Welcome
AUSkey transition information session
Wednesday 28 August 2019
Starting at 1:00pm AEST
Presented by:
Paul Stasinowsky, Product Owner, M2M and BAM
Digital Communications and Identity Services
Australian Taxation Office
28 August 2019
Digital Partnership Office
DSP webinar
AUSkey transition
Identity crime in Australia
• IDENTITY CRIME is one of the most common crime types in Australia
• $2.2b: Estimated annual costs to individuals, victims, business and government agencies
• Every 20 seconds an Australian is a victim of ID crime
• 1 in 5 Australians or over 21% have been a victim of ID crime at some point in their lives
• Around 5% of Australians experience financial loss as a result of ID crime
• More common than robbery, motor vehicle theft, household break-in or assault
• Victims of identity fraud spend an average 18 HOURS repairing the damage caused
• Non-financial impacts to victims:
  - 1 in 10 (10%) identity crime victims suffered mental or emotional distress
  - 1 in 14 (7%) wrongly accused of a crime
• UNDERREPORTED: 38% of Australians do not report ID crime, of these:
  - 38% did not believe the police would do anything
  - 22% were too embarrassed
  - 28% did not know where or how to report
Source: Dept. of Home affairs, Criminal Justice Division
3 UNCLASSIFIED Digital Partnership Office – DSP webinar – AUSkey transition
The ATO has a large interest in identity
[Diagram labels: for Australian residents and visa holders (2016-17); Aus. residents for tax purposes; Non-resident for tax purposes; age bands 0-19 yrs, 20-30 yrs, 31+ yrs; entity types Individual, Company, Trust, Partnership, Super Fund, Government]
• Over 5m TFNs mapped directly to Associates of 7.2m ABNs
• Only 7.7m have their myGov account linked to ATO
• Only 1m use the ATO App
• New TFNs are not automatically connected to myGov, ATO Online or ATO App
• Less than 2m ABNs have an online account/credential with the ATO or Digital Service Providers (via Cloud)
• No ABN (or underlying TFN of an Associate) receives credentials or an online account during registration
AUSkey replacement
Why are we replacing AUSkey?
AUSkey has not kept pace with changes in technology and doesn’t meet the future needs of most businesses. AUSkey is:
• not supported on mobile devices
• not compatible with all internet browsers
• difficult to set up and maintain
• restricted to online services, and authorisations do not carry across channels (i.e. cannot be used to contact the ATO by phone)
• unable to provide password reset functionality, forcing users to re-register when a password is forgotten
• difficult for users who want to view and manage multiple AUSkeys, with some businesses having up to 200 AUSkeys
• unable to support dual consent.
What will replace AUSkey?
The ATO has built or is building:
• myGovID: Individual credential used to identify yourself. You can authenticate and access government online services using myGovID
• Relationship Authorisation Manager (RAM): Whole of government solution that allows individuals to claim their associated entity and assign permissions for other users to access government online services for their business
• A new machine to machine (M2M) solution to support existing M2M arrangements, replacing device AUSkey. RAM allows DSPs to generate and manage M2M credentials
• A SAML service called Business Authentication Manager (BAM) to support Government agencies to on-board with minimal impact.
What will replace AUSkey? – Overview
myGovID
What will replace AUSkey?
myGovID:
• myGovID is an App, currently available in the Apple App store. It will be available in the Android Play Store in October
• myGovID is your digital identity which makes it easier to prove who you are online
• myGovID lets you prove who you are when using government online services – like having an ID on your phone
• myGovID requires you to prove your identity once. You can then present this identity when authenticating to Government online services on behalf of business
• myGovID is available right now.
What will replace AUSkey?
RAM:
• RAM enables you to manage your business authorisations in one place
• RAM allows you to act on behalf of a business with participating government online services
• When you’re authorised, RAM will allow you to create and manage machine credentials (replacing device AUSkey)
• RAM is accessed with a myGovID credential
• RAM will require every business to be claimed by an associate
• RAM is available right now.
Relationship Authorisation Manager (RAM)
What will replace AUSkey?
M2M:
• M2M will replace device AUSkey with a new credential called ‘machine credential’
• M2M will also offer a new Secure Token Service (called MAS-ST) which will replace VANguard’s STS
• Machine credentials will be created and managed through RAM
• Authorised representatives will require a specific permission to be able to create and manage machine credentials on behalf of a business
• Machine credentials are backwards compatible with device AUSkey and MAS-ST can provide software authentication where the user has an AUSkey
• New machine credentials will be available from mid-September and MAS-ST will be available in production from late October.
