Getting ready for AUSkey decommissioning

At the end of March 2020, AUSkey will be replaced by myGovID and Relationship Authorisation Manager (RAM) – our new authentication and authorisation services – to access government online services on behalf of a business.

Device AUSkey will also be replaced by new machine credentials which are a component of the Machine to Machine (M2M) authentication solution.

Note: AUSkeys will continue to be supported until the end of March 2020.

Together, these new services provide a flexible, easy and secure way to access government online services.

This page includes information on myGovID and RAM and outlines the steps you need to take as both a business and a digital service provider (DSP) to move to these new services, including implementing the M2M solution to support machine credentials.

Note: The steps you need to take will depend on your circumstances and whether you are a Cloud service provider, Sending service provider (SSP), Gateway provider or desktop product developer.

myGovID

myGovID is an authentication service that allows you to prove who you are when accessing government online services. It's like the 100 point ID check, but on your smart device. Your myGovID is unique to you and can be used for both your personal and business matters. It is different to a myGov account.

The myGovID app is available to download from the App Store and Google Play. To set up a myGovID with a ‘Standard’ identity strength, you will need two of the following Australian identity documents:

  • passport (not more than three years expired)
  • driver’s licence (including learner permit)
  • Medicare card
  • birth certificate.

In the future, you will be able to use other types of identity documents.

You can link your Australian business number (ABN) to your myGovID using RAM to act online on behalf of a business. See Relationship Authorisation Manager.

Note:

  • If you do not have the Australian Government issued identity documents outlined above, you will not be able to obtain an IP2 standard myGovID at this time. You will only be able to obtain an IP1 basic level myGovID authorisation from a business representative with an appropriate role (authorisation administrator or principal authority) in RAM.
  • myGovID cannot be used for SBR services. See M2M solution and machine credentials for further information.

What you can do to prepare

Check if you’re eligible to set up your myGovID now.

See the myGovID website for more information including participating government online services.

Digital service providers will be able to access Online services for DSPs via myGovID from early 2020.

Relationship Authorisation Manager (RAM)

RAM is an authorisation service that allows you to link your myGovID to an Australian business number (ABN) and act on behalf of a business/entity online.

To link your Australian business number (ABN) to your myGovID using RAM you need to be the principal authority. The principal authority is the sole trader or eligible individual associate* listed on an ABN in the Australian Business Register (ABR).

In the future, businesses/entities with non-individual associates, such as trustee companies, will also use RAM.

RAM protects your business/entity, ensuring only you and authorised users can access a government online service and transact for your business. Once the principal authority has linked the business/entity ABN in RAM, they can manage authorisations for employees. For example, authorise someone as an authorisation administrator or machine credential administrator.

*An associate in this context is a person whose identity has been established/verified and is listed in a Business Entity’s ABR entry, as an ‘associate’ of that Business Entity.

What you can do to prepare

We recommend you identify and engage your principal authority to ensure they are aware of their responsibilities in the process. The principal authority should also identify authorisation administrators and machine credential administrators (MCAs).

Anyone who will be acting on behalf of your business/entity online will also need a myGovID to log in to RAM and accept the authorisation.  

See the RAM website for more information.

M2M solution and machine credentials

Machine credentials allow digital service providers, businesses and registered tax and BAS agents to interact with ATO online services through their SBR-enabled software.

The M2M solution and machine credentials replace the current AUSkey device certificate and are used to consume SBR services. A myGovID cannot be used for SBR lodgments, and conversely, you cannot use machine credentials to access government online services. The ATO will host the M2M MAS-ST service and you will no longer call VANguard for a SAML token.

Desktop software developers will need to distribute an updated version of their software with an updated authentication endpoint.  Desktop clients will use RAM to create and install a machine credential on their device.

Users of cloud software will be reliant upon their cloud service provider (CSP) to create the appropriate machine credential and update the authentication service endpoint.

A machine credential will be created by the principal authority or machine credential administrator in RAM. Before creating the machine credential you will need to download and install the browser extension software compatible with your device’s operating system.

See Machine credentials on the RAM website for more information.  

M2M solution: EVTE and production

EVTE

We encourage you to test the M2M credential in the External Vendor Testing Environment (EVTE). It is important to test early to ensure your software is compatible, and complete all testing before the end of 2019.

Next steps:

If you haven’t started EVTE testing yet, register now to start testing your software with the new credential. If you experience any issues in EVTE you can provide feedback or request assistance via Online services for DSPs.  

The process is similar to conformance testing in EVTE. Download the new M2M keystore from Sharefile and change the authentication endpoint from VANguard STS to the new MAS-ST service and you’re ready to test.  You will still be able to test with your Device AUSkey as well as the machine credential after your software has been updated to the new endpoint.  

See M2M authentication solution for more information.

Moving to production

The principal authority for your business must log in to RAM using their myGovID and claim the business. Before doing so, they should check all details in the Australian Business Register (ABR) are up-to-date and accurate. This will ensure RAM is using accurate details to establish the link.

Once the principal authority has linked their business ABN (verified against their record in the ABR) in RAM, they can authorise others to act for the business with a range of government online services. This includes setting up authorisation administrators, who can then set up authorisations for others.  

The ‘Import AUSkey user’ function in RAM makes it easy to bulk transfer permissions (as granted in Access Manager) and preferences of existing AUSkey users (not device AUSkey) associated with your business.

You will need to create a machine credential in RAM if you are the principal authority or machine credential administrator (MCA). To prepare, the principal authority or authorisation administrator can authorise a user as a machine credential administrator (MCA). Machine credentials replace AUSkeys when using SBR services through your software. Before creating the machine credential you will need to download and install the browser extension software compatible with your device’s operating system.

See Authorisations on the RAM website for instructions on authorising your employees.

Cloud Service Provider (CSP)

As a CSP you need to create a machine credential in RAM. Before creating the machine credential you will need to download and install the browser extension software compatible with your device’s operating system.

Once a machine credential has been created and downloaded, you can update the authentication service endpoint as documented in ATO SBR Physical End Points (DOCX, 310KB).  

Install the machine credential plus the authentication service endpoints and you are ready to transact with SBR.

This change is transparent to your clients and should not disrupt their normal business processing.

As the MAS-ST service is backwards compatible with Device AUSkeys you can update the endpoint prior to installing the new machine credential. You should not install the new credential without updating the endpoint.

Sending service provider (SSP) or Gateway provider

If you are an SSP or Gateway provider your processes are closely related to CSPs in the implementation of Device AUSkeys, and you should refer to the advice for CSPs above. If you feel your implementation does not fit the model described, request assistance via Online services for DSPs.

Desktop software provider

As a desktop software provider, the process to move to the new machine credential must be done in conjunction with your clients. While the authentication service endpoint is defined in your software, your clients’ readiness to use the new credentials must be considered. The following should be considered when planning your change:

  • Your software needs to be changed to use the new MAS-ST endpoint for authenticating with a machine credential.  Depending on your deployment model not all of your clients will install your software updates at the same time. Leaving this change until the last moment may leave your clients unable to transact when their AUSkeys cease at the end of March 2020.
  • While the MAS-ST service is backwards compatible with Device AUSkeys, it does not support Administrator or Standard AUSkeys. Changing to the new endpoint before your clients are ready will mean individual AUSkey holders will not be able to use the SBR services.
  • Alternatively, you can operate all AUSkeys and machine credentials in parallel until the end of March 2020 by changing your software to support both endpoints based on the credential used by your client.
  • If your clients have issued individual (Admin or Standard) AUSkeys to their staff, and they wish to maintain this business model, they can replace the individual AUSkeys by assigning a customised machine credential.

    Separate guidance will be provided to assist clients with implementing the machine credential in a way that best suits their requirements.
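
The compatibility rules in the considerations above, together with the CSP advice not to install the new credential without updating the endpoint, can be turned into a pre-rollout check. The following is an added example, not ATO code: the credential labels, endpoint labels, client names and the reading of "end of March 2020" as 31 March 2020 are assumptions made for illustration.

```python
from datetime import date

# Assumption: "end of March 2020" is read as AUSkeys working through 31 March 2020.
AUSKEY_LAST_DAY = date(2020, 3, 31)

# Endpoint labels only; the real URLs are in "ATO SBR Physical End Points".
VANGUARD_STS = "VANguard STS"
MAS_ST = "MAS-ST"

AUSKEY_TYPES = {"device_auskey", "admin_auskey", "standard_auskey"}
MACHINE = "machine_credential"


def check(credential, endpoint, on_date):
    """Return (ok, reason) for one credential/endpoint pairing on a date."""
    if credential not in AUSKEY_TYPES | {MACHINE} or endpoint not in (VANGUARD_STS, MAS_ST):
        return False, "unknown credential type or endpoint"
    if credential in AUSKEY_TYPES and on_date > AUSKEY_LAST_DAY:
        return False, "AUSkeys have ceased"
    if credential == MACHINE:
        if endpoint != MAS_ST:
            return False, "machine credential installed without updating the endpoint"
        return True, "ok"
    if endpoint == MAS_ST and credential != "device_auskey":
        return False, "MAS-ST does not support Administrator or Standard AUSkeys"
    return True, "ok"


def audit(fleet, on_date):
    """List (client, reason) for every client whose pairing would fail."""
    results = ((client, check(cred, endpoint, on_date)) for client, cred, endpoint in fleet)
    return [(client, reason) for client, (ok, reason) in results if not ok]


# Constructed sample fleet: (client, credential in use, endpoint the software calls).
FLEET = [
    ("client-a", "device_auskey", MAS_ST),
    ("client-b", "standard_auskey", MAS_ST),
    ("client-c", "admin_auskey", VANGUARD_STS),
    ("client-d", MACHINE, VANGUARD_STS),
    ("client-e", MACHINE, MAS_ST),
]

if __name__ == "__main__":
    for when in (date(2020, 2, 1), date(2020, 4, 1)):
        print(when, audit(FLEET, when))
```

Running the audit for a date before and after the cut-off shows which clients a single-endpoint release would strand and which ones still hold AUSkeys that stop working.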

If your network is locked down you may need to work with your IT division to deploy the extensions to relevant users.

More information on setting up and using machine credentials as an alternative to individual AUSkeys will be available soon.

Other resources

We will continue to support you by keeping you up-to-date with the latest guidance material. We will also engage with you on your implementation plan to help you get ready to move from AUSkey to myGovID and RAM.

The following resources are available to support you and your users with the move to myGovID and RAM.

Stay informed

To get the latest information on AUSkey decommissioning, subscribe to our Digital service providers newsletter.

Contact us

For more information or to request assistance contact DPO@ato.gov.au or use Online services for DSPs.