DHS adds two-factor authentication to myGov website
The Department of Human Services (DHS) has added two-factor authentication (2FA) to the myGov website, which controls access to online government services such as the PCEHR, Medicare and eTax.
DHS came in for sustained criticism last year over lax security for myGov following the discovery of a cross-site scripting flaw that allowed a security researcher to hack into an individual myGov account, through which he was then able to access a range of personal information.
As myGov is a single sign-on system, it authenticates user access to a range of services the consumer has chosen to link to their account, including their PCEHR, Medicare, Veterans' Affairs, Child Support, Centrelink, the NDIS and the Australian Taxation Office.
The Sydney Morning Herald first drew attention to the problems in a series of articles last year voicing the security industry's concerns over the site, in which several experts called for the introduction of 2FA.
At the time, the department insisted it had robust security measures in place and said access to myGov and other DHS online services was audited and monitored.
“[W]e routinely subject myGov to independent security testing,” a DHS spokesperson said. “As technology changes and new challenges emerge, we update our systems to ensure that the service continues to be secure.”
Last month, DHS added an optional extra step to myGov. Formerly, the sign-up process included a randomly generated user code, a password and a series of security questions.
Now, consumers can elect to provide their mobile phone number in order to have an SMS sent to them containing a one-off security code that must be entered into the site before access is granted.
Users can turn off the security code function in their settings and revert to a secret question if they wish.
Human Services Minister Marise Payne said that in September last year, there were five million active users of myGov, with two million new accounts created since the start of the 2014-15 financial year.
By November, 2.7 million people had lodged their tax returns through myGov, she said.