Machine to Machine (M2M) solution
Business Authentication Manager (BAM)
What will replace AUSkey?
BAM:
• BAM will enable agencies to accept user authentication with a myGovID and a RAM business authorisation for their portal, without the need to significantly reconfigure their portal.
• ATO will provide the BAM service, which will give agencies an authentication mechanism similar to that provided by VANguard User Authentication Service (UAS)
• Users will provide their myGovID and select a Business from RAM instead of using an AUSkey when authenticating to government agency portals
• Agency portals will gradually onboard to the BAM authentication solution. We are managing the onboarding process.
We are undertaking a number of activities to assist DSPs to transition to the new M2M solution. These include:
• EVTE (External Vendor Test Environment) trial – We conducted an EVTE trial of the new M2M solution from April, with users confirming that for the most part, the only change required was to update the ST endpoint and get the new credential. This trial was limited to SBR2 services and provided valuable feedback on the new solution. An SBR1 EVTE trial will commence soon.
• Ongoing availability of the M2M solution in EVTE – A generic new machine credential is currently available in EVTE for you to test your software. In addition, we have published the EVTE version of the new MAS-ST endpoint. All DSPs are encouraged to undertake this testing as soon as possible.
• Encouraging representatives from DSPs to create a myGovID now, to begin claiming and authorising businesses in RAM and managing existing AUSkeys.
How we are supporting DSPs transition to the new M2M solution
We are undertaking a number of activities to assist business more broadly to transition to the new Digital identity solution. These include:
• Ability to migrate AUSkey authorisations (including permissions in Access Manager) into RAM. An authorised user will be able to migrate existing AUSkeys and convert them to business authorisations in RAM. These will be subject to acceptance by the authorised party
• Working with government agencies to transition their portals to accept the new credentials via Business Authentication Manager (BAM)
• Encouraging business representatives to create a myGovID now, begin claiming and authorising businesses in RAM and managing existing AUSkeys. The next slide will explore what you can do now to prepare based on what is currently available.
How we are supporting business transition from AUSkey
Tight timeframes – What DSPs and users can do now to prepare for AUSkey replacement
What DSPs can do now as a software provider
• Test new machine credential in EVTE for SBR2.
What DSPs can do now as a business
• Review your associate details in the ABR to ensure they are correct and current
• Review current AUSkeys
• Review business appointments in Access Manager
• Set up myGovID on an iOS device
• Associate should link their business in RAM.
All DSPs are encouraged to test software against the new machine credential and MAS-ST service in EVTE. To do this, you will need to do the following:
• Contact DPO to get the testing package
• Update your software to the new endpoint in your SBR2 EBMS client
• Download the keystore and install the new test machine credential
• Undertake conformance testing using conformance suites relevant to your products.
SBR1 will be available soon and we will advise you when it is available.
M2M future testing
The M2M trial for SBR2 was conducted with DSPs from 29 April to 14 June.
21 DSPs participated, with 11 DSPs successfully completing the trial. Feedback included:
• ‘It really was just a plug and play from the old method.’
• ‘With no more than one hour’s work, I was able to implement M2M within my payroll system.’
The trial enabled participants to identify the necessary changes to software in preparation for the production release. Points to note include:
• DSPs identified a difference in the character length of the STS time stamp: ATO (3) and VANguard (5). The character length restriction of 3 has been highlighted in the test kit.
Next Steps
• A trial release of M2M for SBR1 is in development and a small EVTE trial will commence shortly.
• As the M2M solution will remain in EVTE for SBR2, we strongly recommend all DSPs test software against the new machine credential to identify necessary changes before the production release.
EVTE trial outcome
AUSkey Replacement | Impacts of the new M2M solution
Cloud software vs desktop users will be impacted as outlined below:
Business Entity – Cloud Software
• You will not notice any change, nor any disruption to your business. The Digital Service Provider (DSP) will undertake the action to deploy updated software and obtain the new credential.
Business Entity – Desktop or Locally Hosted Software
• You will need to get an updated version of the software
• Obtain a machine credential via RAM
• Store the machine credential in an appropriate place
• Install the software and direct the software to the machine credential keystore (if required).
Digital Service Providers (DSP) – Cloud Software
• You will need to get a machine credential via RAM
• Store the machine credential in the same place as the device AUSkey is currently stored
• Update cloud software product to consume new credential by updating the endpoint
• Deploy updated cloud software product
• The existing Cloud relationship in Access Manager will continue to be recognised.
