ATO re-tenders for myGovID anti-spoofing facial recognition software

The Australian Taxation Office has gone back to the market to find a facial recognition solution to underpin the government’s myGovID digital identity credentialing app.

The national revenue agency issued a tender for a 'liveness' solution late last week, more than two years after the Digital Transformation Agency first sought to test such a mechanism.

It means a public beta of the app’s facial recognition component will now not take place until September 2021.

Liveness detection, or a proof-of-live test, is required for myGovID to move past being simply a digital equivalent of the 100 point ID check.

While the app can currently be used to create a digital identity and to log into a limited range of online government services, more confidential services require a higher identity proofing level.

The DTA calls this identity proofing level three (IP3), which provides “high confidence in the claimed identity and is intended for services with a risk of serious consequences from fraud”.

All government services are expected to be available through online channels by 2025, making liveness detection central to the government's digital vision.

The DTA and ATO had been testing liveness detection software from IDEMIA since September 2018 after tendering for it in March 2018.

The ATO has also conducted a liveness proof-of-concept with myGovID users using software from vendors iProov and FaceTec.

Tender documents released on Friday now indicate a vendor will be found by Christmas, with a contract of up to seven years on offer.

The ATO said the new liveness detection software will “allow the person to take a ‘selfie’ which will then be used to verify their identity against a stored identity document”.

It will also “prove the person registering is a live person and physically present” in a bid to prevent the creation of fraudulent digital identities.

The vendor will be responsible for the “ongoing management of the licenced software”, including any updates and support, while the ATO takes on integration duties.

Any hosting of the software will be done by the ATO on Amazon Web Services, as is the case with the rest of myGovID.

The ATO plans to spend the first half of next year building the IP3 solution, which will involve the integration of the liveness software, before a private beta in June 2021.

Submissions to the tender will close on October 20.

Last week, researchers warned Australians not to use myGovID due to an implementation flaw in the login system that they said could see attackers gain full access to their accounts. 

The ATO, who have described the so-called flaw as a scam that could apply to most online login systems, told the researchers that it did not intend to change the protocol.