[Linux-aus] Proprietary MyGovID app to be the only way to login to ATO Business Portal

[Glen Turner]

> 
> I've just sent a letter to the Commissioner of Taxation about the
> rollout of MyGovID as the only way to log in to the ATO Business Portal.

Can I suggest that you encourage MyGov to support WebAuthn rather than
debate the pros and cons of the MyGovID TOTP app (which,
hypocritically, I've done in another e-mail in this thread).

That gives the ATO something they want -- better security -- whilst
getting something we want -- free software (although on secure or
dedicated hardware rather than on general purpose hardware).

Most importantly, WebAuthn improves security for all Australians.  The
days of TOTP offering adequate security are coming to a rapid end.
Phishing, a fake website, reusing the captured 1FA and 2FA transaction
in real time -- it's not rocket science.  TOTP is better than nothing,
better than SMS; but for a valuable site like MyGov building an attack
to sidestep TOTP is well worth the trouble for criminals.

A nice thing about promoting WebAuthn is that it's "take it or leave
it" with no modifications possible to the protocols for enrolment or
for use.  That's the point -- those protocols are baked into the
WebAuthn/FIDO2 hardware; and that hardware should treat non-compliance
with the FIDO2 protocol as an attempt at subversion.

-glen