Digital Service Providers (DSP) – Desktop or Locally Hosted Software
• You will need to create an updated version of the software
• Deploy the updated software to users
• Provide instructions to users about installing machine credentials (or direct users to ATO published instructions).
Users who require a form of Cross entity authorisation (XEA) will be impacted as outlined below:
Existing XEA relationships will continue to be recognised in AM (Access Manager). Currently, a credential
(device AUSkey) is applied to this relationship in AM. When a business with XEAs gets a new machine
credential, an authorised representative is required to apply this to the existing XEA relationships.
Entities can then continue to lodge on behalf of other entities via SBR software.
Entities required to lodge information for other entities via SBR software
AUSkey Replacement | M2M solution – Cross entity authorisation (XEA)
AUSkey Replacement | Release Plan
[Timeline diagram spanning 2018, 2019 and 2020. Legend: Completed, Monitoring, What’s next. A "We are here" marker is shown on the timeline.]
Timeline markers:
• July 2018: Private beta, Business
• Sept 2018: Private beta, Tax Agents
• Oct 2018: Private beta expansion, Business and Tax Agents
• April 2019: Private beta, M2M
• May 2019: myGov change to 2FA
• June 2019: Public beta, Business Portal
• June 2019: Q2 Release
• July 2019, Aug 2019, Sep 2019, Oct 2019
• March 2020: AUSkey DECOMMISSIONED
Release details:
Private Beta: 1st step to AUSkey transition functionality
• Users were able to obtain a myGovID (iOS)
• Set up a business in RAM (one only)
• Authorise a business representative (full access)
• Log into Business Portal / Online Services for Agents on behalf of the business.
Private Beta Enhancements
• Set up multiple businesses in RAM
• Select from a list of businesses when accessing the Business Portal or Online services for agents
MyGov change to 2FA
• New myGov users will not be able to link to ATO Online if they are not using 2 Factor Authentication
Private Beta for M2M solution
• SBR / DSPs can install and test new machine credential in test environment
Public Beta for Business Portal
• Log into the Business Portal with a myGovID (iOS)
• Manage authorisations in RAM (including modify authorisations)
Private Beta Release for Tax Agents
• Log into Online services for agents with a myGovID
Private Beta myGovID (Android)
• myGovID available for Android
Custom Permissions
• RAM integration with Access Manager to customise permissions to support ATO Online for Agents
Public Beta Release for Tax Agents
• Log into Online services for agents with a myGovID
Business to Business (B2B) discovery
• Ability to authorise one business to act on behalf of another business
Public Beta for Device AUSkey replacement solution
• Users can create a machine credential to secure M2M transactions
Public Beta myGovID (Android)
• myGovID available for Android
On-boarding of AUSkey relying agencies
• Commence production release of AUSkey relying services
Public Beta AUSkey Transition / Future Enhancements
• Import AUSkey users in RAM tool
• Bulk authorisations
• Commence on-boarding AUSkey relying agencies
• Commence on-boarding other ATO AUSkey relying services i.e. DSP, DASP, ABR
Support for DSPs and users
A number of support options will be available to DSPs and end users via online or phone. Client enquiries will be managed in the same way that AUSkey clients are currently managed. Phone support for clients who have issues with myGovID/RAM will be managed under the ATO’s general support framework and DSPs will be supported via the Digital Partnership Office.
[Diagram of on-line and phone support channels. Labels: DSP; Customer Service Representative; Digital Partnership Office (DPO); RAM/myGovID support web pages; AUSkey Information Line; IVR options; myGovID; RAM; Online Services for DSPs; softwaredeveloper.ato.gov.au; ato.gov.au; ABR/AUSkey; RAM site; myGovID site]
Setting up myGovID & Relationship Authorisation Manager (RAM)
Set up myGovID (once only) | Preconditions
You will need to:
• use an iOS/Android device (Android delivery expected Oct 2019)
• provide an email address
• provide two Australian identity documents from:
  - Driver licence or learner permit
  - Passport
  - Medicare card.
