welcome [softwaredevelopers.ato.gov.au] · 2019-08-29 · • bam will enable agencies to accept...

Please note: everyone will be automatically placed on

mute when they join the webinar

Welcome

AUSkey transition information session

Wednesday 28 August 2019

Starting at 1:00pm AEST

Presented by:

Paul Stasinowsky, Product Owner, M2M and BAM

Digital Communications and Identity Services

Australian Taxation Office

28 August 2019

Digital Partnership Office

DSP webinar

AUSkey transition

$2.2b

IDENTITY CRIME is one of the most common

crime types in Australia

HOURS 18

Victims of identity fraud

spend an average

repairing the damage caused

Non-financial

impacts to victims

1 in 10 identity crime victims suffered mental

or emotional distress

10%

1 in 14 wrongly accused of a crime

7% Every 20 seconds an Australian is a

victim of ID crime

1 in 5 Australians or

over 21% have been a

victim of ID crime at

some point in their lives

Estimated annual costs to individuals, victims, business and government agencies

38% did not believe the police would

do anything

22% were too embarrassed

28% did not know where or how to

report

UNDERREPORTED

Around 5% of Australians

experience financial loss as a result of ID crime

38% of Australians do not

report ID crime, of these:

More common than robbery, motor

vehicle theft, household

break-in or assault

Source: Dept. of Home affairs, Criminal Justice Division

Identity crime in Australia

3 UNCLASSIFIED Digital Partnership Office – DSP webinar – AUSkey transition

for Australian residents and visa holders

(2016-17) (2016-17)

Aus. residents for tax purposes

Non-resident for tax purposes

Resident (for tax purposes)

Non-resident (for tax purposes)

( 0-19 yrs; 20-30 yrs;

31+ yrs)

Individual Company

Trust Partnership Super Fund

Government

Individual Company Trust

Partnership Super Fund

Government

Over 5m TFNs mapped directly to Associates of 7.2m

ABNs

Only 7.7m have their myGov account linked to ATO

Only 1m use the ATO App

New TFNs are not automatically connected to myGov, ATO Online or ATO App

Less than 2m ABNs have an online account/ credential with the ATO or Digital Service Providers (via Cloud)

No ABN (or underlying TFN of an Associate) receives credentials or an online account during registration

X X X X

The ATO has a large interest in identity


5

AUSkey replacement

UNCLASSIFIED Digital Partnership Office – DSP webinar – AUSkey transition

Why are we replacing AUSkey?

AUSkey has not kept pace with changes in technology and doesn’t meet the future needs of most businesses. AUSkey is:

not supported on mobile devices

not compatible with all internet browsers

difficult to setup and maintain

restricted to online services and authorisations do not carry across channels (i.e. cannot be used to contact the ATO by phone)

unable to provide password reset functionality, forcing users to re-register when a password is forgotten

difficult for users who want to view and manage multiple AUSkeys with some businesses having up to 200 AUSkeys

does not support dual consent.

What will replace AUSkey?

The ATO has built or is building:

• myGovID: Individual credential used to identify yourself.

You can authenticate and access government online services

using myGovID

• Relationship Authorisation Manager (RAM): Whole of

government solution that allows individuals to claim their

associated entity and assign permissions for other users

to access government online services for their business

• A new machine to machine (M2M) solution to support existing M2M arrangements –

replacing device AUSkey. RAM allows DSP to generate and manage M2M credentials

• A SAML service to support Government agencies to on-board with

minimal impact called Business Authentication Manager (BAM).

6

What will replace AUSkey? – Overview


+

7

myGovID



myGovID:

• myGovID is an App, currently available in the Apple App store. It will be available in the Android Play Store in October

• myGovID is your digital identity which makes it easier to prove who you are online

• myGovID lets you prove who you are when using government online services – like having an ID on your phone

• myGovID requires you to prove your identity once. You can then present this identity when authenticating to Government online services on behalf of business

• myGovID is available right now.


RAM:

• RAM enables you to manage your business authorisations in one place

• RAM allows you to act on behalf of a business with participating government online services

• When you’re authorised, RAM will allow you to create and manage machine credentials (replacing device AUSkey)

• RAM is accessed with a myGovID credential

• RAM will require every business to be claimed by an associate

• RAM is available right now.

8

Relationship Authorisation Manager (RAM)



M2M:

• M2M will replace device AUSkey with a new credential called ‘machine credential’

• M2M will also offer a new Secure Token Service (called MAS-ST) which will replace VANguard’s STS

• Machine credentials will be created and managed through RAM

• Authorised representatives will require a specific permission to be able to create and manage machine credentials on behalf of a business

• Machine credentials are backwards compatible with device AUSkey and MAS-ST can provide software authentication where the user has an AUSkey

• New machine credentials will be available from mid-September and MAS-ST will be available in production from late October.

