myGov digital ID integration in limbo as DTA misses target rollout date

The Digital Transformation Agency has pushed back the rollout of the government’s new digital identity credential on the myGov online services portal after a pilot highlighted problems with the integration.

Last year, the agency’s head of digital identity Jonathon Thorpe said the myGovID credential would replace myGov’s existing two-factor authentication system before the end of the 2019-20 financial year.

myGovID, which is offered by the Australian Taxation Office, allows citizens to create a digital identity that can be reused across a range of online services and will be the government’s go-to identity credential moving forward.

It currently works like a digital equivalent of the 100 point ID on a number of services, with citizens able to verify identity documents like passports, driver’s licences and Medicare cards in real-time.

Funding for the integration was provided last year as part of a $67.2 million package for the ATO, Services Australia and the DTA to accelerate the development of the government's broader GovPass digital identity ecosystem. 

However, despite completing a myGov digital identity pilot in May, where 149 people used myGovID as a means to access myGov, the DTA wouldn’t recommit to the credential becoming a log-in option before July 1 when asked last month.

At the time, the agency said it and Services Australia were still considering the insights from the month-long pilot, which would inform “the next steps before a fully public integrated system is released”. 

But iTnews can now reveal that the agency, having missed its target of before July 1, has delayed the broader public release of myGovID on myGov after the pilot “highlighted the need for some additional features to enhance the user experience”. 

“Due to increased pressures and surging demand for government services, the decision was taken to delay a broader rollout of this functionality until later this year. This will allow critical resources to focus on the government’s response to COVID-19,” a DTA spokesperson said.

The spokesperson said that the pilot, which involved testing a users’ ability to link a digital identity such as myGovID or Australia Post’s Digital iD with their myGov account and then log in, had raised several concerns.

“The findings highlighted that some changes will be required to improve the usefulness and simplicity of the offering,” the spokesperson said.

“These include the remediation of some system integration errors, changes to content to better support the understanding of the process and changes to the way names are captured and shared across services.”

The agency is also yet to settle on a vendor to support the "liveness detection" component of myGovID, which has now been publicly available to citizens through the Apple App Store and Google Play Store for 12 months.

The platform’s facial recognition - or liveness detection - component that will enable citizens to access more confidential services under what the DTA calls identity proofing level three (IP3) that require a proof-of-life test.

According to the government’s trusted digital identity framework, IP3 provides “high confidence in the claimed identity and is intended for services with a risk of serious consequences from fraud”.

But despite having tested liveness detection software, including from IDEMIA, since September 2018, the DTA would not say whether a final vendor had been chosen to support myGovID.

“The DTA is unable to comment as the process is currently underway,” the spokesperson said.

This is despite Government Services Minister Stuart Robert claiming at last week’s address to the National Press Club that facial recognition functionality will become available through myGovID in September. 

“Our intent by the end of the year is to step it up a notch into a facial biometric or facial authentication service, so it'll authenticate against a driver's licence and the passport office will already have your photograph,” he said in his answers to questions.

“And that'll allow you to securely connect and authenticate through to a service, so you won't need to worry about forgetting a credential, changing a phone number, or anything else; you'll simply use the native biometric on a phone ... and then authenticate through your phone.”

The spokesperson also indicated that the DTA was yet to begin publicly testing the liveness detection component of myGovID, as chief digital officer Peter Alexander said would happen by mid-2020.

“Testing to date has focused on security requirements and user experience, a broader testing approach will be undertaken once the procurement of the liveness vendor and build work for myGovID have been completed,” the spokesperson said.

More than 1.4 million myGovID identities have been created to date.