Table of Contents
[Background](#background)
[About myID](#about-myid)
[High-level system architecture diagram](#high-level-system-architecture-diagram)
[Request for Information](#request-for-information)
[Vision](#vision)
[Overview of Business Requirements](#overview-of-business-requirements)
[High Level Requirements & Prioritisation](#high-level-requirements-prioritisation)
[Technical requirements](#technical-requirements)
[Biometric Capture and liveness Detection](#biometric-capture-and-liveness-detection)
[Technical Verification and Biometric Binding](#technical-verification-and-biometric-binding)
[Scalability](#scalability)
[Performance](#performance)
[Availability](#availability)
[Hosting](#hosting)
[Integration](#integration)
[Compliance](#compliance)
[Security and Confidentiality](#security-and-confidentiality)
[Operations, Support and Maintenance](#operations-support-and-maintenance)
[Operations](#operations)
[Vendor Implementation, Support & Maintenance](#vendor-implementation-support-maintenance)
[Maintainability](#maintainability)
[Reporting and Monitoring](#reporting-and-monitoring)
[Usability & Accessibility](#usability-accessibility)
[User Experience and Accessibility](#user-experience-and-accessibility)
[Response Instructions](#response-instructions)
[Appendices](#appendices)
[Appendix 1 – Legislation, Guidelines and Standards](#appendix-1-legislation-guidelines-and-standards)
[ATO procedures and guidelines](#ato-procedures-and-guidelines)
[Specific Requirements IT Goods](#specific-requirements-it-goods)
[Indigenous Procurement Policy Reporting](#indigenous-procurement-policy-reporting)
Background
myID, managed by the Australian Taxation Office (ATO), is the Australian Government’s Digital ID Provider operating within the Australian Government Digital ID System (AGDIS).
myID is an app installed on a smart device that enables a user to prove who they are and log on to online services. myID is accredited under the AGDIS legal framework, the Digital ID Act 2024.
The Digital ID Act 2024 and its associated Accreditation Rules establish a comprehensive framework for accrediting entities, such as identity providers, attribute service providers, and exchange providers within Australia’s Digital ID System.
> For more information visit - The Australian Government Digital ID System (AGDIS) | Digital ID System
About myID
myID currently supports three identity proofing (IP) levels:
- IP1 (Basic) - verified email address and self-asserted name and date of birth
- IP2 (Standard) - verified email address, verified name and date of birth through the verification of 2 Australian identity documents via the Document Verification Service (DVS)
- IP3 (Strong) - verified email address, verified name and date of birth through the verification of 2-3 Australian identity documents via DVS and face biometric verification against a source document (Australian Passport or Driver Licence) via the Face Verification Service (FVS)
In future, myID will support additional IP levels specified in the Digital ID Act, including:
- IP1+ - verified email address, verified name and date of birth through the verification of 1 Australian identity document via DVS
- IP2+ - verified email address, verified name and date of birth through the verification of 2 Australian identity documents via DVS and face biometric verification against a source document (where an Australian Passport is not used) via FVS
To achieve a Strong myID, users must complete a liveness test to confirm they are a real, live person. The image captured during this process is securely transmitted to the relevant document source agency (e.g. the Australian Passport Office) via the Facial Verification Service (FVS) for a 1:1 face match against the official document photo. The result of this verification, either a pass or a fail, is then returned to myID and displayed to the user.
There are currently over 14 million myIDs with over 6 million who have verified their identity to IP3 (Strong). myID is currently used to access over 240 government online services with more services coming. In the last 12 months (August 2024 – August 2025) myID was used over 95 million times to login to government online services. Further growth in adoption is expected as myID becomes available to access more online services.
High-level system architecture diagram
The below diagram demonstrates the high-level system architecture for myID.
> More information visit - Home | myID
Request for Information
Since the launch of Strong myID in 2021, the technology landscape for identity verification has evolved significantly, particularly in areas such as liveness detection and facial biometric matching. To ensure myID continues to meet the highest standards of security, usability, and inclusivity, the Australian Taxation Office (ATO) is seeking information from technology providers on their capabilities to support future enhancements.
The ATO invites responses from suppliers with expertise in identity verification technologies, specifically in relation to:
- Liveness detection and facial image capture: Solutions that can reliably detect and verify the presence of a live individual during identity verification.
- Biometric matching: Capabilities that support use cases such as authentication during service access and account recovery.
- Technical verification of credentials: Technologies such as NFC-enabled verification that can support identity verification for individuals located offshore through the verification of electronically readable identity documents (e.g. ePassports).
