Researchers want Australia's digital ID system thrown out and redesigned from scratch

Researchers find myGovID is subject to an easily-implemented code proxying attack, while the digital identity solution from Australia Post does not possess a fundamental requirement for accreditation.
Written by Asha Barbaschow, Contributor

Researchers have recommended the Australian government abandon its existing digital identity system and start again from scratch, highlighting again security flaws in two of the systems already accredited.

Professor Vanessa Teague and Ben Frengley last year disclosed to the Australian Taxation Office (ATO) a weakness in its myGovID system. They found myGovID is subject to an easily implemented code proxying attack, which allows a malicious website to proxy a person's myGovID login and re-use their authentication to log in to the victim's account on any website of their choice.

The pair said the ATO, in response, informed them of having no intentions to fix the flaw.

The Digital Transformation Agency (DTA) is responsible for the Trusted Digital Identity Framework (TDIF), which is a high-level design for a federated authentication system.

"The primary security goal of an authentication mechanism is to prevent malicious parties from logging in fraudulently to others' accounts. A secondary security goal is to maintain the privacy of the identity proof documents and biometric data used to establish identity," the researchers wrote [PDF].

"Neither the TDIF's high-level design, nor its implementation by the ATO (myGovID) meet their intended security goals."

myGovID is an accredited digital ID provider, as is Australia Post's equivalent identity service. Teague and Frengley have identified flaws in the postal service's system, too.

The Identity Exchange (IdX), the researchers said, acts as a single point of failure for both privacy and authentication, resulting in an "extremely brittle architecture that would allow for large-scale identity fraud if that one component came under the control of a malicious party".

They said the IdX is intended to hide the identity of the relying party from the identity provider, but fails to do this in the ATO's implementation. Of concern to both is that the implementation of the TDIF in Australia Post's Digital iD does not even appear to use an IdX at all, which is the fundamental component of the TDIF's design.

"Although we have not examined Australia Post's implementation in detail, it seems to diverge substantially from the TDIF specification, but has apparently been accredited anyway," they added.

"The TDIF as currently designed and implemented does not meet its own guiding principles -- it is not immediately obvious that a brokered model without technical means to preserve privacy even can meet them."

As a result, the researchers have recommended a "careful re-evaluation of the priorities of the TDIF", and a consideration of other options which may meet its goals.

Alternatives the pair have offered up include the use of a public key infrastructure-based system or the use of a simple, standard, pairwise OpenID Connect protocol instead of a "complex brokered model with poor privacy and security properties".

"The system should be abandoned and redesigned from scratch by people with some understanding of secure protocol design and some concern for protecting their fellow citizens from identity theft," they wrote.

"Legislating to make it secure by fiat will not stop organised crime, foreign governments, or ordinary criminals, from taking advantages of its design flaws. A public key infrastructure is much more likely to succeed."

The researchers were also concerned with a paragraph in the DTA's consultation paper that states the resulting digital ID legislation will include additional mechanisms, including penalties for protecting information used in the system, such as biometric information.

These mechanisms could include criminal offence provisions and civil penalty provisions.

"There are numerous Australian laws that do effectively penalise protecting information, but this is the first time we have seen the objective stated explicitly without invoking terrorists or paedophiles," Teague and Frengley wrote.

"We hope this is a typo, and strongly suggest penalising the inappropriate sharing or negligent leaking of information instead.

"It is important not to criminalise security research aimed at improving the system's security by openly examining its (numerous, serious) weaknesses."


Editorial standards