Date: 2022-10-18

Millions of users of the highly successful Service NSW app and online portal are set to be given multi-factor authentication (MFA) tools for their MyServiceNSW accounts, as the state government significantly ups its cybersecurity posture amid a sharp rise in malicious activity.

The move was revealed by NSW minister for customer service and digital government, small business, and fair trading Victor Dominello on Tuesday as Service NSW began piloting MFA for users. The pilot will initially be confined to SMS, and the second factor will be required at log-in for those who opt in.

It comes as NSW doubles down on hardening its touchpoints and back-end systems following the Optus hack fiasco that let personal information for around 10 million customers out into the wild, although most of the information was fairly low-value in terms of exploitability.

The challenge, literally, that government agencies face when it comes to hardening security and access controls is that putting barriers in front of people actually ruins decent user experience, something Dominello clearly wants to avoid, hence the heavy piloting before a bigger release.

“Apologies in advance — the initial pilot will not be silky smooth,” Dominello said on social media.

“Many cyber breaches occur because of weak passwords or stolen passwords. MFA isn’t a silver bullet, but it provides additional layers of security.

“It’s like going out in a snowstorm. You need to add layers to protect yourself from the cold.”

Snowstorm is one euphemism.

Dominello said that after the first iterations of MFA, Service NSW would focus “on providing more robust and convenient second-factor choices, such as push notifications through your Service NSW app.”

“Further enhancements will provide customers choice in how MFA can be applied (rather than every time a log in occurs),” Dominello said, essentially meaning the government will set baselines but users will be able to scale up security as they see fit.

“Service NSW will be working on applying MFA to specific scenarios and transactions in the MyServiceNSW account to protect customers. As an example, MFA will be required when customers want to change their bank account details,” Dominello said.

Interactions between state governments and banks, especially for revenue agencies that handle bill payments, are becoming an increasingly sensitive issue, particularly around payments security and the future of BPAY, which is highly regarded within the government.

Meanwhile, the fallout from the Optus hack is starting to settle after two weeks of heavy fire from Canberra, with the Department of Foreign Affairs now telling victims they don’t need to change their passports before travelling.

At the Department of Home Affairs, Secretary Mike Pezzullo last week told a conference that there were far worse cyber scenarios than what happened to Optus, while acknowledging the anxiety many of its customers now felt.

