The Reserve Bank of Australia (RBA) recently confirmed the first version of a framework for a new federated identity credential known as ‘TrustID’ has been completed. It will be compatible with GovPass, the government’s equivalent identity credential based on a framework being run by the Digital Transformation Agency (DTA).
It’s one of a flurry of new measures being introduced by Government at both state and federal levels in an attempt to digitise and harmonise the authentication and identity verification process for our most sensitive information.
Other such movements include the go-live of the digital driver’s licence in NSW, and the inroads into mass facial scanning made by the proposed Identity-matching Services and Passports Amendment Bills.
Although I commend government for looking to streamline authentication processes for Australians by accessing their services through the TrustID framework, the security of users’ credentials could be compromised by the way the framework is currently defined.
The TrustID initiative looks to implement Single Sign-On, or SSO, allowing a single credential to be used across multiple enterprise and government accounts to authenticate a user’s identity. While this eliminates the burden of managing multiple log-ins, the system has the potential to be better than it currently is.
There’s more to security than passwords
The overarching concern rests with the current way TrustID has been defined in order to be compatible with the government’s identity credentials. How so? The lowest common security denominator: the password.
While there are industry standards for securing credentials, how they are met differs greatly. Not only are passwords the most basic security measure, we also know they are the most compromised, and the level of security of TrustID will reflect this design decision.
According to haveibeenpwned.com, there are currently 8.5 billion compromised credentials available on the internet, which contain over 555 million unique passwords. This means most people will have a credential that is already compromised, and that might be the very one they associate with their financial or government institutions.
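The practical defence against that statistic is to check a candidate password against a breach corpus at registration and at every password change, without ever sending the password (or its full hash) to the checking service. The following is an added example, not code from the article or from haveibeenpwned.com: it implements the hash-prefix (k-anonymity) lookup that the Pwned Passwords service uses, against a small constructed corpus embedded inline so it runs offline. The plaintexts and counts in the corpus are made up for the example, and the `serve_range` function stands in for the remote service.

```python
import hashlib
from collections import defaultdict

# Constructed breach corpus for the example: plaintext -> number of times seen.
# The counts are invented and are NOT haveibeenpwned's figures.
CONSTRUCTED_CORPUS = {
    "password": 3_000_000,
    "123456": 20_000_000,
    "qwerty": 1_500_000,
    "letmein": 200_000,
}

PREFIX_LEN = 5  # the lookup sends only the first 5 hex chars of the SHA-1 (20 bits)


def sha1_upper(text: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 encoded text (the format breach lists use)."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: group hashes by their 5-char prefix so a 'range' can be served."""
    index = defaultdict(dict)
    for plaintext, count in corpus.items():
        digest = sha1_upper(plaintext)
        index[digest[:PREFIX_LEN]][digest[PREFIX_LEN:]] = count
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_CORPUS)


def serve_range(prefix: str):
    """Server side (stand-in for the remote service): return every 'SUFFIX:COUNT'
    line whose hash starts with prefix. The server only ever learns the prefix,
    which is shared by many unrelated passwords, so it cannot tell which one the
    client is checking."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return [f"{suffix}:{count}" for suffix, count in sorted(RANGE_INDEX.get(prefix, {}).items())]


def breach_count(candidate: str) -> int:
    """Client side: hash locally, send the prefix, match the suffix locally.
    Returns how often the candidate appeared in the corpus (0 = not found)."""
    digest = sha1_upper(candidate)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in serve_range(prefix):
        line_suffix, _, count = line.partition(":")
        if line_suffix == suffix:
            return int(count)
    return 0


def is_acceptable(candidate: str) -> bool:
    """Policy hook for a registration or password-change form: reject anything
    that has appeared in a known breach, however many times."""
    return breach_count(candidate) == 0


if __name__ == "__main__":
    for pw in ("password", "letmein", "an unusual passphrase with 7 words in it"):
        print(f"{pw!r}: seen {breach_count(pw)} times, acceptable={is_acceptable(pw)}")
```

The check belongs at the point where a credential is set, not only at login; a credential that is already in a public dump should be refused before it is ever bound to a financial or government account. Because the lookup is keyed on a short prefix, a single range response covers hundreds of unrelated hashes in a full-size corpus, which is what keeps the queried password private from the service.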
Unfortunately, the inherent risks associated with a reliance on passwords and PINs have been shown too often recently. Just this year Westpac, Queensland Health, and the Department of Parliamentary Services have all suffered data breaches.
If TrustID’s SSO system were in place, each of these data breaches could potentially have afforded fraudsters access to any number of connected accounts.
The solution is three factor authentication
The key to solving the TrustID imbalance is to double down on reducing identity fraud. One of the key ways to make this happen is for the Government to deploy a trusted and proven security measure: Three Factor Authentication.
The most effective combination of Three Factor Authentication in fraud prevention is: something the consumer knows, such as a password or PIN; something the consumer physically has access to, such as their registered device; and something they actually are: biometric information such as a face or voice print.
Biometrics represents a new era of identity security, as it’s the only part of the credential that proves the person with the device is actually the human being that is authorised to transact on that account.
I believe it’s only a matter of time before more Government departments take note of the highly sophisticated security authentication biometrics affords.
Ultimately, I do support any move towards convenience for Australians to access government and corporate services, but it can never, and should never, be at the expense of security.
Michael Steinmann is Director of Regional Technology at Nuance Communications, Australia/New Zealand