The ATO is seeking to explore emerging technologies and innovative solutions to address several key challenges associated with identity verification within the myID platform. Since the initial procurement of Strong myID in 2021, advancements in biometric technologies, particularly liveness detection and facial matching, have accelerated. This RFI aims to understand what new capabilities exist in the market that could enhance the security, scalability, and inclusivity of myID.
Specifically, the ATO is seeking to address the following challenges:
- The current liveness detection solution was procured in 2021. Given the pace of innovation in this space, the ATO is interested in exploring the solutions available in the market today.
- With over 14 million myID users, the ATO is looking for biometric verification solutions that can support authentication at scale. This includes enabling users to verify their identity during login or account recovery without needing to re-prove their identity through manual processes, which result in the need for call centre support.
- myID currently supports verification only against Australian-issued identity documents. This presents a gap for offshore users who need to access services but cannot be verified through existing mechanisms. The ATO is seeking information on alternative technical methods of document verification and biometric binding, such as NFC-enabled document reading, that could support identity verification for individuals outside Australia.
Vision
The ATO’s vision is to evolve myID into a future-ready, secure, and inclusive digital identity solution that meets the needs of a diverse and growing user base. We aim to leverage cutting-edge biometric technologies to enhance identity verification, streamline authentication, and improve account recovery, while maintaining the highest standards of privacy and user experience.
Overview of Business Requirements
The Australian Taxation Office (ATO) is seeking information from the market on biometric liveness detection solutions that can support the strategic objectives of the myID app. The solution must support secure, seamless, and scalable identity verification for users accessing online services.
To meet these objectives, the ATO requires a biometric liveness solution that satisfies the following core business requirements:
- Secure – Must detect and prevent spoofing, deepfakes, and other identity threats, and meet the biometric match rates (including false accept and false reject rates) defined in the Digital ID Act 2024.
- User-friendly experience – Quick, simple, and accessible for all users, including those with accessibility needs.
- Device compatibility – Works reliably across a wide range of mobile devices, platforms, browser types and operating systems.
- Accessible – Must be tested and meet minimum WCAG requirements as defined in the Digital ID Act 2024.
- Scalable – Supports high volumes of identity checks with consistent performance, reliability and uptime.
- Cost-effective – Offers a sustainable pricing model aligned with government procurement frameworks, demonstrating value for money.
- Comply with the law – Complies with the relevant liveness and biometric verification standards and disclosure requirements prescribed in the Digital ID Act 2024.
- System integration and maintenance – Seamlessly integrates with existing ATO infrastructure and future digital identity ecosystems/architecture. Upgrade and maintenance of solutions can be adopted with minimal effort and impact to production systems.
- Provides value for money – Solutions and associated costs must represent value for money for Government.
High Level Requirements & Prioritisation
Requirements are prioritised as follows for this RFI:
M – Mandatory: requirements that are essential; failure to comply will render a solution unviable.
D – Highly desirable: requirements that materially improve viability and performance.
O – Optional: value-added capabilities that are beneficial but not essential.
Technical requirements
Biometric Capture and Liveness Detection
| Requirement ID | Requirement Description | Priority (M/D/O) |
|---|---|---|
| LV-1 | The solution MUST capture biometric images of sufficient quality for biometric comparison, complying with ISO/IEC 29794-5 when generating the image quality profile of the acquired image. | M |
| LV-2 | The solution MUST implement automated image-quality controls within its biometric capability and provide clear user-interface guidance to direct a user to capture an image that meets the required image quality profile. | M |
| LV-3 | The solution MUST employ presentation attack detection (PAD) to determine whether the acquired image originates from a living human subject present at the point of capture. | M |
| LV-4 | The solution MUST complete image capture and presentation attack detection (PAD) as part of a single continuous process before the image is submitted to the ATO system for online biometric verification to prevent exploitation via separation of acquisition and PAD. | M |
| LV-5 | The solution MUST ensure PAD technology meets at least Evaluation Assurance Level 2 (Level B) as defined by ISO/IEC 30107-3:2023 and the Digital ID (Accreditation) Data Standards. | M |