9

Machine to Machine (M2M) solution


10

Business Authentication Manager (BAM)



BAM:

• BAM will enable agencies to accept user authentication with a myGovID and a RAM business authorisation for their portal, without the need to significantly reconfigure their portal.

• ATO will provide the BAM service which will provide agencies with the similar authentication mechanism provided by VANguard User Authentication Service (UAS)

• Users will provide their myGovID and select a Business from RAM instead of using an AUSkey when authenticating to government agency portals

• Agency portals will gradually onboard to the BAM authentication solution. We are managing the onboarding process.

We are undertaking a number of activities to assist DSPs transition to the new M2M solution. These include:

• EVTE (External Vendor Test Environment) trial – We conducted an EVTE trial of the new M2M

solution from April with users confirming that for the most part, the only change required was to update the ST

endpoint and get the new credential. This trial was limited to SBR2 services and provided valuable feedback on

the new solution. An SBR1 EVTE trial will commence soon.

• Ongoing availability of the M2M solution in EVTE – A generic new machine credential is currently

available in EVTE for you to test your software. In addition, we have published the EVTE version of the new

MAS-ST endpoint. All DSPs are encouraged to undertake this testing as soon as possible.

• Encouraging representatives from DSPs to create a myGovID now –

to begin claiming and authorising businesses in RAM and managing

existing AUSkeys.

11

How we are supporting DSPs transition to the new M2M solution


We are undertaking a number of activities to assist business more broadly transition to the new Digital identity solution. These include:

• Ability to migrate AUSkey authorisations (including permissions in Access Manager) into RAM.

An authorised user will be able to migrate existing AUSkeys and convert them to business

authorisations in RAM. These will be subject to acceptance by the authorised party

• Working with government agencies to transition their portals to accept the new credentials

via Business Authorisation Manager (BAM)

• Encouraging business representatives to create a myGovID now, begin

claiming and authorising businesses in RAM and managing existing

AUSkeys. The next slide will explore what you can do now to prepare

based on what is currently available.

12

How we are supporting business transition from AUSkey


Tight timeframes – What DSPs and users can do now to prepare for

AUSkey replacement


What DSPs can do now as a software provider

• Test new machine credential in EVTE for SBR2.

What DSPs can do now as a business

• Review your associate details in the ABR to ensure they are correct and current

• Review current AUSkeys

• Review business appointments in Access Manager

• Setup myGovID on an iOS device

• Associate should link their business in RAM.

All DSPs are encouraged to test software against the new machine credential and MAS ST service in EVTE. To do this, you will need to do the following:

• Contact DPO to get the testing package

• Update your software to new endpoint in your SBR2 EBMS client

• Download the keystore and install the new test machine credential

• Undertake conformance testing using conformance suites relevant to your products.

SBR 1 will be available soon and we will advise you when available.

14

M2M future testing


M2M trial for SBR2 was conducted with DSPs from 29 April to 14 June

21 DSPs participated with 11 DSPs successfully completing the trial, feedback included:

• ‘It really was just a plug and play from the old method.’

• ‘With no more than one hour’s work, I was able to implement M2M within my payroll system.’

The trial enabled participants to identify the necessary changes to software in preparation for the production

release. Points to note include:

• DSPs identified a difference in character length of the STS time stamp length, ATO (3) and VANguard (5).

The character length restriction of 3 has been highlighted in the test kit.

Next Steps

• A trial release of M2M for SBR1 is in development and a small EVTE trial will commence shortly.

• As the M2M solution will remain in EVTE for SBR2 we strongly recommend all DSPs test software against the

new Machine credential to identify necessary changes before the production release.

15

EVTE trial outcome


Cloud software vs desktop users will be impacted as outlined below:

• You will not notice any change, nor any disruption to

your business. The Digital Service Provider (DSP)

will undertake the action to deploy updated software

and obtain the new credential.

• You will need to get an updated version of

the software

• Obtain a machine credential via RAM

• Store the machine credential in an appropriate

place

• Install the software and direct the software

to the machine credential keystore

(if required).

Business Entity Digital Service Providers (DSP)

• You will need to get a machine credential via RAM

• Store the machine credential in the same place

as the device AUSkey is currently stored

• Update cloud software product to consume new

credential by updating the endpoint

• Deploy updated cloud software product

• The existing Cloud relationship in

Access Manager will continue to

be recognised.

• You will need to create an updated version of

the software

• Deploy the updated software to users

• Provide instructions to users about installing

machine credentials (or direct users to ATO

published instructions).

Deskto

p/o

r L

ocally

Ho

ste

d S

oft

ware

C

lou

d S

oft

ware


AUSkey Replacement | Impacts of the new M2M solution

Users who require a form of Cross entity authorisation (XEA) will be impacted as outlined below:

Existing XEA relationships will continue to be recognised in AM (Access Manager). Currently, a credential

(device AUSkey) is applied to this relationship in AM. When a business with XEAs gets a new machine

credential, an authorised representative is required to apply this to the existing XEA relationships.

