How should governments respond to identity on the web?
Today Troy Hunt (a fellow MVP) was quoted in the Sydney Morning Herald in relation to an article about myGov (http://my.gov.au), which is a portal for Australian citizens to access Medicare, eHealth, Centrelink, Child Support and NDIS records. The basic premise of the criticism is that myGov doesn’t support two-factor authentication (2FA), and that this represents a security concern.
Later, a conversation between technology professionals on Twitter speculated about how passwords are stored within the myGov database. Personally I would be extremely surprised if the cornerstone of the Australian Government’s online strategy stored user passwords in plain text instead of as a salted hash, but this might be foolish optimism on my behalf. It would be great if someone in the know could actually confirm this, and then perhaps explore the 2FA topic that Troy and others have raised.
I believe that any 2FA implementation would need to be “recommended but optional”. 2FA requires a second factor, typically a device that generates a one-time code which is supplied along with your username and password. For some users having this additional device might pose a challenge; there are still people in Australian society who do not have access to mobile phones, let alone smartphones. Making 2FA optional allows those citizens to scale their security to what is within their means. Alternatively, the government could provide dedicated token generators on request if it wanted to make 2FA mandatory (I’d personally still want to use my phone).
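To make the two points above concrete, here is an added example (not code from the original post, and not how myGov actually works): a minimal credential store that keeps a per-user random salt and a PBKDF2-HMAC hash rather than the plaintext password, plus an optional second factor of the kind a phone app or hardware token generates, implemented as RFC 6238 TOTP over RFC 4226 HOTP. The user names, passwords, the PBKDF2 iteration count and the fixed timestamps are assumptions chosen for the example; a user with no enrolled secret logs in with the password alone, which is the “recommended but optional” model.

```python
# Added example, not code from the original post or from myGov. Shows (1) why a
# leaked table of salted hashes is not a leaked table of passwords and (2) how
# an optional TOTP second factor is generated on a device and checked server-side.
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # assumption: OWASP's 2023 figure for PBKDF2-HMAC-SHA256
TOTP_STEP = 30               # seconds per code (RFC 6238 default)
TOTP_DIGITS = 6
TOTP_WINDOW = 1              # accept one step either side to tolerate clock drift


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest). A fresh 16-byte salt per user means two users with
    the same password get different digests, so one precomputed lookup table
    cannot be used against the whole database."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)  # constant-time comparison


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is what the device computes."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // TOTP_STEP)


def verify_totp(secret: bytes, code: str, at: Optional[float] = None) -> bool:
    """Server-side check. The window handles a phone whose clock is a few seconds off;
    widening it beyond a step or two just hands an attacker more valid codes."""
    if at is None:
        at = time.time()
    counter = int(at) // TOTP_STEP
    for delta in range(-TOTP_WINDOW, TOTP_WINDOW + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            return True
    return False


def make_user(name: str, password: str) -> dict:
    """Constructed user record: salt and digest are stored, the password is not.
    totp_secret stays None until the user opts in to 2FA."""
    salt, digest = hash_password(password)
    return {"name": name, "salt": salt, "hash": digest, "totp_secret": None}


def enroll_totp(user: dict) -> bytes:
    """Generate and store a 160-bit shared secret; the same bytes go to the user's device."""
    user["totp_secret"] = os.urandom(20)
    return user["totp_secret"]


def login(users: dict, name: str, password: str,
          code: Optional[str] = None, at: Optional[float] = None) -> bool:
    user = users.get(name)
    if user is None:
        hash_password(password, b"\x00" * 16)  # burn a hash so unknown names are not faster to reject
        return False
    if not verify_password(password, user["salt"], user["hash"]):
        return False
    if user["totp_secret"] is None:
        return True  # 2FA not enrolled: password alone is accepted (optional model)
    return code is not None and verify_totp(user["totp_secret"], code, at)


if __name__ == "__main__":
    # Constructed demo: alice has no second factor, bob has enrolled one.
    users = {"alice": make_user("alice", "correct horse"), "bob": make_user("bob", "hunter2")}
    bob_secret = enroll_totp(users["bob"])
    print("alice, password only:", login(users, "alice", "correct horse"))
    print("bob, password only:  ", login(users, "bob", "hunter2"))
    print("bob, with device code:", login(users, "bob", "hunter2", totp(bob_secret)))
```

The HOTP and TOTP routines reproduce the published test vectors for the secret `12345678901234567890` (for example counter 1 gives `287082`, and Unix time 59 gives the same code because 59 // 30 is 1), so the device and server halves can be checked against each other without a phone in hand.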
Stepping back a bit, I think there is a much more interesting question about identity on the web and the government’s response to it. On one hand I really want myGov to be secure; on the other I would like it somewhat open, so that as a developer I can create an application that can acquire a verified identity from users. Imagine a local council being able to significantly automate its processes by allowing residents to file paperwork by signing forms with an OAuth-based flow that jumps out to myGov to gather scoped personal information and perform non-repudiation tasks.
Such a capability would necessarily require a very stringent security audit of the myGov platform before it was opened up, along with the creation of a community of developers who know how to work with the various APIs the myGov platform provides.