Australians can now continue using two-factor authentication on their myGov accounts when overseas or out of mobile range through new one-time access codes.
But early reaction to the service has not been as positive as the Department of Human Services might have hoped.
The myGov Access mobile app - available on Android and iOS as of last month - replaces the SMS code or secret questions and answers that have until now been required with a person's username and password to log into the online service portal.
The one-time codes address an issue with SMS two-factor authentication that meant users who were unable to receive an SMS based on their network coverage faced being locked out of their myGov account.
DHS previously advised users in such situations to switch off two-factor SMS authentication prior to entering an SMS dead zone. Login then reverts to requiring responses to security questions.
Once a person has been locked out of their account, they have no option but to create a new one - myGov does not offer an account recovery feature - which has led to people operating multiple myGov accounts under the same name.
The new myGov Access app is "ideal for people going overseas or where mobile reception is poor," according to the department.
The app creates a six-digit one-time code that can be used alongside a username and password to sign into myGov. A new code is created every 30 seconds and is valid for a maximum of 60 seconds.
The app can, however, only be used on one mobile device.
"If you change your device or want to delete the app, you must first go to your myGov account settings and change your sign in options," DHS says.
Uninstalling the app risks locking the user out of their account.
A DHS spokesperson told iTnews the app had undergone a "full security assessment" prior to launch and the decision to limit it to a single device was to "ensure security is not compromised".
"The department has followed industry best practice not to allow multiple devices to generate codes for this purpose, as this increases the chances of a security vulnerability," the spokesperson said.
"Before changing devices, people can remove the app as their sign in option by logging into their myGov account."
Time-based access codes are considered more secure than SMS two-factor authentication because they avoid the potential for interception over a network. US standards body NIST deprecated out-of-band authentication using SMS or voice in 2016.
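As an added illustration (not code from DHS or the myGov Access app), the sketch below shows how a server could check a six-digit code that changes every 30 seconds and stays valid for at most 60 seconds, while refusing a code that has already been used. It assumes the standard RFC 6238 TOTP construction with HMAC-SHA1, which the article does not confirm; the function names and the shared secret (the RFC 6238 test key) are chosen for the example.

```python
import hashlib
import hmac
import struct

STEP = 30        # seconds between new codes (figure from the article)
DIGITS = 6       # code length (figure from the article)
GRACE_STEPS = 1  # also accept the previous step: 30 s + 30 s = 60 s at most

# Constructed sample secret: the published RFC 6238 SHA-1 test key.
SAMPLE_SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 code for the 30-second step that contains unix_time."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: bytes, code: str, now: int, last_used_step: int = -1):
    """Return the step the code matched, or None if it is rejected.

    Only the current and previous steps are tried, so a code stops working
    no later than 60 seconds after it first appeared. Steps at or below
    last_used_step are skipped so an accepted code cannot be replayed; the
    caller stores the returned step as the account's new last_used_step.
    """
    current = now // STEP
    for step in range(current, current - GRACE_STEPS - 1, -1):
        if step < 0 or step <= last_used_step:
            continue
        expected = totp(secret, step * STEP)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), code.encode()):
            return step
    return None


if __name__ == "__main__":
    code = totp(SAMPLE_SECRET, 59)           # generated in step 1 (t = 30..59)
    print(code, verify(SAMPLE_SECRET, code, 59))
    print("at t=89:", verify(SAMPLE_SECRET, code, 89))   # still inside 60 s
    print("at t=90:", verify(SAMPLE_SECRET, code, 90))   # expired
    print("replay :", verify(SAMPLE_SECRET, code, 59, last_used_step=1))
```

Because both sides derive the code from a shared secret and the clock, nothing has to travel over the mobile network at login time.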
DHS said it had no intention to remove SMS 2FA completely.
Criticised in early reviews
However, early reviews of the service are mixed, at best.
Users have complained that the app locks the individual to the device it is downloaded on, causing problems if they move to a new device, or if their device needs to be reset.
Others questioned why the feature - which many noted was an improvement on SMS 2FA - had not been integrated into the existing myGov service, rather than as a standalone application.
Many also raised issues with bugs in the user interface.
The agency first added two-factor authentication through SMS to myGov in 2015 following calls from security experts to better protect the sensitive information stored within.
MyGov offers users access to a range of government services and a single inbox for messages from Centrelink, the ATO, Medicare, and Human Services.
Updated 7:45pm AEDT to include DHS comment