Entities can then continue to lodge on behalf of other entities via SBR software.

Entities required to lodge information for other entities via SBR software


AUSkey Replacement | M2M solution – Cross entity authorisation (XEA)

July 2018

Private beta

Business

Oct 2018

Private beta

expansion

Business and

Tax Agents

June 2019

Public beta

Business

Portal

Sept 2018

Private beta

Tax Agents

July 2019 Sep 2019

Private Beta

1st step to AUSkey

transition functionality

• Users were able to

obtain a myGovID (iOS)

• Set up a businesses in

RAM (one only)

• Authorise a business

representative (full

access)

• Log into Business

Portal / Online Services

for Agents on behalf of

the business.

Private Beta

Enhancements

• Set up multiple

businesses in RAM

• Select from a list of

businesses when

accessing the Business

Portal or Online

services for agents

Public Beta for

Business Portal

• Log into the

Business Portal

with a myGovID

(iOS)

• Manage

authorisations in

RAM (including

modify

authorisations)

Private Beta

myGovID (Android)

myGovID available for

Android

Custom

Permissions

RAM integration

with Access

Manager to

customise

permissions to

support ATO

Online for Agents

2018 2019 2020

Public Beta

Release for

Tax Agents

• Log into

Online

services for

agents with a

myGovID

Aug 2019

Business to Business (B2B) discovery

Private Beta for

M2M solution

SBR / DSPs can

install and test

new machine

credential in test

environment

Public Beta for

Device AUSkey

replacement solution

• Users can create a

machine credential

to secure M2M

transactions

On-boarding of

AUSkey relying

agencies

• Commence

production release

of AUSkey relying

services

We are here

Marc

h 2

020 A

US

key D

EC

OM

MIS

SIO

NE

D

April 2019

Private

beta

M2M

May 2019

myGov

change to

2FA

MyGov change to 2FA

New myGov users will not

be able to link to ATO

Online if they are not using

2 Factor Authentication

June 2019

Q2 Release

Private Beta

Release for Tax

Agents

• Log into Online

services for

agents with a

myGovID

Completed Monitoring What’s next

Public Beta

myGovID

(Android)

myGovID available

for Android

• Ability to authorise one business to act on behalf of another business

Oct 2019


AUSkey Replacement | Release Plan

Public Beta

AUSkey Transition

Future Enhancements

• Import AUSkey users

in RAM tool

• Bulk authorisations

• Commence on-

boarding AUSkey

relying agencies

• Commence on-

boarding other ATO

AUSkey relying

services i.e. DSP,

DASP, ABR

Digital Partnership

Office (DPO)

RAM/myGovID

support web pages

AUSkey Information

Line

IVR options:

• myGovID

• RAM

• Online Services for DSPs

• softwaredeveloper.ato.gov.au

• ato.gov.au

• ABR/AUSkey

• RAM site

• myGovID site

DSP

Customer Service Representative

A number of support options will be available to DSPs and end users via online or phone. Client enquiries will be

managed in the same way that AUSkey clients are currently managed. Phone support for clients who have issues with

myGovID/RAM will be managed under the ATO’s general support framework and DSPs will be supported via the Digital

Partnership Office.

on-line

phone

Support for DSPs and users


Setting up myGovID &

Relationship Authorisation Manager (RAM)

You will need to:

• use an iOS/Android device (Android delivery expected Oct 2019)

• provide an email address

• provide two Australian identity documents from:

Driver licence or learner permit

Passport

Medicare card.


Set up myGovID (once only) | Preconditions

Step 2 Create myGovID account

Step 1 Download myGovID app from app store on your phone

Setup myGovID (once only)

User is prompted to create a myGovID when accessing an online service or can go directly

to the app store and find the myGovID app

Enter and verify email address, enable touch ID/face ID, provide personal details

and create password

Now IP1


Set up myGovID (once only)

Identity document attributes provided, verified with Document

Verification Service (DVS) x2

myGovID is now ready to be used to login and access government

online services

Now IP2

Strong Strong


Setup myGovID (once only)

Facial verification coming soon

Step 3 Build identity

Step 4 Digital identity created

Liveness capture, facial image matched and

verified against photo ID document with Facial

Verification Service (FVS)

Will be IP3

Set up myGovID (once only)

Input myGovID email address and select login Navigate to https://authorisationmanager.gov.au

and select continue


How to use your myGovID to access RAM

Step 2 Provide myGovID credential

Step 1 Navigate to RAM

https://authorisationmanager.gov.au/

Locked screen initial notification

Step 4 Phone notifications

Step 3 myGovID displays access code



Unlocking screen notification

User gains access to RAM User enters the code in myGovID app on mobile phone to gain access to RAM

