‘More secure than any credential’: ATO plays down myGovID security concerns
From security concerns to clashes with workplace policies, the transition to myGovID has caused a few headaches within the profession, but the ATO believes worries are misplaced.
As the profession prepares for the move to myGovID, a number of common concerns have been raised, namely the security of myGovID and how users’ identities will be kept safe, and how mandating the use of a mobile phone conflicts with some firms’ workplace practices.
Speaking to Accountants Daily, ATO deputy commissioner and chief digital officer John Dardo said the Tax Office had undertaken various rounds of consultation with the industry and understood the different concerns.
On the security front, despite being unable to disclose the rigorous testing process due to industry safeguards, Mr Dardo was adamant that practitioners would have little to be worried about.
“This is more secure than any credential that has ever been made available to the practitioner community in the past and it certainly is more secure than email and SMS second factor [authentication],” Mr Dardo said.
“[However], the user stuff is out of our control — if somebody has a mobile device and they start to enrol the thumbprints and fingerprints of their whole street, we can’t control that.
“As long as the user is doing the right things, this is by far the most secure credential we’ve ever built.”
Turning to the use of mobile devices in the workplace, Mr Dardo said that because myGovID is only supported on compatible smart devices, firms might need to change their workplace policies.
He noted the two extremes the ATO had heard in its consultation with the industry.
“One extreme, and some of the big practices have told us this, including almost everyone in the big four, is that if they don’t trust their staff enough to have a mobile phone in the workplace, they don’t employ them and it is a really simple threshold for them, and that’s our policy in the ATO as well,” Mr Dardo said.
“The other extreme is that ‘we don’t trust our staff and we don’t let them have a phone in the workplace because it is unprofessional’, and our response to them is we get it, but you’re going to have to change your business practice.”
Mr Dardo also stressed that the mobile phone would only be required in the log-on step.
“This is just the key to get in. If you are maintaining activity on that device, you don’t use the key again until there’s a 25-minute lapse in activity,” he said.
“As long as their computer is not lapsing every 25 minutes, they are not going to be using the key again until maybe after lunchtime or after an appointment — they might be using it four or five times a day, but they are not going to be using it 16 times in a day.
“They only need it to key in and they can chuck the phone back in their drawer or back in their bag and keep working — they don’t have to look at their phone every minute.”