The Australian Taxation Office (ATO) hopes to have struck enough of a balance between security and usability to keep its newest digital authenticator, AUSkey, in use for years to come.
AUSkey last month replaced ATO Digital Certificates, which operated from 2005 and replaced the 2002 Business Authentication Framework.
It will be used by 11 other government agencies besides the ATO, including the Australian Business Registry (ABR), State and Territory Revenue Offices, and Australian Securities and Investments Commission (ASIC).
Like Digital Certificates, AUSkey is a form of soft digital PKI (public key infrastructure), where a 1024-bit, ABR-issued private key is installed on users' computers, servers or USB devices.
ATO assistant commissioner Bettina Konti said software-based PKI was chosen from seven methods that were researched and risk-assessed by the ATO. Other options that were canvassed include: username and password; one-time password (OTP) tokens; OTP over SMS; hardware-based PKI; shared secret; and biometrics.
Software-based PKI was deemed sufficiently secure while addressing user demands of a "real-time registration process", Konti told iTnews, citing an ATO survey of 376 businesses and intermediaries.
"We have deliberately designed AUSkey to strike a balance between usability and security," she said. "The registration process is no less strong [and] no less secure than ATO Digital Certificates."
As both AUSkey's predecessors were deemed too clunky and difficult to obtain, Konti said the ATO had done away with "noise" that caused Digital Certificates to take days to issue.
Physical and e-mail addresses would no longer be required as proof of identity, she said, since these were often publicly available, and were problematic when ATO records were not kept up to date.
AUSkey relied on more permanent information like a user's full name, date of birth and tax file number, as well as an online process by which the business administrator - such as a CEO or CFO - could vouch for his or her identity.
AUSkey is part of the Government's Standard Business Reporting (SBR) initiative, which addresses recommendations of its 2005 Taskforce on Reducing the Regulatory Burdens on Business.
Paul Madden, the Treasury's SBR program director, told iTnews that the Government has been working closely with some 240 members of the ATO's Software Developers Consultative Group to deliver AUSkey and implement the XBRL standard by 1 July.
SBR software is built on SSL transport layer security, the Security Assertion Markup Language (SAML), and the SOAP 1.2 messaging framework with WS-Security, he said.
The Government also has released a 'software developers kit' so that developers may enable Microsoft- or Java-based financial, accounting or payroll software to communicate directly to the government.
Once fully implemented, the Treasury expects SBR to reduce the cost of reporting to Australian businesses by an estimated $800 million per year.
Adoption of SBR is voluntary, and while the Government hopes for a widespread uptake, it has been unable to support Linux systems for AUSkey, which may be installed on Mac OS X, Windows Server 2003 and 2008, and Windows XP, Vista and 7 operating systems.
"Tax operating systems don't formally support Linux systems ... It's a bit cost-prohibitive [to develop for Linux] when it's such a small component of users," Konti told iTnews, estimating Linux users to comprise only one percent of Australian business users.
"We're in production now and are getting some good feedback," she said of AUSkey. "Ultimately, businesses will determine the usage and longevity of AUSkey."