[Linux-aus] Proprietary MyGovID app to be the only way to login to ATO Business Portal

Ben Sturmfels ben at stumbles.id.au
Tue Mar 31 11:39:47 AEDT 2020

Just a quick update - I had a lovely call from a person at ATO
responding to my complaint. A couple of things they mentioned:

 - ATO is the first agency to use MyGovID

 - they have a feedback form on https://www.mygovid.gov.au <- USE IT

 - they have received quite a bit of feedback similar to mine

 - there was some form of hard deadline in place around their previous
authentication setup around 10 years ago - sounded like a contract
expiry but I didn't get specifics - may have been just related to AusKey

 - they really didn't know how the transition was going to go - now they
have learned, surprise surprise, for example a bunch of tax accountants
who don't have smartphones - much respect to those accountants!

 - currently the Digital Identity team is only speaking with people who
are having technical difficulties with the app, not people who want to
participate in the upstream process

All in all, they were very empathetic about the ethical issues of
requiring Apple or Google accounts and trust in proprietary tech. If you
can spare a few minutes, this is an important time to be heard and they
are certainly listening.


On 24/3/20 10:55 pm, Ben Sturmfels via linux-aus wrote:
> On Tue, Mar 24, 2020 at 18:24, Jack Burton <jack at saosce.com.au> wrote:
>> This move then is one which attempts to force Australian tax-paying
>> companies to do business with either Apple or Google...
>> ...ironically, two companies which are famous for *not* paying their
>> fair share of taxes.
>> Take a moment for that to sink in -- in order to pay our taxes, the
>> government now wants us to do business with serial tax-evaders!
> Aw, I wish I'd thought of that line! Thanks Jack!
> In other news, Matt Ceniga pointed me towards mygov-totp-enroll. He wrote:
>> MyGovID may be the only "official" way to sign in, but it's not the
>> only option. MyGovID just does TOTP with SHA512, so assuming you have
>> a TOTP app that doesn't just do SHA1 (I use FreeOTP+, but there are
>> plenty of other options), you can use the tool that this clever human
>> wrote, that basically pretends to be the MyGovID app for the purposes
>> of set-up, and gives you a regular QR-code to feed to your TOTP app:
>> https://github.com/abrasive/mygov-totp-enroll
>> We shouldn't need a third-party tool to do something that should
>> already be offered by the MyGov website. I understand that maybe they
>> didn't trust TOTP apps to support SHA512 hashes (I know that when I
>> tried with LastPass Authenticator, it just *ignored* the SHA512 bit
>> and tried to use the key with a SHA1 hash, resulting in the wrong code
>> with no explanation or error), but there are better options than
>> *forcing* people to use an app like this.
> As Matt suggests, I still think that it's worth some activism here
> regardless - non-technologists shouldn't be second class citizens and we
> shouldn't have to work around the systems that we collectively pay for.
> Regards,
> Ben
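The silent SHA1 fallback described in the quoted message, as an added example that is not part of the thread or of mygov-totp-enroll: an RFC 6238 TOTP that honours the `algorithm` parameter, next to what an app computes when it ignores it. It assumes the QR code carries a standard otpauth:// URI; the key is the RFC 6238 SHA512 test key and the URI label is constructed.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def totp(key, unix_time, digest=hashlib.sha1, digits=6, period=30):
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current time-step counter."""
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(key, counter, digest).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def parse_otpauth(uri):
    """Parse an otpauth://totp URI, rejecting algorithms we cannot compute."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    algorithm = q.get("algorithm", "SHA1").upper()
    if algorithm not in DIGESTS:  # fail loudly instead of guessing SHA1
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    secret = q["secret"].upper()
    secret += "=" * (-len(secret) % 8)  # restore stripped base32 padding
    return {"key": base64.b32decode(secret), "digest": DIGESTS[algorithm],
            "digits": int(q.get("digits", 6)), "period": int(q.get("period", 30))}

def fallback_demo(uri, unix_time):
    """Return (code the server expects, code from an app that assumes SHA1)."""
    p = parse_otpauth(uri)
    correct = totp(p["key"], unix_time, p["digest"], p["digits"], p["period"])
    sha1_fallback = totp(p["key"], unix_time, hashlib.sha1, p["digits"], p["period"])
    return correct, sha1_fallback

# Constructed sample: RFC 6238 Appendix B key for SHA512, hypothetical label.
RFC_KEY = b"1234567890" * 6 + b"1234"
SAMPLE_URI = (
    "otpauth://totp/Example:user?secret="
    + base64.b32encode(RFC_KEY).decode().rstrip("=")
    + "&algorithm=SHA512&digits=8&period=30"
)

if __name__ == "__main__":
    correct, sha1_fallback = fallback_demo(SAMPLE_URI, 59)
    print("server expects:", correct)
    print("SHA1-only app :", sha1_fallback)
```

Both codes look equally valid to the user, which is why an authenticator that cannot honour the parameter should refuse the enrolment rather than fall back.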
