BankID: A system with a secret spec, where the bank holds your secret key, there is no transparency log whatsoever (so you have no idea what your bank used that secret key for), can be used to authenticate as yourself almost everywhere, and where you can get huge, legally binding bank loans in minutes (and transfer the money away) with no further authentication.
Oh, and if you choose to not participate in this system, enjoy trying to find out the results of your covid test :-) (I ended up getting a Buypass card, but they officially support only Windows and macOS.)
We have that in Sweden too. As an expat it's a complete nightmare for me from day one. Getting my bank to successfully issue it was impossible.
First, in the days before mobile bank-id, they sent Windows-only hardware as I recall. Then came the days of letters/cards/hardware getting lost in the mail.
I gave up on it in the end. I have multiple things (banking-wise) I no longer have online access to because of it.
If you're going to make one system to rule them all you need to make sure the logistics actually work.
(3 years ago I moved to Norway)
It took me about a month to get into the system, but once I had my national ID it took about a week for my MFA dongle to arrive. After that it has been a great experience.
There's significant bi-partisan resistance, in the US, to anything like a national ID, unfortunately, with the result that we have one anyway (because of course we do, the modern world doesn't work without it) it's just an ad-hoc combination of other forms of ID, terrible to work with, heavily reliant on commercial 3rd parties, unreliable, and laughably insecure. But the end result is still a whole bunch of public and private databases that personally identify us and contain tons of information—kind of by necessity, actually, since our ID is a combination of tons of things.
It's a very frustrating situation. Worst of both worlds.
I've done some thinking about this, and a possible solution is a bunch of cross-signed CAs like the Federal common policy / FPKI for cross trust amongst federal agencies, but done at a state DMV / DPS level. Driver's licenses / state IDs could have certs embedded into the cards and then be used for things like accessing government websites, banks, etc. Yes there are some access concerns, and some privacy concerns that this is in essence a national ID, but what we have now is horribly broken, and we're already being tracked. We get all the downside of pervasive tracking, but none of the upside.
Here in Czechia we have BankID and it is problematic:
1) No verification that the user trusts that particular bank to perform this service. Most banks just deployed BankID for all their customers.
2) No verification between bank and government ensuring that a particular person can be represented by a particular bank. In principle a bank could impersonate a person even if that person has no legal relation with that bank.
3) Bank authentication is generally bad. Either login+SMS, or proprietary smartphone applications. No FIDO U2F or any token based systems.
Fortunately, there are also alternatives for identification to government services:
1) Government ID card with a smartcard chip. But not everyone has the new version of the ID card (the old version does not have a chip). It also requires separate hardware (a smartcard reader) and some software middleware.
2) MojeID service (mojeid.cz) that uses FIDO U2F token.
Disclaimer: working for CZ.NIC org that also offers MojeID service.
#2 and partially #1 are solved by regulation and reputation: banks are a highly regulated business, and BankID support requires a specific security audit.
Ad #3: FIDO is basically unusable for banking. It's designed for user authentication, not transaction signatures which banks need (and must do because of the PSD2 regulation).
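The distinction drawn above between authenticating a user and signing a transaction, as an added example that is not part of the original comment and not code from any bank or vendor. It contrasts a response computed over a login challenge alone with a code that also covers the amount and payee; HMAC with a shared key stands in for the device's signature, and all names, keys and account values are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key: stands in for a credential held on the user's device.
DEVICE_KEY = secrets.token_bytes(32)


def _mac(key: bytes, payload: dict) -> str:
    # Canonical JSON so both sides MAC exactly the same bytes.
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def login_response(key: bytes, challenge: str) -> str:
    """Authentication only: proves possession of the key for this challenge."""
    return _mac(key, {"challenge": challenge})


def transaction_code(key: bytes, challenge: str, amount: str, payee: str) -> str:
    """Transaction-bound: the code also covers the amount and payee shown to the user."""
    return _mac(key, {"challenge": challenge, "amount": amount, "payee": payee})


def bank_accepts_login_bound(key, challenge, response, amount, payee) -> bool:
    # Amount and payee are not covered by the response, so they cannot be checked.
    return hmac.compare_digest(response, login_response(key, challenge))


def bank_accepts_tx_bound(key, challenge, code, amount, payee) -> bool:
    # Recompute over the transaction the bank is about to execute.
    expected = transaction_code(key, challenge, amount, payee)
    return hmac.compare_digest(code, expected)


def demo() -> dict:
    challenge = secrets.token_hex(16)
    approved = {"amount": "100.00", "payee": "ACCT-A"}    # what the user saw (constructed)
    executed = {"amount": "9000.00", "payee": "ACCT-B"}   # altered after approval (constructed)
    resp = login_response(DEVICE_KEY, challenge)
    code = transaction_code(DEVICE_KEY, challenge, **approved)
    return {
        "login_bound_accepts_altered": bank_accepts_login_bound(DEVICE_KEY, challenge, resp, **executed),
        "tx_bound_accepts_approved": bank_accepts_tx_bound(DEVICE_KEY, challenge, code, **approved),
        "tx_bound_accepts_altered": bank_accepts_tx_bound(DEVICE_KEY, challenge, code, **executed),
    }
```

The login-bound check still passes when the amount and payee change after approval, while the transaction-bound code verifies only for the values the user approved.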
The problem with BankID is that for older accounts, there's no real guarantee you are who you claim to be.
I mean, sure, my bank in Norway has my account tied to a person number, but they don't actually know that when I log in with BankID that I really am the person associated with that person number. Theoretically the post office was supposed to verify my identity before they gave me the packet containing the code brick, but they forgot to do so - this was over 10 years ago before they had to register the ID details.
So basically I have a highly trusted way of authenticating to financial and government services in Norway even though nobody actually knows that I am who I claimed to be when I opened the bank account, set up BankID, etc.
There is a large contingent of non-religious people who are against it on civil liberties grounds. The resistance to it truly crosses both parties, and it requires the cooperation of the States, which makes it politically non-viable as a practical matter.
Which is why you ignore them. No reason for a nation to be held back by this type of person. Same reason you don’t take cancer treatment advice from someone who suggests juicing.
It was expedient but banks are not the orgs that should be running that.
Every nation needs to turn their Drivers ID and Passport authorities into 'Ministry of Identity' and issue fobs, passwords that can be used on the basis of some standard. Or something like that, maybe quasi distributed.
I hear people say all the time that, in the US, the Postal Service would be great for this, and I can't help but agree. Sure, they'd have to develop in-house expertise around these sorts of security systems (just as any new federal government agency put in charge of this would have to do), which could be difficult. But they have the ability to distribute forms, documentation, and tokens to pretty much everyone in the US, with physical locations nearly everywhere that can be used to reach those who don't have physical addresses.
Sesse__|4 years ago
mkohlmyr|4 years ago
adreamingsoul|4 years ago
brimble|4 years ago
seniorThrowaway|4 years ago
zajio1am|4 years ago
mormegil|4 years ago
tallanvor|4 years ago
thomascgalvin|4 years ago
jandrewrogers|4 years ago
toomuchtodo|4 years ago
jollybean|4 years ago
kelnos|4 years ago
withinboredom|4 years ago
paganel|4 years ago
adreamingsoul|4 years ago