| LV-6 | The solution MUST have been tested or validated by a qualified third-party biometric testing entity experienced in ISO/IEC 30107 to evidence the PAD meets Evaluation Assurance Level 2 (Level B) requirements. | M |
Technical Verification and Biometric Binding
Scalability
| Requirement ID | Requirement Description | Priority (M/D/O) |
|---|---|---|
| S-1 | The solution MUST be scalable to ensure performance requirements are met under variable and increasing usage patterns. | M |
| S-2 | The solution MUST support delivery as a SaaS solution. | M |
Performance
Availability
| Requirement ID | Requirement Description | Priority (M/D/O) |
|---|---|---|
| A-1 | The solution MUST achieve or exceed 99.95% availability. (Note: ATO provides cloud infrastructure where applicable.) | M |
Hosting
| Requirement ID | Requirement Description | Priority (M/D/O) |
|---|---|---|
| H-1 | The solution MUST be a cloud-hosted Software as a Service (SaaS) offering, delivered via a secure, scalable, and vendor-managed environment. | M |
| H-2 | If cloud-based, the Tenderer MUST describe connectivity with current AWS technologies and services, connectivity methods (e.g., AWS PrivateLink) and resources required from ATO to support connectivity. | M |
Integration
| Requirement ID | Requirement Description | Priority (M/D/O) |
|---|---|---|
| IN-1 | The solution MUST support the Microsoft MAUI development environment and provide bindings for client API access. | M |
| IN-2 | The solution MUST support operation through standard web browsers in addition to mobile platforms. This includes providing a seamless and secure user experience for individuals completing liveness verification via browser-based channels (e.g., Chrome, Safari, Edge, Firefox). | M |
| IN-3 | Where the solution is not hosted within an ATO Software Service, the solution MUST NOT require server affinity. | M |
| IN-4 | The solution MUST support silent automated deployments, including infrastructure setup (IaaS), where ATO is responsible for deployment. | M |
| IN-5 | The Tenderer SHOULD provide two short case studies demonstrating delivery of similar services in high-volume, large-scale deployments, including references. | D |
Compliance
Security and Confidentiality
| Requirement ID | Requirement Description | Priority (M/D/O) |
|---|---|---|
| SC-1 | The solution MUST be able to show evidence of ability to comply with PSPF, ISM and Essential 8 requirements and other security requirements as defined in the Digital ID Act 2024. | M |
| SC-2 | The solution MUST be able to demonstrate ability to comply with the Australian Privacy Principles. | M |
| SC-3 | The solution SHOULD secure all collected, held or used data (Personal Information, ATO Data, ATO Material, and inter-agency information) in use and at rest using ASD-approved cryptographic algorithms consistent with the Australian Government ISM or NIST. | D |
| SC-4 | The solution SHOULD include controls to ensure integrity of data generated within the client software or provided to the Facial Verification Service. | D |
| SC-5 | The solution/service MUST NOT transfer Personal Information outside Australia. | M |
| SC-6 | The solution MUST be capable of meeting relevant ISM controls to allow the ATO’s Information Security Advisor to issue certification at the PROTECTED level. | M |
| SC-7 | All Personal and ATO data MUST be hosted and stored in Australia and comply with Australian data sovereignty laws and the Data Hosting Certification Framework. | M |
| SC-8 | The Tenderer SHOULD list all products used in delivery of Licensed Software, their function, whether third-party, and any access those products have to user data. | D |
Operations, Support and Maintenance
Operations
| Requirement ID | Requirement Description | Priority (M/D/O) |
|---|---|---|
| OP-1 | The Tenderer MUST provide secure, isolated non-production (production environments) coupled with 24x7 monitoring. | M |
| OP-2 | The solution SHOULD enable dynamic, automated test environments with integration testing. | D |
| OP-3 | The provider MUST maintain data sovereignty and provide internal real-time service status visibility. | M |
| OP-4 | The solution MUST continuously monitor access and privileged activities. | M |
| OP-5 | The Tenderer MUST provide assurance that system access is limited to approved IP ranges that are regionally localised. | M |
| OP-6 | The solution SHOULD provide mechanisms to detect early indicators of stress or coercion among personnel interacting with sensitive systems. | D |
| OP-7 | The solution MUST deliver real-time alerts for high-risk or policy-violating behaviors, including biometric failures. | M |
| OP-8 | The solution SHOULD support tiered alerting based on risk severity and detect abnormal access or potential data loss incidents. | D |
| OP-9 | The solution MUST provide Australian-based NV1-cleared support, maintain compliance with ISM timelines, deliver governance reporting, and enable secure incident management via an IRAP-certified portal. | M |
