UNCLASSIFIED
Multi-factor Authentication / POSITION PAPER / November 2018
Multi-factor Authentication
Draft Position Paper
For more information on this position paper, email

This paper sets out the key factors in the approach to implementing multi-factor authentication (MFA), increasing trust and certainty in the identity, authentication and authorisation of the end user consuming services through software.

Introduction

  1. It is increasingly recognised that we have a collective responsibility to be confident that we know who we are dealing with, and that the people interacting with us are using credentials that appropriately represent who they are and what they are authorised to do.
  2. We are witnessing increasing cybercrime risk, and recognise the key role a multi-factor authentication mechanism can play in mitigating that risk.

Key considerations

  1. The Digital Transformation Agency (DTA) is developing the Trusted Digital Identity Framework (TDIF) solution. TDIF will establish the overarching requirements, structure, governance arrangements and interoperable standards for a trusted Australian digital identity system to ensure it is scalable, secure, simple to use and fair. The ATO is developing an identity and authentication solution (AUSid) which will be accredited under the TDIF.
  2. The authentication factors that make up an MFA request must come from two or more of the following categories:
     • something you know (eg a personal identification number (PIN)/passphrase, or a response to a challenge)
     • something you have (eg a physical token, smartcard or software-based certificate)
     • something you are (eg a voice biometric, fingerprint or iris scan).
     Two authenticators from the same category (eg a passphrase and a secret question, both 'something you know') do not constitute MFA.
  3. There is a need for industry and the ATO to agree on a minimum acceptable MFA standard. This standard is expected to harden and evolve over time.
  4. There is a need to harden the security of the ecosystem, particularly at the front end. Part of this will be strengthening the 'Know Your Client' (KYC) capability. KYC will help ensure we know who we are dealing with, and that we have a sufficient level of certainty in who we are dealing with. It is incumbent upon all parties within the ecosystem, including the ATO and DSPs, to take collective responsibility for strengthening the identity and authentication processes for our clients.
  5. The MFA focus group established that, for machine-to-machine transactions, whilst a user is not involved in the transaction(s), the identity of the user who created and is responsible for the credential used to 'secure' the transaction should be known and verified to the level outlined in the TDIF. This interaction would be recorded for audit purposes, but the identity attributes of the user would not be passed through in each transaction.
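The factor rule in the key considerations above can be checked mechanically, and the check is where implementations most often go wrong. The following is an added example written for this page; it is not ATO, AUSid or TDIF code. The authenticator type names, the `Authenticator` record shape and the sample requests are assumptions made for illustration. It shows the two cases the rule is meant to exclude: two authenticators from the same category (a passphrase plus a secret question, both 'something you know') are not MFA, and an authenticator that was presented but never actually verified does not count towards the minimum.

```python
# Added example for this position paper (not ATO, AUSid or TDIF code).
# It applies the "two or more distinct factor categories" rule: a request
# that presents several verified authenticators is MFA only when they span
# at least two of know / have / are.  The authenticator type names, the
# Authenticator record and the sample requests below are assumptions.
from dataclasses import dataclass
from enum import Enum
from typing import Iterable


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


# Assumed classification of authenticator types into factor categories.
AUTHENTICATOR_FACTOR: dict[str, Factor] = {
    "passphrase": Factor.KNOW,
    "pin": Factor.KNOW,
    "challenge_response": Factor.KNOW,   # eg a secret question
    "hardware_token": Factor.HAVE,
    "smartcard": Factor.HAVE,
    "software_certificate": Factor.HAVE,
    "voice_biometric": Factor.ARE,
    "fingerprint": Factor.ARE,
    "iris_scan": Factor.ARE,
}


@dataclass(frozen=True)
class Authenticator:
    kind: str        # key into AUTHENTICATOR_FACTOR
    verified: bool   # True only if the verifier actually checked it


def factor_categories(presented: Iterable[Authenticator]) -> set[Factor]:
    """Distinct factor categories covered by the *verified* authenticators.

    Unknown authenticator types are rejected rather than silently ignored,
    so a typo in policy cannot quietly weaken the check.
    """
    categories: set[Factor] = set()
    for auth in presented:
        if auth.kind not in AUTHENTICATOR_FACTOR:
            raise ValueError(f"unknown authenticator type: {auth.kind!r}")
        if auth.verified:
            categories.add(AUTHENTICATOR_FACTOR[auth.kind])
    return categories


def satisfies_mfa(presented: Iterable[Authenticator], minimum: int = 2) -> bool:
    """True when the verified authenticators span at least `minimum` categories."""
    return len(factor_categories(presented)) >= minimum


def explain(presented: Iterable[Authenticator]) -> str:
    """Human-readable verdict, shaped to be written into an audit record."""
    presented = list(presented)
    covered = sorted(f.value for f in factor_categories(presented))
    verdict = "MFA" if satisfies_mfa(presented) else "NOT MFA"
    return f"{verdict}: {len(covered)} categorie(s) covered: {', '.join(covered) or 'none'}"


# Constructed sample requests (assumptions, not real traffic).
PASSPHRASE_PLUS_TOKEN = [Authenticator("passphrase", True), Authenticator("hardware_token", True)]
PASSPHRASE_PLUS_QUESTION = [Authenticator("passphrase", True), Authenticator("challenge_response", True)]
TOKEN_NOT_CHECKED = [Authenticator("passphrase", True), Authenticator("hardware_token", False)]
THREE_OF_THREE = [Authenticator("pin", True), Authenticator("smartcard", True), Authenticator("fingerprint", True)]

if __name__ == "__main__":
    samples = [
        ("passphrase + hardware token", PASSPHRASE_PLUS_TOKEN),
        ("passphrase + secret question", PASSPHRASE_PLUS_QUESTION),
        ("passphrase + token not verified", TOKEN_NOT_CHECKED),
        ("pin + smartcard + fingerprint", THREE_OF_THREE),
    ]
    for name, request in samples:
        print(f"{name}: {explain(request)}")
```

Run it directly to print a verdict line for each constructed request. The `verified` flag matters in practice: a verifier that counts an authenticator merely because the client presented it, without completing its own check, reports MFA where only one factor was actually proven.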

What we heard

  1. There was broad interest in continuing to consume Government-provided credentials.
  2. There was broad interest in being able to use a Government credential for business-to-business transactions.
  3. DSPs would like the Government to provide a public key registry, particularly to support business-to-business transactions. This was noted but will need to be considered further.
  4. It was acknowledged that AUSkey will be phased out and replaced as part of the ATO Identity, Authentication and Authorisation program roadmap. Timelines are still being finalised.

Alternatives explored

  1. There was broad support for a future state TDIF solution.

Conclusion

  1. DSPs agree in principle to aligning with the TDIF requirements once they are implemented. After TDIF becomes available, DSPs will be required to either:
     • use the current Cloud Authentication and Authorisation (CAA) solution with the addition of a multi-factor credential (refer to Appendix 3),
     • consume the Government-provided TDIF credential, or
     • become a TDIF credential provider in their own right and consume their own credential.
  2. In the interim, whilst the TDIF standards and solutions are being developed for use in software products, the following requirements will be introduced:
     • DSPs will be required to review their security credential risks and develop a plan to manage the risks identified.
     • DSPs providing cloud services will implement a multi-factor credential solution, or provide assurance of sufficient controls, to be considered on a case-by-case basis.

UNCLASSIFIED / PAGE1 OF 8

APPENDIX 1 – Design PATTERN

APPENDIX 2

APPENDIX 3


APPENDIX 4

Considerations

AUSTRAC

The AUSTRAC compliance guide consolidates a range of AUSTRAC guidance material and replaces the AUSTRAC regulatory guide.

The guide relates to the obligations of reporting entities under the:

  • Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act)
  • Anti-Money Laundering and Counter-Terrorism Financing Rules (AML/CTF Rules)
  • Anti-Money Laundering and Counter-Terrorism Financing Regulations 2008 (AML/CTF Regulations)
  • Financial Transaction Reports Act 1988 (FTR Act).

The guide:

  • outlines and explains the obligations under the AML/CTF Act, Rules and regulations and presents examples on how they operate
  • assists reporting entities to design, develop and implement systems and controls necessary to mitigate the risks of money laundering and terrorism financing.

The guide is not a regulatory instrument and reporting entities and other stakeholders must always refer to the AML/CTF Act, Rules and regulations to clarify an obligation.

TAX PRACTITIONER BOARD

The information below is sourced from the TPB website:

APRA

The supervisor is satisfied that banks establish KYC policies and processes which are well documented and communicated to all relevant staff.

The KYC management program, on a group-wide basis, has as its essential elements:

  • a customer acceptance policy that identifies business relationships that the bank will not accept;
  • a customer identification, verification and due diligence program; this encompasses verification of beneficial ownership and includes risk-based reviews to ensure that records are updated and relevant;
  • policies and processes to monitor and recognize unusual or potentially suspicious transactions, particularly of high-risk accounts;
  • escalation to the senior management level of decisions on entering into business relationships with high-risk accounts, such as those for politically exposed persons, or maintaining such relationships when an existing relationship becomes high-risk; and
  • clear rules on what records must be kept on consumer identification and individual transactions and their retention period. Such records should have at least a five year retention period.
