The federal government has awarded a UK company an $11 million contract to deliver biometrics technology as part of its digital identity program.
The Australian Taxation Office signed the deal with London-based iProov, worth $10.7 million and running for three years, for the “provision of liveliness solution”.
The work will see iProov integrate its biometric facial recognition technology with the ATO’s myGovID digital identity offering, with a planned public launch by the end of the year.
The technology lets a user prove they are a “live person” and are physically present while using the digital identity service. A user will be able to take a selfie and have it verified against identity documents such as their passport or driver’s licence.
An ATO spokesperson said iProov’s technology will establish myGovID to IP level 3 standard, equating to a digital 100-point check that is conducted by large institutions and organisations.
It is the second time the government has brought in a private company to deliver liveness technology. The Digital Transformation Agency awarded French firm IDEMIA a $260,000 consulting contract over 12 months in early 2018, but the government opted not to pursue this work further at the time.
The ATO’s digital identity service is a key part of the federal government’s wider digital identity project, which is aiming to provide identity verification across a range of government and private sector services.
There will eventually be a range of digital identity services on offer for users, with myGovID to be available alongside services from the private sector and state governments.
The project has received $460 million in funding overall, with the most recent federal budget last October providing $250 million for the scheme for a range of initiatives, including the incorporation of biometrics in myGovID.
This had originally been planned to be active by mid-2020, but the ATO didn’t end up going to the market for the technology until October last year, and now plans to run a public beta by mid-year.
iProov will be using its “genuine presence assurance” technology, a face verification service where users conduct a simple face scan on their mobile device as proof of identity.
The company’s technology is in use by the Singapore government, the UK Home Office and the US Department of Homeland Security.
“iProov is honoured that the Commonwealth of Australia has entrusted us with such an important task – to secure the creation of digital identities against impersonation,” chief executive Andrew Bud said in a statement.
“We are delighted that the Australian government has chosen our unique combination of inclusivity and resilience, which is already trusted by governments worldwide to authenticate citizens.”
The Digital Transformation Agency, which is leading the digital identity project, recently ran a round of consultations on legislation surrounding the scheme.
In its submission, cybersecurity firm VeroGuard Systems warned against the use of biometrics technology such as the liveness solution.
“The use of biometrics at any point of authentication introduces substantial privacy and security risks. Avoiding biometrics altogether would be a substantially better approach,” the VeroGuard Systems submission said.
“The exploitation of any biometric system can be catastrophic for users. Once compromised, a user’s biometric cannot be simply replaced in the manner of a password or PIN…in open networks relying on variable hardware and software on user devices, the risks are substantial and cannot be effectively managed.
“There are better, more secure approaches that do not require biometric data to be used.”
Security researchers last year also identified a crucial design flaw in myGovID that they said would allow an attacker to easily trick a user into handing over access to their account and all of the linked services, which will eventually include private sector offerings such as banking.
The researchers warned that Australians should not use myGovID until this flaw was fixed, but the ATO said that it is a public awareness issue rather than a vulnerability. In a further submission to the DTA, the researchers said the whole digital identity scheme should be “abandoned and redesigned from scratch” to focus on privacy and security.