| OP-10 | The Tenderer MUST offer a dedicated helpdesk, a roadmap for fraud prevention and knowledge transfer, and demonstrate experience with government identity systems and security certifications as well as SLA management and governance. | M |
Vendor Implementation, Support & Maintenance
| Requirement ID | Requirement Description | Priority (M/D/O) |
|---|---|---|
| VISM-1 | The Tenderer MUST provide solution-specific support and troubleshooting via a formal helpdesk function. | M |
| VISM-2 | The Tenderer MUST provide documented processes, manuals and operational instructions to support the solution. | M |
| VISM-3 | The Tenderer MUST provide ongoing support to ensure software is kept up to date with regular patching and updates. | M |
| VISM-4 | The solution MUST provide ongoing platform maintenance services. | M |
| VISM-5 | The Tenderer SHOULD provide roadmaps and planned updates in fraud prevention and identity technology. | D |
| VISM-6 | The Tenderer SHOULD demonstrate proven experience in successful implementation of similar systems in other Government Agencies. | D |
| VISM-7 | The Tenderer SHOULD describe emerging technologies and recommendations based on vendor research. | D |
Maintainability
| Requirement ID | Requirement Description | Priority (M/D/O) |
|---|---|---|
| M-1 | The Tenderer MUST keep Licensed Software up-to-date through maintenance and patches (including security patches) for the Licensed Software and any third-party components. | M |
Reporting and Monitoring
| Requirement ID | Requirement Description | Priority (M/D/O) |
|---|---|---|
| RM-1 | The solution MUST centrally log system activity, including security setting modifications and verification activities, and support shipping logs to the ATO’s logging system. | M |
| RM-2 | The solution MUST provide configurable metrics, dashboards and drill-down visualisations (e.g., capture time statistics, failure to enrol/acquire rates). | M |
| RM-3 | The solution MUST provide ATO with appropriate access to view logs (requests, response payloads and processing status) for troubleshooting. | M |
| RM-4 | The Tenderer MUST describe monitoring capability or integration options. | M |
Usability & Accessibility
User Experience and Accessibility
| Requirement ID | Requirement Description | Priority (M/D/O) |
|---|---|---|
| UX-1 | The solution MUST support Mobile First and Responsive Web Design methodologies. | M |
| UX-2 | The Tenderer MUST provide UI standards, UI screen designs, and UX documentation including user flow mappings. | M |
| UX-3 | The solution MUST conform to WCAG 2.1 Level AA for mobile and web browser experiences. | M |
| UX-4 | The solution MUST provide the ATO with the ability to customise user experience elements. | M |
Response Instructions
Respondents should provide, in the Part 3a Technical response form, detailed written responses mapping their capabilities to each requirement identifier above. For each requirement, include technical details, architecture diagrams, implementation approach, security controls, validation/testing evidence, and relevant certifications (if needed, attach information in separate documents). Attach case studies, third-party testing reports, and sample SLA terms where available. Responses should be concise, clearly referenced, and submitted per the AusTender process.
Appendices
Appendix 1 – Legislation, Guidelines and Standards
Respondents must demonstrate compliance with relevant Commonwealth legislation, guidelines and standards including but not limited to: the Digital ID Act 2024 (commenced 1 December 2024), Digital ID (Accreditation) Rules 2024 and Accreditation Data Standards, the Australian Government Information Security Manual (ISM), Trusted Digital Identity Framework (TDIF), ASD Essential Eight, and ATO procedures and guidelines for contractors.
Digital ID Act 2024 - Federal Register of Legislation
For the purposes of clause 12 (Additional Information) of the RFI Part 1 Conditions of Tender, the applicable ATO procedures and guidelines are the:
- Ethical business relationship statement
- ATO information security guidelines for contractors
- WH&S requirements for contractors and suppliers to the ATO
- Recordkeeping management for our contractors
Specific Requirements
In the event of a procurement process post this RFI that progresses to a contract, the Respondent must:
- Have an EMS certified or aligned to ISO 14001, or align business processes to ISO 14001 within 6 months of the Contract being signed; and must maintain EMS certification or alignment to ISO 14001 during the term of the Contract; and
- Be a signatory to the Australian Packaging Covenant or comply with the requirements of the National Environment Protection (used packaging materials) measure (unless exempt by legislation).
Indigenous Procurement Policy Reporting
In the event of a procurement process post this RFI that progresses to a contract, the Respondent must provide such written reports and evidence of its compliance with their Indigenous Procurement Policy obligations every quarter/6 months/year during the Term.
Complete and submit the following attachments:
If already completed and returned to the ATO in the last 12 months, these documents are not required.
The ATO Cyber Security reserves the right to conduct a go-no-go penetration test.

