
Ditch Your Passwords? US Gov To Issue Secure Online IDs - elleferrer
http://www.forbes.com/sites/tomgroenfeldt/2013/08/21/ditch-your-passwords-us-gov-to-issue-secure-online-ids/
======
willvarfar
In Sweden, we have a similar system. The major Swedish banks issue BankID,
which is typically a Java applet you run on your computer which is provisioned
with a certificate you use to sign things.

You need this to use the online benefits and tax systems and so on.

And it works _horribly_.

The hassles I've seen people have running Java and so on are horrifying. And
the security - or lack of it - is staggering. It basically only works under
Windows and on increasingly insecure legacy browser configurations and so on.

They also use some PDFs with scripts in sometimes for forms that you have to
'sign'. I don't understand why they do this, but they do.

All in all, No No NO!

~~~
arh68
So is it horrible strictly because it's Java? Or because it's a bad idea
altogether?

~~~
laumars
That's not even remotely what he said. He was making two separate points:

1) _the problems of having to teach users how to enable Java applets._ Having
done time on a customer support desk in a past life, I know full well that
talking someone technologically inept through something like that would be
hell on Earth.

2) and a point about how this idea works out less secure in practice as you're
allowing 3rd party code to run natively on your machine, desensitising users
to running 3rd party Java applets (or even encouraging people to have them enabled
to run by default). And scripts running inside PDFs are a known vector for
attack as well.

I also disagree with the practice of pushing proprietary solutions which are
only able to work on a single platform - which it sounds like their solutions
are in spite of Java and PDF being open and cross platform standards (I'm
having to take the OP's word on that point - as I'm not a resident of the same
country).

------
beobab
Is this the same US Gov who had a bit of kerfuffle in the news recently about
some privacy issue?

~~~
RoryH
Exactly what I was thinking, I can't believe the populace is not choking on
this concept!

~~~
fnordfnordfnord
I can't wait! More ways to keep us safe! /s

------
jmadsen
This is a wonderful idea!

Think of all the money the US taxpayers will save by not needing all that NSA
gadgetry anymore! They'll just log in as you when they want to know what
you're up to

------
Spearchucker
This stuff is based on plain old identity federation. SAML protocol using SAML
assertions.

The problem is that they're outsourcing identity provision - ref. " _...such
as banks, governments, healthcare organizations, and others..._ " in the
linked article.

The article also (correctly) states that " _The credential exchange will be
designed to transmit credential information securely without knowing users’
actual identities._ "

This is neat, for sure, but isn't always required (how would a health care
provider be useful if they didn't know who you are), and is only half of what
they should be doing.

So the relying party shouldn't _always_ need to know who the user actually is,
but (much more importantly) the identity provider should _never_ need to know
where the user is conducting his or her affairs.

As an example:

You're laid off at work, and need to claim benefits. You have a mortgage, and
because you feel you can get a new job before you run out of savings that
service the mortgage, you don't want your bank to know that you've been laid
off. But guess what, your bank is your identity provider, and will know that
you've logged into the jobless benefits site. So the bank flies your mortgage
into the side of the mountain. No survivors, call off the search.

Providing this kind of asynchronous privacy (where, at the user's discretion,
the relying party cannot determine who the user is, and the identity provider
cannot determine who the relying party is) is not difficult. U-Prove is tech
from Microsoft (acquired from Credentica) that does it, and is open-source.

~~~
imgabe
What do you mean "there goes your mortgage"? Banks don't swoop in and
foreclose on your home just because you don't have a job. If you're still
making the monthly payments then your mortgage is still in good standing. They
don't care if the money is coming from a salary or your savings.

~~~
Spearchucker
It's a dramatized example intended only to illustrate the point.

~~~
imgabe
Except it doesn't illustrate the point because it's completely inaccurate and
doesn't make any sense. If you're still making payments, what does the bank
have to gain by "flying your mortgage into the side of a mountain"? What do
you even mean by that?

I get that there are ways that the bank could screw you if they're your identity
provider. What you stated is not one of them.

~~~
Spearchucker
Ok, you win.

------
regis
Hm, every new bit of news relating to the US government and the Internet makes
me question what exactly the Internet is doing for me and if I could live
without it.

Lately I've begun to realize that within the next 5 years my Internet usage
will be extremely minimal (if at all) unless there is some kind of huge change.

I'd rather just cancel all of my accounts on major websites than be forced to use
this creepy ID system.

------
sbjustin
> SecureKey, based in Toronto, today announced it has been awarded a contract
> by the USPS to provide a cloud-based authentication infrastructure.

I love that USPS, a government entity so far in the red, has the ability to
award any money at all...

~~~
snowwrestler
You would be in the red too if you were forced to keep providing an
unprofitable service, and prevented from raising your prices.

~~~
sbjustin
Another excellent example of why the government should leave these things to
the private industry or contract it out.

------
zimbatm
How long until Gov ID is required to log into Facebook and Google? Then the
government doesn't need to even ask these annoying companies to access your
data.

~~~
waldohatesyou
I give them a year.

------
chiph
Getting your credit card info stolen is a huge pain. Imagine the pain from
having your government identity stolen.

