[Linux-aus] Proprietary MyGovID app to be the only way to login to ATO Business Portal
Glen Turner
gdt at gdt.id.au
Wed Mar 25 08:12:24 AEDT 2020
>
> In other news, Matt Ceniga pointed me towards mygov-totp-enrol
I've used that successfully with andOTP as the TOTP client. Moving away
from SMS to TOTP seems wise of myGov.
I'm not keen on the MyGovID app as a TOTP client. It seems to grab the
time from a central server, look for a broadcast message, then do the
TOTP task. Although I only had a quick look at the traffic, so I might
not have that quite right.
>From a threat analysis point of view, the major threat to TOTP is
altering the time and doing a "replay attack". But fetching the time
from a myGovID server means that the myGovID second form of
identification app falls to the same activity which could undermine the
password itself -- subversion of a myGov central server. Thus
undermining the promise of a *second* form of identification. It would
have been better simply to use the time on the TOTP client's phone.
That increases the risk of a replay attack of a single client, but
lowers the risk of replay attack on all clients. In short, from a
technical point of view the difference in security between the myGovID
app and a standard TOTP app is debatable.
There's a lot to be said for allowing clients to choose their TOTP
application and giving some guidance to customers. Many TOTP apps make
better use of the phone's identity and security hardware than myGovID.
Such as using the fingerprint reader as a Secure Attention Key used by
the TOTP program running in a secure enclave of the CPU. Fingerprints
are desirable -- in many households a person's fingerprint is more
secure than their PIN code (often re-used, known by other household
members, etc). Running the program in a secure enclave with the secret
key kept in "secrets storage" which the CPU makes available only to
that enclave has obvious security benefits over a standard program.
To be fair to the myGov people, the TOTP app landscape probably wasn't
as rosy when they started specifying their 2FA project. But Google
Authenticator really raised the bar across all TOTP applications whilst
they were developing and fielding their system.
I don't at all understand the lack of support for WebAuthn devices by
myGov.
-glen
More information about the linux-aus
mailing list