long way in Australia, in the sense that we have a system now, we have a product that we’re testing against services — this isn’t a honeypot, there’s no national ID, and it’s all about improving services to customers and businesses.”
Touching on the success and failures of previous identification projects the Australian government has undertaken, Thorpe said this time it is different, with digital identity to be an opt-in.
“If you don’t want to do this, you can go back to a shopfront to prove who you are, but we think that a more convenient experience that you can trust is probably something people want to use,” he said.
“So we see that the more services come into this ecosystem, the more value it creates, the more partnerships we create with the private sector, the more utility it starts to provide to end users and customers, and that’s what will drive adoption verses a mandate.”