Set up myGovID (once only)
Step 1 Download myGovID app from app store on your phone
• User is prompted to create a myGovID when accessing an online service or can go directly to the app store and find the myGovID app
Step 2 Create myGovID account
• Enter and verify email address, enable touch ID/face ID, provide personal details and create password
• Now IP1
Step 3 Build identity
• Identity document attributes provided, verified with Document Verification Service (DVS) x2
Step 4 Digital identity created
• myGovID is now ready to be used to login and access government online services
• Now IP2
Facial verification coming soon
• Liveness capture, facial image matched and verified against photo ID document with Facial Verification Service (FVS)
• Will be IP3
How to use your myGovID to access RAM
Step 1 Navigate to RAM
• Navigate to https://authorisationmanager.gov.au and select continue
Step 2 Provide myGovID credential
• Input myGovID email address and select login
Step 3 myGovID displays access code
Step 4 Phone notifications
• Locked screen initial notification
• Unlocking screen notification
Step 5 Enter access code on phone
• User enters the code in myGovID app on mobile phone to gain access to RAM
Step 6 Access to RAM
• User gains access to RAM
Setup business authority in RAM
A one time process to link your business in RAM
Step 1 Log into RAM and select ‘Link your business’
• Validates user against businesses where they are listed as an eligible associate in the ABR
Step 2 Enter an address for tax purposes
Step 3 Select business to bring into RAM
• Business relationship set-up and can now be used to manage authorisations for others
Authorise employee (and give Machine Credential Administrator [MCA] role)
Step 1 Principal authority or Auth Admin logs into RAM with their myGovID
• Log into RAM (as previously demonstrated)
Step 2 Principal authority or Auth Admin clicks on ‘Manage Authorisations’ in RAM
Step 3 User puts business in focus
• All businesses the user is authorised for will appear in the business view screen
Step 4 A list of authorised business representatives is shown
• All users authorised for the business will appear in the business view screen
Step 5 Complete details for business representative
• Determine authorisation and access level required for user
Step 6 Complete authorisation request for business representative
• Determine authorisation and access level required for user
Step 7 Confirm and send authorisation request
• Review and confirm authorisation request
Step 8 Employee now appears as pending in business view
• Users will appear in the business view as pending until they have accepted the authorisation
Step 9 Employee obtains authorisation code via email
• Employee receives email with authorisation code and instructions on what to do next
Employee accepts authorisation (including MCA role)
Step 1 Employee obtains authorisation code via email
• Employee receives email with authorisation code and instructions on what to do next
Step 2 Employee logs into RAM with their myGovID
• User logs into RAM with their myGovID
Step 3 Enter authorisation code
• User enters authorisation code from email
Step 4 View authorisation request and accept
• User views detailed Summary of request and option to accept authorisation
Step 5 The authority has been granted
Employee creates and downloads a machine credential
Step 1 MCA clicks on ‘Manage authorisations’
Step 2 MCA puts their business in focus
• MCA finds the business that they are authorised for and then clicks on the business they wish to create a machine credential for
Step 3 MCA clicks on ‘Manage credentials’
• The MCA then clicks on Manage credentials in order to go to the Create and download a new machine credential page
Step 4 An M2M Browser Enabler is required in order to download
• A message and link is displayed if the system is unable to detect a valid Browser Extension. The link takes the user to the RAM website where they can view information and download the Browser Extension
Step 5 MCA clicks on ‘Create machine credential’
• Once the Browser Extension has been installed the MCA clicks on ‘Create machine credential’ to create a new machine credential
Step 6 Creating a machine credential
• The Keystore Path is automatically generated but can be updated if required. Users enter a Keystore Password of their choice and the name they would like the credential to be known as. The Machine Credential Custodian is automatically generated and cannot be updated
Step 7 Credential installed
• The request is submitted and the machine credential created
Step 8 Machine credential now displayed
High level flow for obtaining a machine credential
High level flow for obtaining SAML access token (backward compatible to SBR)
• AUSkey will be decommissioned in March 2020
• The M2M solution will soon be available and you will need to get onboard as you begin to prepare
• The new machine credential will be available in production from mid September 2019
• New M2M solution will be available from end of October 2019
What you need to do
To test the M2M solution in EVTE contact the DPO via:
• Online services for DSPs (OS4DSPs):
  - Log in using your AUSkey
  - Complete the SBR developer registration or new contact registration form (new users only)
  - Navigate to the M2M credential group and submit a ‘Register for M2M testing in EVTE’ request
• If you cannot use OS4DSPs you can email [email protected]
Once you receive the welcome pack you will be able to test the new machine credential in EVTE.
Next steps
Further information
Further information is available at the following:
• https://www.mygovid.gov.au/
• https://info.authorisationmanager.gov.au/
M2M information:
• https://softwaredevelopers.ato.gov.au/
• DSP Newsletters
• Account Manager
In addition, you will see an increase in information across a range of forums providing updates
on AUSkey transition / M2M solution.
Questions and Answers