Step 6 Access to RAM

Step 5 Enter access code on phone




A one time process to link your business in RAM

Setup business authority in RAM

Step 1 Log into RAM and select

‘Link your business’

Validates user against businesses where they are listed as an eligible associate in the ABR

Step 2 Enter an address for tax purposes

John

Citizen

Business relationship set-up and can now be used to manage authorisations for others


Setup business authority in RAM

Step 3 Select business to bring into RAM

John Citizen

Aelert

Log into RAM (as previously demonstrated)


Authorise employee (and give Machine Credential Administrator [MCA] role)

Step 1 Principal authority or Auth Admin logs into RAM with their myGovID

Step 2 Principal authority or Auth Admin clicks on

‘Manage Authorisations’ in RAM

User enters authorisation code from email

John Citizen


Authorise employee (and give MCA role)

Step 3 User puts business in focus

All business the user is authorised for will appear in the business view screen

Step 4 A list of authorised business

representatives is shown

All users authorised for the business will appear in the business view screen

John Citizen

Aelert 45001242101

Citizen, John Principal Authority



Step 6 Complete authorisation request for

business representative

Determine authorisation and access level required for user

Determine authorisation and access level required for user

Step 5 Complete details

for business representative



Step 8 Employee now appears as pending in business view

Users will appear in the business view as pending until they have accepted the

authorisation

Step 7 Confirm and send

authorisation request

Review and confirm authorisation request

Citizen, John Principal Authority

Jones, Isla



Step 9 Employee obtains authorisation

code via email

Employee receives email with authorisation code and instructions on what to do next


Employee accepts authorisation (including MCA role)

Step 1 Employee obtains authorisation

code via email

Employee receives email with authorisation code and instructions on what to do next

User logs into RAM with their myGovID

Step 2 Employee logs into RAM with their myGovID

Step 4 View authorisation request and accept

User enters authorisation code from email

User views detailed Summary of request and option to accept authorisation



Step 3 Enter authorisation code

Amelia Murphy

Yes

Isla Jones

Isla Jones Isla Jones

Isla Jones

[email protected]



Step 5 The authority has been granted

Aelert 45001242101

Isla Jones

Isla Jones

Employee creates and downloads a machine credential


MCA finds the business that they are authorised for and then clicks on the business they wish to create

a machine credential for

Step 1 MCA clicks on ‘Manage authorisations’

Step 2 MCA puts their business in focus

Aelert



The MCA then clicks on Manage credentials in order to go to the Create and download a new machine

credential page

A message and link is displayed if the system is unable to detect a valid Browser Extension. The link takes the

user to the RAM website where they can view information and download the Browser Extension

Step 3 MCA clicks on ‘Manage credentials’

Step 4 An M2M Browser Enabler is required

in order to download



Once the Browser Extension has been installed the MCA clicks on ‘Create machine credential’ to create

a new machine credential

The Keystore Path is automatically generated but can be updated if required. Users enter a Keystore Password of their

choice and the name they would like the credential to be known as. The Machine Credential Custodian is automatically

generated and cannot be updated

Step 5 MCA clicks on ‘Create machine credential’

Step 6 Creating a machine credential



Step 7 Credential installed

Step 8 Machine credential now displayed

The request is submitted and the machine credential created

Isla Jones

High level flow for obtaining a machine credential



High level flow for obtaining SAML access token (backward compatible to SBR)

• AUSkey will be decommissioned in March 2020

• The M2M solution will soon be available and you will need to get onboard as you begin to prepare

• The new machine credential will be available in production from mid September 2019

• New M2M solution will be available from end of October 2019

What you need to do

To test the M2M solution in EVTE contact the DPO via:

• Online services for DSPs (OS4DSPs):

• Log in using your AUSkey

• Complete the SBR developer registration or new contact registration form (new users only)

• Navigate to the M2M credential group and submit a ‘Register for M2M testing in EVTE’ request

• If you cannot use OS4DSPs you can email [email protected]

Once you receive the welcome pack you will be able to test the new machine credential in EVTE.

Next steps


mailto:[email protected]


Further information

Further information is available at the following:

• https://www.mygovid.gov.au/

• https://info.authorisationmanager.gov.au/

M2M information:

• https://softwaredevelopers.ato.gov.au/

• DSP Newsletters

• Account Manager

In addition, you will see an increase in information across a range of forums providing updates

on AUSkey transition / M2M solution.

https://www.mygovid.gov.au/

https://info.authorisationmanager.gov.au/

https://softwaredevelopers.ato.gov.au/

https://softwaredevelopers.ato.gov.au/

Questions and Answers

welcome [softwaredevelopers.ato.gov.au] · 2019-08-29 · • bam will enable agencies to accept...

Documents