~~~
yxhuvud
Should be no different from getting your physical legitimation stolen.

~~~
chiph
The difference is the credit card company is motivated to keep you happy as a
customer. The government is more like: "Assuming this really happened --
what's he going to do - move to Liberia?"

------
programminggeek
Here is the thing, people use insecure password storage because secure
password storage retrieval is seen as either "too slow" or it is seen as "not
required". For example, how many people are still using md5 hashing for
password storage?

It seems like all the govt issuing a secure online id will do is add another
unused standard to the pile without changing the behavior that makes things
less secure in the first place.

[http://xkcd.com/927/](http://xkcd.com/927/) sums this problem up nicely.

~~~
ganeumann
Except that the government can _require_ this standard's use to file taxes,
access certain important government accounts, etc. They have the ability to
create a standard and make it stick.

~~~
Gormo
> They have the ability to create a standard and make it stick.

This is rarely, if ever, the case. I can't actually think of any technical
standards whose dominance originates from a successful government mandate.

~~~
grey-area
What has government ever done for us, apart from GPS, metric, GMT, telephony,
electrical standards, safety standards, the Internet etc?

~~~
Gormo
When military technology enters the mainstream, and becomes the basis of
technology in widespread use by the public, it goes without saying that the
original military specifications are the initial "standards" present for that
technology.

This isn't the same as the government attempting to mandate standards for
public use, especially with the intent to alter the way people are already
using technology.

In your list, only GPS represents a technology originally used by the
military, whose initial military specification still mostly describes its
current function. Everything else, and especially the Internet - which grew
out of a DARPA project, but certainly isn't one any longer - is either a vague
category (electrical/safety standards), areas in which standards have not
originated from government mandates (telephony, the Internet, time zones), or
areas in which government attempts to shift standards have been demonstrable
failures (metric usage in the US).

------
api
... that they will key escrow.

Doesn't mean you couldn't implement your own secondary key though. Sign it
with your ID and use that key for key exchange and you've defeated the escrow.

~~~
mpyne
The impression I got was that it was nothing more serious than an identity
authentication scheme, not an encryption mechanism... they don't need to
"escrow the key" (nor would it matter), they'd already be able to reset your
account whenever they feel like it anyways.

------
superuser2
Reliably verifying real-world identities online is a hard problem. I
personally don't enjoy faxing my driver's license several times to get it to
come through legibly, handing out my SSN like candy, scanning bank statements,
answering questions about previous residences, and waiting for a 48-hour
manual review process just to do any sort of business that's tied to a real
identity.

The existing system is archaic, fundamentally insecure, and horrendously
broken from a UX standpoint. As far as privacy, the federal government is
already an identity provider required by many services (in the form of social
security numbers). I have no objection to it performing that role more
securely and efficiently.

------
penguindev
Trying to navigate the spin, but this company appears to tie things like your
existing, bank issued, two-factor hardware dongle to your government identity.

Best line of the article: "The cloud-based service follows federal guidelines
to protect privacy, said SecureKey, although exactly what that means after the
Snowden revelations is not clear."

Seems unlikely to fly; surely some big megacorp - or cartel of them - wants an
exclusivity deal to make government approved ids.

BTW does anyone find it ironic that libertarian leaning programmers are so
high in demand, and well paid, by the surveillance state?

------
dcc1
Anyone else think this is the start of a slippery slope? Once enough people are
using it any other form of login could be made illegal and "citizen sheep" can
be tracked much easier by big brother NSA

------
Jgrubb
I'd love to read this, but I'm feeling a need to start boycotting Forbes
articles. Is this available anywhere else?

~~~
nwh
[http://archive.is/cT7WX](http://archive.is/cT7WX)

------
the_watcher
Why would the US government be better about protecting my account information
than companies whose business is literally identity protection?

------
segmondy
What next? Will they offer secure email services?

~~~
tobiasu
You joke, but
[https://en.wikipedia.org/wiki/De-Mail](https://en.wikipedia.org/wiki/De-Mail)

The drugs that were consumed when they came up with this must be government
issue only. Stuff's too hard for the streets..

Also, the crypto is as secure as a wet paper bag..

~~~
superuser2
You realize that the alternatives are fax, postal mail, and attachments on
cleartext emails, right?

~~~
drill_sarge
If you are having fake security like de-mail I'd rather send my official stuff
for the authorities with traditional postal mail than this.

~~~
superuser2
Why is it fake security?

~~~
drill_sarge
Use Google Translate:
[http://www.ccc.de/de/updates/2013/de-mail-unqualifizierte-ma...](http://www.ccc.de/de/updates/2013/de-mail-unqualifizierte-makulatur)

It's a big joke.

~~~
superuser2
Ah ok. So just building a separate email system and calling it "secure"
without actually doing any crypto. Nice.

------
marcuspovey
In the light of everything that has happened over the last month, this _has_
to be a joke, right?

~~~
RKearney
Well, has anything really changed? With the exception of a few small companies
shutting down to "stick it to the man", what honestly has changed? No one has
been removed from office and no revolution has started. We all sit here and
watch as it happens.

~~~
hafichuk
_We all sit here and watch as it happens._

Are you calling us all armchair dissidents?

------
tingletech
Let's bring back the clipper chip while we are at it.

------
hawleyal
"secure"

------
lignuist
Cool, can I use this as a foreigner too?

------
o0-0o
This idea is dead on arrival.

