A clear industry consensus in favour of government-backed digital ID has emerged across submissions to the government’s revised cyber security strategy consultation.
NAB [pdf] explained its support for strong digital ID comes from a desire for a zero-knowledge proof of ID.
“Where entities were permitted to rely on zero knowledge proofs (ie, it is sufficient that an entity knows that an individual is over 18 years old and does not need to collect actual date of birth details or evidence thereof), this would minimise the data security risk to both businesses and individuals,” the bank said.
If existing digital ID “standards and protocols” were uplifted, NAB said, a business could verify an attribute such as an individual’s age, without collecting information useful to cyber criminals.
However, the NAB submission stated: “The current regime is not yet fit for purpose”.
ANZ Banking Group [pdf] agrees, saying such a regime would “help minimise the volume of identity documents collected and stored.”
The banking industry’s representative body, the Australian Banking Association, added [pdf] that a digital ID capability “could be the anchor for a new, secure-by-design approach to cyber resilience”.
The consulting sector also votes in favour of improving Australia’s digital identity regime.
Deloitte said [pdf] that “continued large-scale data breaches show that knowledge based methods of enrolling or authenticating users (passwords, Q&A) cannot reliably assure identity.
“Digital services that rely on the aggregation of personally identifiable information (PII) attract identity fraud and cybercrime at-scale.”
While also supporting an improved digital ID system, EY warned [pdf] that a lack of public trust could undermine it: “Almost three in ten Australians are still uncomfortable with the concept,” it said.
“To address this issue, government will need to embed security mechanisms from the outset, start with a voluntary system (akin to the My Health Record rollout) and establish an independent governance authority to build public trust.”
AWS and Optus [pdf] offer a similar contribution to the digital ID debate: that multi-factor authentication should be part of a national solution.
AWS’ submission [pdf] emphasised that multi-factor authentication is vital: “Although we normally caution against prescriptive advice, there is an exception to every rule.
“Multi-factor authentication (MFA) is one of the simplest and most important protections available to users, making them less susceptible to password leaks or social engineering”.
While citizens are becoming increasingly familiar with MFA, the submission said, “government can play an important role in speeding up this process”.