The Australian Taxation Office (ATO) is looking to introduce a "liveness" feature to myGovID, the Australian government's digital identity credential.
The agency, which handles myGovID, has gone to market seeking a supplier to deliver a software solution that will allow people who are registering to prove they are a live person and physically present, as well as allow them to take a selfie to verify their identity against a stored identity document, such as their passport or driver's licence.
The ATO quietly released the app last year to enable citizens to have their identity verified once so they could access government services online using their verified identity, rather than having to continually be verified by each Commonwealth entity.
The ATO emphasised that the successful contractor would need to adhere to strict security guidelines. These include delivering security management and governance functionality in accordance with the Australian Cyber Security Centre (ACSC) Information Security Manual and the Essential Eight mandatory requirements, providing an authenticated log-on for individual ATO users, and configuring its IT systems and environments to respond effectively to the latest threats.
Additionally, the ATO said the supplier must utilise securely configured cryptographic data transmission protocols and algorithms to transfer information across untrusted networks, and be able to control the connection of peripheral devices to IT systems that store, process, or transfer ATO information.
Last week, it was revealed that the default login option on myGovID for agents used by the ATO was vulnerable to a code replay attack.
In a blog post, security researchers Ben Frengley and Vanessa Teague described how an attacker could use a malicious login form to capture a user's details, which the attacker could then use to log in to other accounts held by the myGovID user.
The pair said they informed the Australian Signals Directorate of the issue on August 19, and were told by the ATO that "they did not intend to change the protocol, at which point we immediately informed them that we would make a warning to users public".
A spokesperson for the ATO said the flaw was not a "security vulnerability of the myGovID solution or application" and that it can be used against login procedures including "passwords, SMS, physical code generators, and mobile apps codes".
"The approach identified by the researchers, to scam a user by redirecting them to a malicious phishing website requesting credentials, is a well-known and common challenge across authentication systems and is not unique to the myGovID platform," the spokesperson said.