Using myGovID, RAM and machine credentials (M2M)

At 11.59pm AEDT on Friday 27 March 2020, AUSkey is being replaced by myGovID and Relationship Authorisation Manager (RAM) – our new authentication and authorisation services.

Device AUSkey is also being replaced by new machine credentials which are a component of the Machine to Machine (M2M) solution.

Together, these new services provide a flexible, easy and secure way to access Online services for DSPs and interact with government online services through SBR-enabled software.

How you move to our new services depends on your circumstances and the type of DSP you are, whether you’re a Cloud service provider, a Sending service provider (SSP), a Gateway provider, a Desktop product developer or an On-premise enterprise software provider.

See our Frequently asked questions about myGovID, RAM, the M2M solution and moving from AUSkey to help you make the transition.

Using myGovID

myGovID allows you to prove who you are and access Online services for DSPs and other government online services.

Online services for DSPs requires your myGovID to be a ‘Standard’ level identity strength, using at least two Australian identity documents.

If you don't have Australian identity documents, some government online services such as the ATO’s Business Portal accept a ‘Basic’ level identity strength for employees or staff. The ATO is working on a solution for business directors or associates on the ABR who don't have Australian identity documents and are unable to set up their myGovID.

Download the myGovID app from the App Store or Google Play and set it up by adding your identity documents to achieve a ‘Standard’ identity strength.

Visit the myGovID website for more information, including participating government online services.

Note: myGovID cannot be used for SBR services. You will need a machine credential to transact with the ATO through your software.

Using Relationship Authorisation Manager (RAM)

Relationship Authorisation Manager (RAM) is an authorisation service that allows you to link your myGovID to a business or entity and act on its behalf online. You need myGovID to access RAM.

To get started with RAM, the principal authority first needs to set up their myGovID and link to their Australian business number (ABN) in RAM. Once linked, they can set up authorisations for employees and others to act on behalf of the business. Those people then accept the authorisation in RAM.

For Standard Business Reporting (SBR)-enabled software you can use Relationship Authorisation Manager (RAM) to:

  • authorise a Machine credential administrator
  • create machine credentials to interact with government online services through your software
  • notify government agencies about the software you’ll be using to interact with them through My Cloud Software Services (Office of the Student Identifiers Registrar, Department of Employment, Skills, Small and Family Business only).

Visit the Relationship Authorisation Manager website for more information on how to get started and if you need to link your business as a Principal authority.

Using machine credentials (M2M solution)

Machine credentials allow DSPs, businesses and registered tax and BAS agents to interact with ATO online services through their SBR-enabled software. Machine credentials are installed from RAM and used in your SBR enabled software.

You’ll need to create a machine credential if you:

  • are a digital service provider who offers cloud-based SBR-enabled software. You’ll need to install it on your server to enable software authentication by third-party users.
  • use desktop or locally hosted software. This performs the same function as an Administrator or Standard AUSkey in your software. Your digital service provider will let you know when your software has been updated.

If you use cloud-based SBR-enabled software, you will not need to create a machine credential. Instead, your digital software provider will install it on their server.

To clarify, myGovID is used to log in to RAM and Online services for DSPs – not for SBR-enabled software. Machine credentials are installed from RAM and used in your SBR-enabled software to report to government online services – they are not used to log in to online services.

The ATO will host the M2M MAS-ST service and you will no longer call VANguard for a SAML token.

Who can create a machine credential

You can create a machine credential if you are a:

  • principal authority
  • machine credential administrator (MCA) as assigned by a principal authority or authorisation administrator.

Once the machine credential is created, the principal authority or MCA will be responsible for the use of it in the business.

Before you create a machine credential

Before creating a machine credential, you need to download and install the browser extension software compatible with your device’s operating system.

Installing the browser extension is only required when creating a machine credential and not required when using the credential in your software.

You may need to consult with your IT department in relation to any restrictions they have regarding installing software on your network.

Testing the machine credential (M2M solution)

Test the M2M credential and make necessary changes in your software in our External Vendor Testing Environment (EVTE).

The Digital Partnership Office can help you resolve any issues you have when updating your software to use the new credential. If you need assistance or want to provide feedback, contact us via Online services for DSPs.

The process is similar to conformance testing in EVTE. Download the new M2M keystore from Sharefile and change the authentication endpoint from VANguard STS to the new MAS-ST service and you’re ready to test. You can still test with your Device AUSkey as well as the machine credential after your software has been updated to the new endpoint.

Installing a machine credential guide

This guide provides step-by-step instructions on how to create a new machine credential for an entity in Relationship Authorisation Manager (RAM).

Step 1 - Using Chrome or Firefox, go to authorisationmanager.gov.au and select the myGovID login button.

Step 2 - Log in using your myGovID by entering the email address that you used to create your myGovID.

A code will appear. Open myGovID on your smart device, log in and enter the 4 digit code into the pop-up within the app. Tap Accept.

Step 3 - Click View or manage authorisations, machine credentials and cloud software notifications. You will be directed to a view of all the entities you can act for.

Step 4 - Select the entity you would like to create a machine credential for.

Step 5 - The entity homepage will be displayed with a list of all the authorisations for the entity. Click the Manage Credentials tab in the toolbar.

Step 6 - The Manage credentials page is displayed. If you’ve already installed the required browser extension, go to the next step. If you have not yet installed the required browser extension, a message advising that browser extension software is required will appear.

Step 7 - Select Create machine credential.

Step 8 - Enter the following information:

  • Keystore path – This will be pre-filled but can be changed if required. This is where the machine credential will be created and stored.
  • Keystore password – Choose a password. It should include at least 10 characters with no space, an upper case letter, a lower case letter, a number and a punctuation character. You’ll provide this password within your software either when setting up or authenticating. You are not required to use your myGovID password for the ‘Keystore password’.
  • Verify your keystore password.
  • Credential name – Enter a name for the machine credential. You should create a name which will help you to easily identify the machine credential.
  • Identify the Machine Credential Custodian – This will be pre-filled with your name and cannot be changed.

Tick the box to confirm you understand and accept the machine credential details. Click Download.

Step 9 – Click finish and your credential has been installed.

Step 10 – From the Manage credentials page you can create, view, revoke and claim unassigned machine credentials for the entity.

Support tools and resources

We have a range of guidance material and resources available, including instructional videos, to support you and your users with the move to myGovID, RAM and the M2M solution.

Stay informed

To get the latest information on moving to our new services, subscribe to our Digital service providers newsletter.

Contact us

For more information or to request assistance contact DPO@ato.gov.au or use Online services for DSPs.

Additional information for Cloud service providers

As a Cloud service provider (CSP) you need to create a machine credential in RAM and update the authentication service endpoint as documented in ATO SBR Physical End Points (DOCX, 310KB).

Follow the instructions on Using myGovID, RAM and machine credentials (M2M).

Once a machine credential has been created, downloaded and installed, and your software has been updated to connect to the new authentication service endpoints, you will need to “prime” your credential for use with SBR.

The first time you send a message to SBR your machine credential appears in Access Manager. While a machine credential is created with Full authorisations by default, you still need to log in to Access Manager. Select the machine credential for use in hosted SBR services you provide. When this has been completed you are ready to transact with SBR.

This change has minimal impact on CSP users. Updates to Cloud software should be clear to users and existing hosted software notifications won’t be affected. Despite this, CSPs could consider giving their users additional messaging regarding the changes to ease any concerns. Your users do not need to re-establish their hosted software service notification.

As the MAS-ST service is compatible with Device AUSkey you can update the endpoint before installing the new machine credential. You should not install the new credential without updating the endpoint.

What your users need to know

The information and advice you give to your users on these changes will vary depending on their technical knowledge. For example:

  • As your Cloud service provider, we are working closely with the ATO to ensure your software is ready and tested before all AUSkeys are decommissioned after 27 March 2020 – you do not need to do anything
  • You do not need to create a machine credential – your Cloud Service Provider is making the necessary changes to support your transition to M2M
  • You do not need to update your hosted software service notification with the ATO, this is not affected by the change
  • You should set up your myGovID and link your business in RAM as soon as possible. After 27 March 2020, AUSkey will no longer be available and the new services will be the only way for you to access government online services such as Access Manager and Online services for agents.

Additional information for Sending service provider (SSP) or Gateway providers

If you are an SSP or Gateway provider, your processes for installing machine credentials are closely related to those of a Cloud service provider (CSP).

Follow the instructions on Using myGovID, RAM and machine credentials (M2M).

If your implementation does not fit the model described under CSP, contact us for assistance via Online services for DSPs.

What your users need to know

Similar to CSPs, the information and advice you give to your users on these changes will vary depending on their technical knowledge and overall readiness for AUSkey decommissioning. Messages for your users may include:

  • As your Sending service provider/Gateway provider, we are working closely with the ATO to ensure your software is ready and tested before all AUSkeys are decommissioned after 27 March 2020 – you do not need to do anything
  • You do not need to create a machine credential – your Sending service provider/Gateway provider is making the necessary changes to support your transition to M2M
  • You should set up your myGovID and link your business in RAM as soon as possible. After 27 March 2020, AUSkey will no longer be available and the new services will be the only way for you to access government online services such as Access Manager and Online services for agents.

Additional information for Desktop software providers

Desktop software providers need to distribute an updated version of their software with an updated authentication endpoint to support the new machine credentials. When you move to the new machine credential, it must be done in conjunction with your users.

Desktop software users may need to use RAM to create and install a machine credential on their device.

Follow the instructions on Using myGovID, RAM and machine credentials (M2M).

Not all desktop software users need a machine credential. If your users transact with the government through a Gateway, a Sending service provider or other third party integration service, they will sign transactions on your behalf.

What you need to do

To make the move to a machine credential and support your users with their transition you need to:

  • Change your software to use the new MAS-ST endpoint for authenticating with a machine credential.
    • Depending on your deployment model, not all of your users will install your software updates at the same time.
    • Leaving this change until the last moment could mean your users are unable to transact when their AUSkey no longer works after 27 March 2020.
  • While the MAS-ST service is compatible with Device AUSkey, it does not support Administrator or Standard AUSkey.
    • Changing to the new endpoint exclusively before your users are ready means individual AUSkey holders won’t be able to use SBR services.
  • Or, you can operate all AUSkeys and machine credentials in parallel until 27 March 2020.
    • You can do this by changing your software to support both endpoints based on the credential used by your user/s.
  • If your users have issued individual (Administrator or Standard) AUSkeys to their staff, and they wish to maintain this business model – they can replace individual AUSkeys by creating a customised machine credential for authorised staff.

What your users need to know

The information and advice you give to your users on these changes varies depending on their technical knowledge and overall readiness for AUSkey decommissioning. If you regularly transact with government online services using a third party service provider, for example, if you use a Sending service provider (SSP), you may want to tell your users of the changes being made by that SSP.

If your users hold their own AUSkey to transact with the government through your software, messages for your users may include:

  • You need to set up your myGovID and link your business in RAM as soon as possible – after 27 March 2020 you need to use our new services to access government online services such as Access Manager and Online services for agents
  • As your desktop software provider, we will tell you when we’re giving you updated software and that you need to install it before 27 March 2020
  • We will tell you when you need to install your machine credential
  • You need to replace any AUSkeys with a machine credential to transact through our software
  • You will need to add your existing business appointments to your new machine credential – check your details in Access Manager are correct after you send your first transaction.
  • Not all desktop software users need a machine credential – If you transact with the government through a Gateway, a Sending service provider or other third party integration service, they will sign transactions on your behalf.

Additional information for On-premise enterprise software providers

When you move to the new machine credential, it must be done in conjunction with your users.

While the new credential’s authentication service endpoint is defined in your software, your users also need a machine credential. Not all enterprise software users need a machine credential. If your users transact with the government through a Gateway, a Sending service provider or other third party integration service, they will sign transactions on your behalf.

Follow the instructions on Using myGovID, RAM and machine credentials (M2M).

What you need to do

To make the move to a machine credential and support your users with their transition:

  • Change your software to use the new MAS-ST endpoint for authenticating with a machine credential.
    • Depending on your deployment model, not all of your users will install your software updates at the same time.
    • Leaving this change until the last moment could mean your users are unable to transact when their AUSkey no longer works after 27 March 2020.
  • While the MAS-ST service is compatible with Device AUSkey, it does not support Administrator or Standard AUSkey.
    • Changing to the new endpoint exclusively before your users are ready means individual AUSkey holders won’t be able to use SBR services.
  • Or, you can operate all AUSkeys and machine credentials in parallel until 27 March 2020.
    • You can do this by changing your software to support both endpoints based on the credential used by your user/s.
  • If your users have issued individual (Administrator or Standard) AUSkeys to their staff, and they wish to maintain this business model – they can replace individual AUSkeys by creating a customised machine credential for authorised staff.
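
The parallel-running option above (also listed under Desktop software providers) can be implemented as a per-credential endpoint choice. This is an added example, not ATO code: the endpoint URLs are placeholders, the function and type names are hypothetical, and it assumes your software already knows which kind of credential a user has loaded.

```python
from datetime import datetime, timedelta, timezone
from enum import Enum

# Cut-off stated on this page: 11.59pm AEDT, Friday 27 March 2020 (AEDT is UTC+11).
AUSKEY_CUTOFF = datetime(2020, 3, 27, 23, 59, tzinfo=timezone(timedelta(hours=11)))

# Placeholder URLs (assumption). Use the values in "ATO SBR Physical End Points".
VANGUARD_STS = "https://vanguard-sts.example.invalid/"
MAS_ST = "https://mas-st.example.invalid/"


class Credential(Enum):
    MACHINE_CREDENTIAL = "machine credential"
    DEVICE_AUSKEY = "Device AUSkey"
    ADMINISTRATOR_AUSKEY = "Administrator AUSkey"
    STANDARD_AUSKEY = "Standard AUSkey"


AUSKEYS = {Credential.DEVICE_AUSKEY, Credential.ADMINISTRATOR_AUSKEY,
           Credential.STANDARD_AUSKEY}
# MAS-ST accepts machine credentials and Device AUSkey, not individual AUSkeys.
MAS_ST_COMPATIBLE = {Credential.MACHINE_CREDENTIAL, Credential.DEVICE_AUSKEY}


class CredentialRetired(Exception):
    """Raised when an AUSkey is presented at or after the cut-off."""


def select_token_endpoint(credential, now):
    """Return the authentication endpoint to call for this credential type."""
    if now.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime; the cut-off is in AEDT")
    if credential in AUSKEYS and now >= AUSKEY_CUTOFF:
        raise CredentialRetired(f"{credential.value} no longer works; "
                                "create a machine credential in RAM")
    # A machine credential is never sent to the old endpoint.
    if credential in MAS_ST_COMPATIBLE:
        return MAS_ST
    # Administrator and Standard AUSkey stay on VANguard STS until the cut-off.
    return VANGUARD_STS


def blocked_at_cutoff(users):
    """Names of users whose current credential stops working at the cut-off."""
    return sorted(name for name, cred in users.items() if cred in AUSKEYS)


# Constructed sample data: which credential each user currently has installed.
SAMPLE_USERS = {
    "payroll-server": Credential.MACHINE_CREDENTIAL,
    "j.citizen": Credential.STANDARD_AUSKEY,
    "batch-lodger": Credential.DEVICE_AUSKEY,
}

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print("still to migrate:", blocked_at_cutoff(SAMPLE_USERS))
    print(select_token_endpoint(Credential.MACHINE_CREDENTIAL, now))
```

Running blocked_at_cutoff over your own user records gives the list of people to contact before the old endpoint path is removed.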

Large businesses or entities using on-premise software

Large entities may operate within private cloud-hosted software services, where the enterprise software provider hosts all or part of their software in the cloud. Where that tenancy remains under the control of the customer this software is still considered to be ‘on-premise’.

As a machine credential custodian you can only upload your credential to a cloud tenancy that remains in the exclusive use and control of your company.

Reference to cloud services in these instructions is a reference to software providers that operate cloud-hosted multi-tenanted business software. Cloud service providers are endorsed under the ATO’s DSP Operational Framework, and use their device credential to sign transactions on behalf of their clients.

Control in this example refers to administrative or management access to the information contained within the tenancy and does not preclude third party infrastructure and environment management.

What your users need to know

The information and advice you give to your users on these changes will vary depending on their technical knowledge and overall readiness for AUSkey decommissioning.

If your users transact with government online services using a third party service provider, they should check with their service provider on that provider’s readiness to use the Machine to Machine solution.

If you hold a service arrangement on behalf of your users, you should let them know about the service provider’s readiness.

If your users hold their own AUSkey to transact with the government through your software, messages for your users may include:

  • You need to set up your myGovID and link your business in RAM as soon as possible – after 27 March 2020 you will need to use our new services to access government online services such as Access Manager and Online services for agents
  • As your on-premise enterprise software provider, we will tell you when we’re giving you updated software and that you need to install it before 27 March 2020
  • You need to replace any AUSkeys with a machine credential to transact through our software
  • We will tell you when you need to install your machine credential
  • You may need to add any business appointments to the new credential – check your details in Access Manager after you send your first transaction to make sure they’re correct.

If you deliver your software through a cloud tenancy your users won’t have to install the update but you need to keep them informed on when the change will occur. You should also provide them with any specific instructions on installing their credential in the cloud tenancy.