At both a state and federal level, Australian governments are looking to introduce a number of reforms to better protect the digital identities of the Australian people.
Last week, the National Strategy for Identity Resilience was established during a meeting between data and digital ministers, with the aim of making it more difficult for digital identities to be stolen and, if they are, much easier to restore.
“We increasingly rely on the ability to verify our identities — we do this to access everyday services and conduct business,” said the strategy report.
“Identity resilience has huge potential as an economic enabler.
“However, as the digital economy accelerates, and the world increasingly operates online, Australians’ identities are vulnerable in new ways.
“We need our processes and systems for managing identity information to keep pace with evolving threats by ensuring strong protections and security centred on the privacy of individuals.”
The National Strategy for Identity Resilience aims to establish measures that are consistent across all jurisdictions nationwide by introducing “common objectives, standards and practices”.
The strategy, which will be implemented over a five-year period, has had its goals divided into stages classed as short term, medium term and long term.
The short-term initiatives, which are to be implemented within the next 12 months, involve developing this “cohesive national approach”, improving education and awareness and updating the National Identity Proofing guidelines to support the new approaches.
After this, in the one-to-three-year period, the strategy hopes to develop the Credential Protection Register, a register that was established by the Commonwealth in October last year. The improvements are intended to give individuals “better control of their credentials”.
On top of this, the strategy will develop a “Mobile Phone Trust Score” system, which will allow telcos to assign scores to mobile phone numbers based on a number of factors, such as whether the user has swapped SIMs, use of virtual private numbers and more.
“The trust score will help to prevent mobile phones being used to facilitate fraud,” it said.
Following this, in the three-to-five-year period, the strategy will look to place a greater focus on issuing digital credentials through digital wallets while bolstering the security standards around digital credentials.
“It is cheaper, easier and quicker to reissue a digital version of a compromised credential than a physical one. The development of digital credential standards is vital to ensure consistency of data, user experience and interoperability while maintaining choice and privacy,” it said.
Furthermore, the strategy will aim to establish stronger identity records for personal documents such as birth documents and immigration records, as well as improve government communication and support services for those who have suffered from data theft and other cyber incidents.
Industry experts, such as Dr Chao Chen, senior lecturer of AI and business analytics at RMIT University, have supported the move, calling it a step towards better protection against cyber fraud.
“The Commonwealth and state/territory agreement marks a key step in combating cyber fraud and identity theft,” he said.
“Traditional ID verification methods are increasingly vulnerable in our digital age, as seen in the recent Optus and Medibank data breaches.
“Biometric authentication, such as fingerprints, iris scans, and face recognition, offers a far more personalised level of security.”
Currently, digital identities are verified using personal information such as birth dates and addresses, as well as biometric data such as facial imaging and fingerprints.
However, Chen adds that the changes are not without their risks, and the push to move identities to the digital medium “isn’t a silver bullet”.
“Potential pitfalls include bypassing of biometric devices, spoofing attacks, and, importantly, privacy concerns,” Chen said.
“Advances in technologies like liveness detection and encryption can help minimise these risks.
“Also, integrating multiple biometric factors can further improve the system’s resilience to fraud.
“For example, a physiological signal-based authentication system has the potential to blend the high security of biometric identification with increased user comfort and privacy.”
RMIT’s Dr Arathi Arakala of the university’s Centre for Cyber Security, Research and Innovation has said that the government needs to ensure that the technologies used, and the move to biometric verification itself, are designed in a way that stays secure.
“Before the government jumps headfirst into the widespread use of biometric data for an ID service, it is vital that technologies and policies to securely store, transfer, and compare the collected biometric data are designed according to established standards and regulations,” she said.
This means storing biometric information client-side rather than on a central database, and allowing individuals the choice to use biometric information as a form of identification.