The framework governing the federal government’s $200 million digital identity program is “very vague” and “counter-intuitive” and more design flaws will likely be found, according to the security researcher who revealed a potential vulnerability in the system this week.
GovPass is the federal government’s overarching digital identity program and is being led by the Digital Transformation Agency. It has cost more than $200 million as of the start of this year and is still in beta phase, more than five years after it was launched.
GovPass consists of four key elements: the Trusted Digital Identity Framework (TDIF), the central gateway, the digital identity providers, and the connected services. There are currently two publicly funded digital identity providers that have been accredited by the DTA – the Australian Taxation Office’s myGovID and Australia Post’s offering.
Earlier this week Thinking Cybersecurity chief executive and Australian National University adjunct professor Vanessa Teague and University of Melbourne post-grad student Ben Frengley went public with a “critical design flaw” they had discovered in myGovID.
According to the researchers, this flaw would allow a malicious actor to easily gain access to a user’s myGovID account and the connected services through a scam replica website, requiring the user to enter only their email rather than their password.
This is due to what the researchers labelled a “counter-intuitive” protocol where a myGovID user never has to enter their password on the website they are attempting to log into, but rather just a 4-digit code on the app on their phone.
When notified of the issue, the ATO declined to patch it, saying it was no different to a traditional phishing scam and a matter for public awareness.
The myGovID flaw typifies some of the other issues with the GovPass scheme, Prof Teague said, and specifically the TDIF, a number of documents setting down the framework for the digital identity program.
Prospective digital identity providers have to be accredited against the TDIF, which sets out a number of security and privacy requirements.
But Prof Teague said this framework is “very vague” and leaves too much up to the providers.
“It leaves a lot of detail to the implementer. That’s the opposite of what a well-defined standard should be. The option standards and vague descriptions of how it might be done leave a lot open to the implementer to potentially make a mistake,” Prof Teague told InnovationAus.
“I don’t think this is the last thing people will find about the TDIF.”
The TDIF is “based upon” the international standard OpenID Connect 1.0 and is “consistent” with the International Government Assurance Profile for OpenID Connect 1.0, the agency has said.
But it doesn’t stick exactly to this open and internationally accepted standard, Prof Teague said.
“It implements something a little similar to the OpenID Connect standard, but not quite. That ought to make you nervous to think that the DTA has taken an existing open standard quite carefully designed and then implemented something kind of similar,” she said.
“It has to be carefully designed by people who know what they’re doing and over a long period of time.
“I think they made a mistake. They should have implemented an existing standard. They should implement a real open standard that already exists. They shouldn’t have made up their own in the first place.”
Private companies will soon be able to become accredited under the TDIF, with the document updated this year to accommodate the expansion. The Coalition will still have to pass legislation facilitating the scheme being opened up to the private sector.
The government has spent more than $200 million on the GovPass scheme, which will eventually be a whole-of-government federated ecosystem of digital identity providers and services.
There are plans in the works for myGovID to be integrated with myGov, and the service replaced AUSkey earlier this year.
But the two security researchers said Australians shouldn’t use myGovID unless they have to until the design flaw is fixed.
In response to the public release of the myGovID flaw, the ATO, which had been notified of it last month, said it was a standard phishing attack.
But Mr Frengley, who discovered the flaw with Professor Teague, said what they had identified is different because the user never has to give away anything secret to the attacker, and the myGovID app itself confirms the legitimacy of the login attempt on the user’s smartphone.
This goes against what most people have been taught about online safety, he said, and an easy fix would be to show what service the user is attempting to log into on the app.
“The attack doesn’t require the victim to give any secrets to an untrusted party. They only provide their credentials to the trusted, uncompromised myGovID app, which actively confirms they’re involved in a valid login attempt. Everything is okay – except it’s not,” Mr Frengley tweeted.
“The part of the myGovID system users expect to be most trustworthy actively betrays them. All it needs to do to avoid this is tell the user what service they’re logging into – but, like the ATO say, the TDIF doesn’t allow that.”
Despite this claim, Mr Frengley pointed out that Australia Post’s digital identity service, which is also accredited under the TDIF, does tell users what they are logging into in its smartphone app.
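The design point the researchers make (that an app which asks only for a short code, without naming the service requesting the login, gives the user nothing to verify) can be shown with a small protocol model. The following is an added, constructed example and not myGovID’s, the TDIF’s or Australia Post’s code: the identity provider, the origins `GENUINE` and `IMPOSTOR`, the `show_relying_party` switch and the user’s decision rule are all assumptions made for illustration. It runs the same email-plus-code flow twice, once with the app silent about the relying party and once with the app naming the registered origin that actually opened the login, so the user can compare it against the browser’s address bar.

```python
"""Toy model of an app-confirmed login. All names, origins and the approval
rule are constructed assumptions for illustration, not a real implementation."""
from dataclasses import dataclass, field
import secrets


@dataclass
class PendingLogin:
    relying_party: str  # registered origin of the service that opened the login
    code: str           # one-time 4-digit code the service shows in the browser


@dataclass
class IdentityProvider:
    """Identity provider whose phone app confirms logins with a short code.
    `show_relying_party` toggles the mitigation discussed in the article."""
    show_relying_party: bool
    pending: dict = field(default_factory=dict)

    def start_login(self, relying_party: str, email: str) -> str:
        """A registered relying party asks to log `email` in; returns the
        code that the relying party must display in the browser."""
        code = f"{secrets.randbelow(10_000):04d}"
        self.pending[email] = PendingLogin(relying_party, code)
        return code

    def app_prompt(self, email: str) -> dict:
        """What the phone app shows the user before asking for the code."""
        prompt = {"message": "Enter the 4-digit code shown on the website"}
        if self.show_relying_party:
            prompt["relying_party"] = self.pending[email].relying_party
        return prompt

    def app_confirm(self, email: str, code: str) -> bool:
        """Approve the pending login if the code matches. This check is the
        same with or without the mitigation: the code alone carries no
        information about which site the user is looking at."""
        req = self.pending.pop(email, None)
        return req is not None and secrets.compare_digest(req.code, code)


def user_approves(prompt: dict, browser_origin: str) -> bool:
    """Constructed user decision rule. If the app names the relying party,
    the user approves only when it matches the origin in the address bar.
    If it names nothing, the user has nothing to check and can only approve."""
    shown = prompt.get("relying_party")
    if shown is None:
        return True
    return shown == browser_origin


def run_login(idp: IdentityProvider, browser_origin: str,
              requesting_origin: str, email: str = "user@example.com") -> bool:
    """Simulate one login. `browser_origin` is what the user sees in the
    address bar; `requesting_origin` is the registered origin that actually
    opened the login at the identity provider. Returns True if approved."""
    code = idp.start_login(requesting_origin, email)
    prompt = idp.app_prompt(email)
    if not user_approves(prompt, browser_origin):
        idp.pending.pop(email, None)  # user declines, so nothing is confirmed
        return False
    return idp.app_confirm(email, code)


GENUINE = "https://service.example.gov"    # constructed genuine origin
IMPOSTOR = "https://service-example.test"  # constructed look-alike origin

if __name__ == "__main__":
    for show in (False, True):
        idp = IdentityProvider(show_relying_party=show)
        legit = run_login(idp, GENUINE, GENUINE)
        spoofed = run_login(idp, IMPOSTOR, GENUINE)
        print(f"app names relying party={show}: "
              f"genuine site approved={legit}, look-alike site approved={spoofed}")
```

The outcome that matters is the second column: with `show_relying_party=False` the look-alike case is approved because the prompt is identical in both cases, and with `show_relying_party=True` the user sees an origin that does not match the address bar and declines. The model also makes clear that naming the service is only a mitigation, not a proof of anything: it relies on the user actually comparing the two origins, which is why the researchers describe it as a fix to the app’s presentation rather than to the code-entry step.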