Tuesday, 13 July 2021
Department of Employment Affairs and Social Protection
467. To ask the Minister for Employment Affairs and Social Protection the reason the password length for the MyGov ID is so short, that is, not longer than 16 characters (details supplied); if there is a plan to alter this length in order to improve user and systems’ safety particularly in the context of the recent cyber-attack on the HSE; and if she will make a statement on the matter. [37848/21]
MyGovID is an online account which provides citizens with a safe, secure online identity for accessing public services. It is built on the Public Services Card and an individual’s PPSN, and links a ‘real world’ identity to an online identity.
MyGovID has been built with personal privacy and security in mind and users must set up strong passwords that comply with a number of security features. This allows customers to set up strong passwords that they can remember, helping them avail of a growing range of online services, while keeping their online identity and personal data safe.
MyGovID accounts use two factor authentication. This means a user's password is the first layer of security and a one-time PIN, sent to their verified mobile phone each time they log in to MyGovID, is the second layer of security.
My Department implements a security-by-design and defence-in-depth approach to cyber security. The Department's technical staff operate and monitor all relevant systems to the highest levels and are closely engaged with experts in the Office of the Government Chief Information Officer (OGCIO) and the National Cyber Security Centre (NCSC) to ensure best practice is followed in respect of all cybersecurity matters.
My Department continues to enhance security features on MyGovID and across all its systems. For operational and security reasons, and as advised by the NCSC, my Department does not disclose details of systems and processes which could in any way compromise those efforts.
Therefore, it is not considered appropriate to disclose arrangements in place in relation to cyber security tools and services and my Department does not comment on operational security matters.
I trust this clarifies the matter for the Deputy.