> But the United States doesn't offer any type of universal ID, which means private institutions and even the federal government itself have had to improvise.
Oh, please! No! No! No! India bulldozed a national identification number (called Aadhaar) on its residents and it has made more people vulnerable to many kinds of attacks, including phone number hijacking, draining people’s bank accounts, etc. To say that it’s been an unmitigated disaster would be an understatement. As with things related to government, the governing organization for Aadhaar, called UIDAI, always claims that it’s completely secure, while ignoring the fact that linking one number to everything in one’s life increases the attack surface and the severity of the threats.
So please research the number of ways Aadhaar has failed, and is making some feeble attempts to recover, before getting into a “let’s create a new static number to identify people with instead of a phone number or SSN”. That’d just be changing the narrative without achieving anything.
Bottom line, it’s not the phone number that’s the problem, but having a unique and non-changing number and linking it to everything else (including one’s phone numbers).
I disagree; I think the issue is people using a mechanism for identification as a mechanism for authentication.
If all it takes to drain someone's bank accounts is to be able to uniquely identify them, then there's an enormous issue with the banking system.
> Bottom line, it’s not the phone number that’s the problem, but having a unique and non-changing number and linking it to everything else (including one’s phone numbers).
Totally disagree. Linking it to a phone number is fine, but the entire point of such a number is that you should be able to print it on your business cards or wear it on your t-shirt. :) Knowing it should grant no privileges to anyone.
Of course, I think your underlying point is that the real issue isn't that we want a good way of identifying people, it's that we want a good way of authenticating them, and we're no closer to solving that. And people keep misusing ways of identifying people as ways of authenticating them. But maybe we should be focusing on that instead?
Knowing someone's True Name is half the battle won.
If you have a means of authentication, a shared identity means you can reuse that authentication on multiple other services. It greatly increases the power of keys, or conversely, increases the danger in loss of a key.
Estonia gives everyone a smart card they can use to digitally sign things. Obviously someone can steal your card but it's pretty hard to forge otherwise.
It's a solved problem, just nobody wants to fix it.
How much trouble are you in if your card gets stolen?
Would you call a number to temporarily block it, and a fine to get a new one? If so, how does the call authenticate you?
Second question, "pretty hard to forge otherwise", is about roughly how hard? Has it been proven possible / proof of concept? Or did you mean to say you're unaware of any successful forgeries but (naturally/obviously) can't honestly claim it's totally impossible, because you never know.
I'm real curious about the Estonian smart card thing. Does it work well? Can you only sign government things with it, or really just about anything that needs your authentication? (say, commercial contracts) Does it have a private/public key type of thing so that you could also encrypt something with someone's public key so that only that one individual cardholder can ever decrypt it?
Even the identification with the same ID is considered harmful. Someone might try mass login with your ID on various platforms and observe a pattern for future social engineering.
Compared to India, Estonia is so small that it is not even funny. India is too big, too complex (16 official languages plus hundreds of dialects). Estonia's population is ~1.3 million, India's is more than one billion. The sheer scale of it changes the equation dramatically.
Add to all this, corruption is a way of life in Indian government(s) - central and local. Even if a system is solid (technology wise), there are tons of social problems to deal with.
Comparing Estonia with India is not fair at all, at any level.
This is not to take anything away from Estonia's achievement. Kudos to them for setting a great example! But their small size, having to support just one language etc gives them a tremendous advantage.
Aadhar has security flaws because the people who are responsible for it (directors etc, not coders) have their heads up their arse. When a reporter asked an official how they are trying to secure data, the answer was: "The datacenter building's surrounding wall is 13 feet high & 2 feet thick. Nobody can come & break that wall & steal data." Mind you, this datacenter is always online; & is known for pretty basic flaws.
The file they give you as an encrypted PDF of your ID is locked with the first four capital letters of your name & then your birth year. It was much touted that this password range is from AAAA to ZZZZ & 0000 to 9999, making the brute-force time 52+ years. But then, nobody born before 1918 is alive; & nobody born in 2019 & after. So 0000-9999 becomes 1918-2018. Then names: the most popular name lists are available from many sources. The 52-year brute force was proved to be 3-something minutes. The authorities' response: they filed criminal cases against those who wrote about these flaws.
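Here is an added example (not code from the thread or from UIDAI) that does the keyspace accounting the comment above sketches: each part of such a password is treated as a distribution over what is actually plausible, with a small constructed name-prefix frequency table standing in for a real published name list, and the advertised keyspace is compared with the number of candidates needed to cover half the users.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// NominalBits is the entropy an attacker would face if every string of the given
// length over the alphabet were equally likely (the "AAAA to ZZZZ" view).
func NominalBits(alphabetSize, length int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

// NominalKeyspace is the matching number of candidates.
func NominalKeyspace(alphabetSize, length int) float64 {
	return math.Pow(float64(alphabetSize), float64(length))
}

// UniformBits is the entropy of a uniform choice among n values.
func UniformBits(n int) float64 { return math.Log2(float64(n)) }

// ShannonBits is the entropy of a categorical distribution given as counts.
func ShannonBits(counts map[string]int) float64 {
	total := 0
	for _, c := range counts {
		total += c
	}
	bits := 0.0
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / float64(total)
		bits -= p * math.Log2(p)
	}
	return bits
}

// GuessesToCover returns how many candidates, most common value first, cover at
// least the given fraction of the population described by counts.
func GuessesToCover(counts map[string]int, fraction float64) int {
	vals := make([]int, 0, len(counts))
	total := 0
	for _, c := range counts {
		vals = append(vals, c)
		total += c
	}
	sort.Sort(sort.Reverse(sort.IntSlice(vals)))
	cum := 0
	for i, c := range vals {
		cum += c
		if float64(cum) >= fraction*float64(total) {
			return i + 1
		}
	}
	return len(vals)
}

// Scheme models a password made of two independent, publicly derivable parts:
// the first four letters of a name (following a frequency table) and a birth
// year drawn uniformly from a range that living people can actually have.
type Scheme struct {
	NamePrefix map[string]int
	YearCount  int
}

// EffectiveBits adds the entropies of the independent parts.
func (s Scheme) EffectiveBits() float64 {
	return ShannonBits(s.NamePrefix) + UniformBits(s.YearCount)
}

// WorkToCover is the number of candidates needed to cover the given fraction of
// users: the most common name prefixes times every plausible year.
func (s Scheme) WorkToCover(fraction float64) int {
	return GuessesToCover(s.NamePrefix, fraction) * s.YearCount
}

// ToyNamePrefixes is a constructed, deliberately tiny frequency table; a real
// audit would load a published name-frequency list for the population.
var ToyNamePrefixes = map[string]int{
	"RAJE": 30, "AMIT": 20, "SURE": 15, "PRIY": 15, "ANIL": 10, "VIJA": 10,
}

func main() {
	nominal := NominalBits(26, 4) + NominalBits(10, 4)
	s := Scheme{NamePrefix: ToyNamePrefixes, YearCount: 2018 - 1918 + 1} // 1918..2018 inclusive
	fmt.Printf("advertised: %.1f bits (%.0f candidates)\n", nominal, NominalKeyspace(26, 4)*NominalKeyspace(10, 4))
	fmt.Printf("effective:  %.1f bits; %d candidates cover half the users\n", s.EffectiveBits(), s.WorkToCover(0.5))
}
```

The lesson for anyone auditing a password policy is that a password derived from public attributes has the entropy of those attributes' real-world distribution, not of its nominal alphabet.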
I've asked this elsewhere in this thread and tried to google it but didn't get/haven't gotten an answer, is there a reason Adhaar did not go with PKI to provide identification and signing? Did they have some extreme not-invented-here syndrome?
It is hard to understand the argument here. PKI is not identity.
Why is there a PDF of your identity card, and why is it encrypted? Surely nothing publicly visible on the identity card is private information.
Private identifiers on citizens would not be very useful.
It seems like a lot of people here are confused as to what is an identifier and what is authentication. An identifier uniquely identifies someone (the uid), while authentication is the way to prove identity (the password). One is normally public while the other has a secret component to it.
Perhaps unwittingly, you just described PKI. Two keys: one is public and identifies someone (or something), and the other is private and can be used to prove your identity.
Encrypting with the public key can be done by anyone, but only the private key can decrypt. This allows encrypted communication.
But encrypting with the private key can only be done by someone with the private key. It can be decrypted by anyone, but only using your public key, thus proving your identity; or more accurately, this proves you have the identified party's private key. So I ask you to encrypt some random OTP to prove your identity. Then I decrypt it with your public key to test your proof. This is how cryptographic signatures work.
Government-issued identification seems an obvious application of PKI.
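As an added example, not code from the thread or from any real national ID system, here is the challenge-response exchange described above in Go with Ed25519: the identifier is public and maps to an enrolled public key in a hypothetical registry, the service issues a fresh random nonce, and only a signature by the matching private key over that nonce is accepted, once.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Registry maps a public identifier (a national ID number you could print on a
// business card) to the public key enrolled for it. Nothing here is secret.
type Registry struct {
	keys map[string]ed25519.PublicKey
	used map[string]bool // nonces already consumed, so each proof works once
}

func NewRegistry() *Registry {
	return &Registry{keys: map[string]ed25519.PublicKey{}, used: map[string]bool{}}
}

// Enroll generates a key pair for an identifier, keeps the public half and hands
// the private half to the holder (in practice it stays inside the smart card).
func (r *Registry) Enroll(id string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		return nil, err
	}
	r.keys[id] = pub
	return priv, nil
}

// Challenge is the verifier's message: a fresh nonce bound to the identifier and
// the purpose, so a signature made for one login is useless for any other.
type Challenge struct {
	ID, Purpose string
	Nonce       []byte
}

func (r *Registry) NewChallenge(id, purpose string) (Challenge, error) {
	if _, ok := r.keys[id]; !ok {
		return Challenge{}, errors.New("unknown identifier")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, err
	}
	return Challenge{ID: id, Purpose: purpose, Nonce: nonce}, nil
}

// message is the exact byte string both sides sign and verify.
func (c Challenge) message() []byte {
	return []byte(c.ID + "|" + c.Purpose + "|" + hex.EncodeToString(c.Nonce))
}

// Prove is the holder's side: sign the challenge with the private key.
func Prove(priv ed25519.PrivateKey, c Challenge) []byte {
	return ed25519.Sign(priv, c.message())
}

// Verify is the service's side. Knowing the identifier proves nothing: the
// signature must verify under the enrolled key, and each nonce is accepted once.
func (r *Registry) Verify(c Challenge, sig []byte) error {
	pub, ok := r.keys[c.ID]
	if !ok {
		return errors.New("unknown identifier")
	}
	key := hex.EncodeToString(c.Nonce)
	if r.used[key] {
		return errors.New("replayed challenge")
	}
	if !ed25519.Verify(pub, c.message(), sig) {
		return errors.New("proof rejected")
	}
	r.used[key] = true
	return nil
}

func main() {
	reg := NewRegistry()
	const id = "1234-5678-9012" // constructed identifier
	priv, _ := reg.Enroll(id)
	c, _ := reg.NewChallenge(id, "bank-login")
	sig := Prove(priv, c)
	fmt.Println("genuine proof:", reg.Verify(c, sig))
	fmt.Println("same proof again:", reg.Verify(c, sig))
	c2, _ := reg.NewChallenge(id, "bank-login")
	fmt.Println("old proof, new challenge:", reg.Verify(c2, sig))
}
```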
PKI can be an important part of a system to authenticate your identity, but for that to work you need an identity to start with. You seem to need some sort of identity for a society to scale. Large countries try to function without, and the result is ad-hoc identity systems instead.
A public key can be an identity, it's a perfectly workable outcome of Zooko's triangle, but it's not a very useful one for most use cases.
The article is about using phone numbers to uniquely identify people and the problems that brings.
Estonia's PKI is basically identity. Yes, you could build something on top of the public Personal Identification Number, but no reasonable provider accepts that as the username - it is a person using the certificate stored on smartcard/smart SIM(/phone) to identify and authenticate at the same time.
> It seems like a lot of people here are confused as to what is an identifier and what is authentication.
I'd say it's you who can't fathom that the two things can work together and only together in some cases.
The PDF is so that the authorities do not need to print & deliver the card at home (they take 20-90 days for that). They say people can download & print it as & when required.
Not all systems are online/electronic. Although explicitly prohibited, banks keep a paper copy of Aadhar & so do courier delivery, passport etc. Only mobile companies this year have done away with keeping a photostat. The law is, a bank or mobile company or anyone asks for the Aadhar number, authenticates the request, fetches the required data & stores the resulting Boolean.
>It seems like a lot of people here are confused as to what is an identifier and what is authentication. An identifier uniquely identifies someone (the uid), while authentication is the way to prove identity (the password).
The problem is how the average person working in the bureaucracy will see this, not how a smart programmer like you on hackernews would see it.
The world is full of average people doing average mistakes in average bureaucracies. Everything that can be abused, will be abused.
That’s also just information you know about many of your acquaintances, and that people often publish online. Join a dating site, and you have the password to the PDFs.
Of course, you still need to obtain the PDFs. And there is that wall in the way...
Yes, for an acquaintance ok, but these files are available for Rs ~1000 on the internet, locked. People are not computer savvy; they just go to a printer shop, ask them to print a copy, the guy downloads a copy, keeps it on his hard disk for "next" time. Last time I went to get some printouts of my documents, I locked the PDF with a complicated password & keyed it in myself, as they insist their printer does not work from USB saved files.
Even the delivery boys of various courier companies sell your phone number for $1 to local spammers.
That is irrelevant; you can get the information contained in the PDF just by taking a photo of the card, so nothing that wasn't meant to be public is in that PDF.
But UIDAI itself tweets so many videos saying share your Aadhar number with banks n such, but not on social media aka the internet; i.e. treat it like your wallet, use it with caution & don't flaunt it. & leaked/stolen PDFs most likely end up on the internet.
It's ok for it not to pass the smell test, because what you have stated is not actually the argument being made. The number of languages and dialects was (presumably) brought up to emphasize the many differences in scale and culture (especially government corruption) between India's population and Estonia's that might introduce complexities, incentives, and opportunities for bad actions in one situation that are not applicable in the other.
Either it’s secure or it isn’t. If it isn’t secure then it doesn’t matter if there are only 1.3 million people in the country; I promise someone from outside the country will try to break it.
Not sure what you mean. Nothing is secure, ever, in a binary sense of being just one thing or the other. It's all a balance between level of security and level of practical usability. Often we've made things easy to use but hard to secure. Like SSNs. But regardless of the source of an attack, the reward for breaking 1 billion targets on the same system vs 1.3 million on a different system is probably much higher. So the inconveniences of more secure systems must be weighed in context of the desirability of the information within them. More attractive targets need more secure, less easy to use, systems.
> More attractive targets need more secure, less easy to use, systems.
That seems to me like a justification for doing the least amount of work needed. Sure, it's true to some degree, but (taking this case as an example) PKI is objectively uncountably better than a PSK-like structure. There's a base security level and until that's reached, there's no need to expend money and time or inconvenience users to gain greater security. Anyone who doesn't get to that level while designing a project of any importance is a lazy idiot.
Yeah this is a fair point, didn't mean to suggest that easy security wins that don't inconvenience the user or add cost in some other way aren't worth making.
Just to clarify, the Estonian national personal ID number is considered public data, only thing that proves identity or authority is the crypto in the cards/SIMs(/phones).
> made more people vulnerable to many kinds of attacks, including phone number hijacking, draining people’s bank accounts, etc. To say that it’s been an unmitigated disaster would be an understatement.
The problem is not really with Aadhar, but how people and companies use it. Bank accounts are drained because people share their OTPs with people they don't know, when they should not. Phone number hijacking would have been a problem even without Aadhar since a lot of financial institutions across the world use it for 2FA.
Without Aadhar though, it was even easier to steal someone's identity by using a false id. At least with Aadhar based biometric authentication, that's not easy now.
> Bottom line, it’s not the phone number that’s the problem, but having a unique and non-changing number and linking it to everything else (including one’s phone numbers).
A unique and non-changing number linked to everything is not the problem, IMO; the problem is treating that number as a secret number (akin to the US SSN), with people not being educated about correctly using Aadhar, and entities just using SMS based 2FA as the authentication mechanism for critical transactions like banking.
> The problem is not really with Aadhar, but how people and companies use it.
But the way people and companies use it is predictable. They'll tie everything to it in a way that isn't secure (because who are we kidding) in a way that information can't be updated if wrong (because even if the identity is centralized the data isn't).
And it will be used comprehensively to coordinate surveillance.
But that isn't even the major problem. The problem is that if someone compromises your bank they can steal your money; if they compromise your vehicle ownership info they can steal your car; if they compromise your phone they can invade your privacy; if they compromise your corporate ID they can get inside your company.
If they compromise your One True ID, they get all of that all at once and the ability to take out credit in your name, enter contracts in your name, commit crimes in your name, etc.
Correspondingly it increases the payoff (and so volume) of attacks and the harm caused by each attack, for a polynomial increase in total damage with the size of the identity system. Creating one system for an entire major country means... you can do the math.
On top of that, what if someone were to compromise the system itself, for everyone all at once? Armageddon, basically. Possibly literally if the system is used to control access to weapons of mass destruction.
All centralized identity systems are inherently insecure. We don't know how to build something that can withstand the attacks that such a large payout attracts.
It's the same category of problem as trying to provide secure law enforcement access to encrypted data. It's too much power to put all in one place. That much centralized power inherently draws in an insurmountable level of corruption and crime, and is a catastrophe as soon as it touches the normal background level of incompetence.
And what's so bad about having one ID for your bank, another for your employer?
> including phone number hijacking, draining people’s bank accounts, etc. To say that it’s been an unmitigated disaster would be an understatement
Can you give sources for that. It's a big claim.
> linking one number to everything in one’s life increases the attack surface and the severity of the threats.
I think linking bank accounts is absolutely necessary to prevent tax evasion. Intrusive linking with phone numbers etc is undesirable, but it's only for authentication, not surveillance. And having a single ID is better than having 10 different disparate ones. Finally, I don't see any evidence that adhaar has been compromised, only that it's improperly used.
It's inherent isn't it? A secret number, that you also need to disclose to dozens of organisations repeatedly for various purposes. You might have to give it over the phone, but not if they have initiated the call.
The director RS Sharma literally posted his number on his personal Twitter saying no harm if this number is public. In a few minutes people found his school transcripts, bank statements, call logs; Amazon orders with cash on delivery were on their way to his house. A few days later the official Twitter handle of Aadhar had to say please keep it safe the way you do your wallet or home key. Use it but don't flaunt it.
Cash on delivery just means the address was qualified. But the address is normally available from other services, and is not achieved by impersonating someone in authentication.
Even if all you claimed is true, it just means that the school, the bank, and the telephone company shouldn't take the adhaar id as authentication, which it was never intended to be. Use OTP/Biometrics for authentication.
A famous aadhar-opposing French security specialist replied to his tweet with that aadhar, although Sharma deleted that tweet soon, I think. It was on Twitter; I will try to find the exact tweet tomorrow.
Biometrics are highly problematic in this context. IF someone steals your private key, you can jump through some hoops and get a new one issued, and regain control over your identity.
If someone steals your biometric data (and that is a thing that can happen through a variety of methods), there's no form you can fill out to be issued new retinas. Your identity is permanently compromised.
A moderate increase in security[1] in the average case in exchange for catastrophic failure modes isn't a good tradeoff.
(And given the very, very troubled history of biometric security, I'm being charitable assuming it's even an increase.)
This is just wrong. They found that out using Google search and social engineering. A lot of his details like his phone number were available online and were available with a Google search. Amazon, being stupid, uses a copy of Aadhar as an authentication mechanism. The Aadhar number is not supposed to be secret. That's the reason you need to use biometrics along with your number to authenticate you.
Estonia's system uses crypto to authenticate users to sites/services and the UID is considered public data. How does Aadhar handle online authentication?
And now we know why it's so broken. None of those methods should be used for true security (especially when you're talking about a billion people). Biometrics are not much better than SSNs - once they're stolen, it's game over (for life).
The reality is the government chose biometrics primarily so it can more easily track people. It wasn't to make it easier for them to use banking services.
Biometrics as a third factor to password and otp would be ideal. However biometrics as a second factor to otp is good enough, to make it frictionless.
If that's why it is broken, then I would be happy with it. Nobody is using fake biometrics to authenticate yet. And even then there is the second factor of otp.
Please see my other comment below with a few starter links and search terms. There are many people who have lost a lot of money from their bank accounts (including pension money) because Aadhaar provided a new way to defraud people.
UIDAI also says Aadhaar is not compromised. The point is that nobody would try hacking the UIDAI database directly when there are far easier and cheaper ways to get to the data through other means because it’s linked with almost everything (depending on the state one lives in).
Also please read up on Rachna Khaira’s exposé (in Tribune) on how cheap and easy it was to get access to people’s information from the UIDAI database. That could also be called “hacking”, but the UIDAI won’t admit to that.
All this can be blamed on “bad actors” to avoid taking responsibility, but it’s clear that the system and its usage never went through a proper design and test implementation. But all along, there was (and continues to be) a lot of coercion to get people to register for it and link it everywhere.
It doesn't mean that adhaar is inherently insecure, or that it has been compromised. It merely says that people are not using it for authentication as they should.
The attack vectors already existed without a central source of authentication, say with fake birth certificate and no authentication.
I still don't see adhaar as a negative, merely being misutilized by different people.
Apart from being technically bogus, access to the entire database is/was available for 500 rupees. The quality of the bureaucrats running it, the opaque way the government pushing it, the lack of actual data to support the IDs, the deaths of people due to denial of life sustaining rations, and the lack of recourse to hold people responsible for life, monetary, and ID theft related losses makes it punishing for people who aren't connected to people in power. Aadhaar cannot be sued for anything!
To add insult to the injury, Aadhaar officially allows people in the upper crust and political class to avoid it entirely insulating them from the potential damages of an experimental system. To add even more insult to injury, the UIDAI goes after people who point out the flaws in their "scheme."
The only winners seem to be tech providers, contractors, some bureaucrats, and the IT contractors who seem to be making loads of good money on this.
> access to the entire database is/was available for 500 rupees
Not the biometrics. And the leaked information doesn't allow one to impersonate someone.
Is the alternative of relying on passports/birth certificate better? Are you against any universal id scheme in general?
All the criticism of adhaar seems shallow. If your home address is leaked somehow, say by a customer service representative in a bank, would you say that is the failure of the post office? It is a privacy risk to have one's address out in the public, but is that a reason to oppose post offices, or stop living in houses?
As it happens in security, something isn't secure by default; you need to verify it is so. I have ZERO way of knowing that UIDAI is following good practices in securing MY data. It's not secure till I have proof it's secure (well, as secure as we know today).
Well, that's the other problem with Aadhar. According to the Aadhar Act (2017?), all Aadhar related data (including my biometrics) are property of UIDAI. So I don't even own any rights and hence (as explicitly stated in the act) have no legal recourse if that data is compromised.
Those are very strict requirements. You do not know if your bank, or google account has not been compromised. You do not know if the govt has not secured your passport details safely. Somebody might obtain a fake passport in your name, create a bank account in your name, and conduct fraud? Is it not better to have a central authentication scheme with two factor authentication instead of just a passport?
> Well thats the other problem with Aadhar. According to the Aadhar Act (2017?), all Aadhar related data (including my biometrics) are property of UIDAI. So I don't even own any rights and hence (as explicitly stated in the act) have no legal recourse if that data is compromised.
Yes, that is a concern. Impersonation in authentication can lead to ruin for people, and the govt wants no liability. But is there any liability currently, in say, a fake passport?
Nothing is 100% secure and protected, security is a measure of effort it takes to break it, so what is secure from casual observer, or small organized group can be insecure from a state level actor who has the manpower and equipment to breach it.
So there, you have proof that your data is not secure.
For almost all uses of Aadhar, 2 factor authentication is required with a one-time-password sent to your phone. It is already far better than SSN which has caused millions of people's identities to be stolen and they have lost a lot of money because of it. Aadhar is new and people need to be educated on how to keep it secure but the system is better than a lot of other countries already.
You are right, it's such a shitty show; your auth is attached to your fingerprint n SMS. Everything: tax, bank, post, school, passport, hospital, everything is attached. Even your phone too, where you receive the SMS. Imagine the horror for people who lost their SIM card; to get a copy of the SIM they need the SMS code which was sent to their registered number; wait for it.. which was lost.
I agree with you that this is not the best system, but I think it's still better than any that was currently available. Earlier everything was linked to your drivers license, ration card, passport, etc which was also equally easy to fake and less secure. Now with biometrics and SMS based 2FA, it's at least more secure than the previous authentication mechanism.
With an authentication mechanism intended for a billion people, which include some of the most poor and illiterate you have to have a balance between security and ease of use. This is unfortunately a compromise, but should at least be x times better than the previous standard.
> Imagine the horror for people who lost their SIM card; to get a copy of SIM they need the SMS code which was sent to their registered number; wait for it.. which was lost.
Oh, please. They can go to the store and use their biometrics to get a new card. That's how I got a new sim card when I lost mine.
Please try that again: first lock your biometrics as the Aadhar App & website aggressively push you to do to secure it, then pretend for this experiment's sake that your SIM is lost, then go to the store asking for a new sim.
In the earlier system of ration cards for food, it was very rare to hear that somebody died because they couldn't get ration because their biometrics were not getting authenticated. In the Aadhar case there have been these cases in double digits.
Because there was no authentication earlier? And one would easily replicate a fake ration card/passport to steal?
Maybe ration is a system where adhaar should not be applied, or a system of quick appeal should be created. But how is relying on pieces of paper like a birth certificate/ration card/passport a better system for authentication and identification?
Can you please read it again & think how many people you know or read about who had fake passports to get ration? Heck people who need subsidized ration most probably do not even have the Original passport & not even the need for that.
Only ration cards were used for ration, if you know, & some of them were specific. Light green A5 size booklets were the common one; anybody could have it, but not everybody could get ration on it. So most of the time it was used as address & ID proof as it had the address and photos of all family members. Only kerosene oil, sugar, soap was available on it. Then there were blue books, yellow cards etc for people below the poverty line, enabling them free wheat, rice, salt etc.
Nobody could fake a ration card because the depot in-charge also had a master register, where the card details needed to be matched.
yep, and wouldn't it be a paradise for a malicious person to install software on that authentication machine which sniffs off the biometrics and sends that to his server?
> yep, and wouldn't it be a paradise for a malicious person to install software on that authentication machine which sniffs off the biometrics and sends that to his server?
Sure. But, using that data to impersonate someone by creating a 3D or silicone model of your fingerprints/iris needs a good amount of resources that your average Joe does not possess. Given enough resources, any means of authentication could be easily exploited.
Honestly, I am not being snarky, but could you please suggest a better authentication mechanism, that is more secure, but can be used easily by people who can't read/write or live in slums, or in small villages, and don't run into issues like forgetting the crypto key or losing the auth device?
If someone guesses a password, you can change the password. If someone gets a viable replay of a fingerprint or iris scan, you can't change it.
I wonder if a formalized "delegation of identity" system could solve the "missing key" problem.
When you have your key, you'd be able to issue a "I trust this person/firm to reliably identify me" certificates to others. This could potentially be trusted friends/family/co-workers or even official "recovery services" that had different means to verify identity.
So if you lose your key down the road, you can bring one of these people along, and the fact they had your certificate, and vouched that they had identified you, and that would be considered legally equivalent to presenting your actual key, or allow the start of a key-reissue process.
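An added example (not code from the thread or from any deployed system) of the delegation scheme sketched above, using Ed25519 and a hypothetical registry: while the user still holds their key they sign "I trust this key to identify me" certificates, and a later key replacement needs a threshold of distinct delegates to vouch under a registry-issued nonce, so a single delegate acting alone cannot take over the identity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Delegation: "I trust the holder of DelegateKey to identify me", signed by the user.
type Delegation struct {
	UserID      string
	DelegateKey ed25519.PublicKey
	Sig         []byte // made with the user's enrolled private key
}

func delegationMsg(userID string, delegateKey ed25519.PublicKey) []byte {
	return []byte("delegation|" + userID + "|" + hex.EncodeToString(delegateKey))
}

func IssueDelegation(userID string, userPriv ed25519.PrivateKey, delegateKey ed25519.PublicKey) Delegation {
	return Delegation{userID, delegateKey, ed25519.Sign(userPriv, delegationMsg(userID, delegateKey))}
}

// Vouch: "I identified this person; enrol newKey for them", tied to one recovery nonce.
type Vouch struct {
	Delegation Delegation
	Sig        []byte // made with the delegate's private key
}

func vouchMsg(userID string, newKey ed25519.PublicKey, nonce []byte) []byte {
	return []byte("vouch|" + userID + "|" + hex.EncodeToString(newKey) + "|" + hex.EncodeToString(nonce))
}

func SignVouch(d Delegation, delegatePriv ed25519.PrivateKey, newKey ed25519.PublicKey, nonce []byte) Vouch {
	return Vouch{d, ed25519.Sign(delegatePriv, vouchMsg(d.UserID, newKey, nonce))}
}

// Registry keeps each identifier's currently enrolled key. Threshold is how many
// distinct delegates must vouch, so one estranged friend cannot act alone.
type Registry struct {
	Keys      map[string]ed25519.PublicKey
	Threshold int
	pending   map[string][]byte // open recovery nonce per identifier
}

func NewRegistry(threshold int) *Registry {
	return &Registry{Keys: map[string]ed25519.PublicKey{}, Threshold: threshold, pending: map[string][]byte{}}
}

// StartRecovery opens a recovery attempt and returns the nonce delegates must sign over.
func (r *Registry) StartRecovery(userID string) ([]byte, error) {
	if _, ok := r.Keys[userID]; !ok {
		return nil, errors.New("unknown identifier")
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	r.pending[userID] = nonce
	return nonce, nil
}

// Recover replaces the enrolled key once enough distinct delegates, each named in a
// delegation signed by the *current* key, have vouched for newKey under the open nonce.
func (r *Registry) Recover(userID string, newKey ed25519.PublicKey, vouches []Vouch) error {
	cur, ok := r.Keys[userID]
	if !ok {
		return errors.New("unknown identifier")
	}
	nonce, ok := r.pending[userID]
	if !ok || len(newKey) != ed25519.PublicKeySize {
		return errors.New("no recovery in progress or malformed key")
	}
	valid := map[string]bool{}
	for _, v := range vouches {
		d := v.Delegation
		if d.UserID != userID || len(d.DelegateKey) != ed25519.PublicKeySize ||
			!ed25519.Verify(cur, delegationMsg(userID, d.DelegateKey), d.Sig) {
			continue // not a delegation this user's enrolled key issued
		}
		if !ed25519.Verify(d.DelegateKey, vouchMsg(userID, newKey, nonce), v.Sig) {
			continue // wrong signer, different new key, or stale nonce
		}
		valid[hex.EncodeToString(d.DelegateKey)] = true // the same delegate counts once
	}
	if len(valid) < r.Threshold {
		return fmt.Errorf("%d valid vouches, need %d", len(valid), r.Threshold)
	}
	r.Keys[userID] = newKey // old delegations no longer verify: the user re-issues them
	delete(r.pending, userID)
	return nil
}
```

Because delegations are checked against the key enrolled at recovery time, a rotated user must re-issue them, and a delegate's vouch is only good for the one nonce it was signed over.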
Registering other people who are able to identify you is an interesting idea, although it would fail for the hermits/paranoid who don't know/trust anybody and who would be screwed if they lost the key.
On the other hand, people trusted by other people are not necessarily trustworthy. If desperate or estranged they may sell out their friends/family for a little cash.
Really, not losing documents (at least not frequently) is one of the core requirements of bureaucracy. Permanent and semi-permanent documents are the basis of a modern society. It's no use trying to institute any laws when you can't count on people taking care of important items.
Your claim is blatantly false. Exhibit A: The United States of America.
Exhibit B: United Kingdom
And so on.
Please do not get confused with social security numbers (or equivalents) as universal or national identifiers. They are not, although their use in such a manner has caused issues (as pointed out in my comments here).
To me it is interesting that proving your identity in the UK could for many years be done with an electricity bill with your name on it and an address, or your driving license, which was a piece of paper which wasn’t hard to forge (no photograph). Cheques were stolen by the postman and used to claim cash at the bank. Nobody could tell me against what identity, as the signature on the cheques wasn’t even close to mine. It was essentially a mess. It is improved now.
Coming from a country, Sweden, with no mandatory ID card and a national identity number, it was both quaint and a real hassle to deal with the odd notion that a national ID number in the UK was a threat to me, but in Sweden it wasn’t. I had more trouble because of it in the UK than I ever had in Sweden. And in the UK you often had to use a passport to identify yourself, which in practice is a national ID.
No ID cards are to be issued by the Secretary of State at any time on or after the day on which this Act is passed.
The UK equivalent of a SSN is a National Insurance number, but it’s totally possible to be a citizen without one (e.g. naturalised non-working spouse). NI numbers also aren't guaranteed to be unique (if a person is assigned a temporary NI number it’ll be non-unique with other people with the same birth date).
That applies to absolutely anything a government could decide to want to do though. If you want to be picky then yes, the UK government currently isn’t allowed to issue ID cards.
> That applies to absolutely anything a government could decide to want to do though
Mmm, that’s not true. Courts recognise EU supremacy over the British parliament, although it would be possible to ant-fuck this point if you were feeling truly pedantic.
SSN is a superkey. Just because the USG doesn't permit one to use SSN as a key in your system (see HIPAA) doesn't mean it doesn't act like one for the purposes of exploitation or data aggregation.
How is a personal identification number a security risk? It's only so if it's considered a secret. If it's considered to be "public information" (like e.g. your name), it's not problematic at all.
A number of other countries have unique identifiers available for various purposes (people, companies etc. etc.) and somehow they work? So I'm not buying it that a single flawed implementation means all of these systems are flawed too.
The law which implemented this ID says nobody can use it for malign purposes; the Authority has been found to use this clause against anybody who wrote about its flaws.
The law also says that only the Authority can disable this ID, at any time. So once somebody's ID is dead, they suffer civil death. No job, hospital, travel, mobile, taxes.
Every week they switch between "the ID number is secret" and "the ID number is not secret".
This number cannot be changed even for a person. To keep it safe, they introduced a virtual ID number, which, again, is permanent for one's life.
> while ignoring the fact that linking one number to everything in one’s life increases the attack surface and the severity of the threats.
Yet from the looks of it, this will happen anyway - the only difference being whether that number is a designated government ID or your phone number, e-mail address or facebook account.
Just because India (India, of all places) can't do things right doesn't mean that a universal ID is a bad idea. Most countries in the world have a universal ID that hasn't been hacked to oblivion.
It’s not the ID that’s the problem, but having one single ID linked to everything else.
Look at how almost all adults in the U.S. have been made vulnerable to identity theft because of the Equifax breach and the leak of SSN and related information. These are irreversible damages.
The problem is not having one single ID linked to everything, which most countries do. The problem is pretending that ID is a secret, which it is not. It's stupid to treat SSNs as passwords.
Aadhaar is meant to be private but it cannot be used for anything without MFA (unlike SSN). In that sense, Aadhaar is not really treated as a password like SSN is.
Aadhaar is not meant to be private. It should not be treated as a private key when you need to give a copy of your card everywhere like your bank, getting a new cell phone SIM card, employment, etc. The problem with Aadhaar (among other things) is that people think it's a secret. It's not supposed to be that way.
SSN is meant to be a secret but it's required at all the places you mentioned. At least with Aadhaar, if someone got a copy of my number, it can't be used without MFA.
What kind of private is it when DHL holds your incoming international document parcel hostage asking for an Aadhaar copy for customs clearance, and then the delivery boy insists on an Aadhaar photo on his phone to make sure he delivers to the right person?
Bootstrapping identity is a very hard problem, and implementors can't resist the easy path of piggy-backing on someone else's identity or authentication system -- social security numbers, email addresses, telephone numbers, etc.
AT&T is being sued by someone who lost $24M in cryptocurrency because someone decided to piggy-back authentication on AT&T. While AT&T should certainly be called out for having sloppy security, I can't help but feel that they never really signed up for the job of protecting such a valuable asset. It's like trying to protect Fort Knox with a consumer-grade padlock, then going after the padlock manufacturer when someone cuts it open.
The fundamental problem is this concept of "identity" is a bundled abstraction that is being used in order to ignore every way in which scaling to the Internet is intrinsically difficult. Because sitting down face-to-face with someone yesteryear was completely and totally safe, so if only we can replicate that and "know" the other person, then all of these newfangled problems will just disappear!
This is a partial list of actual problems "identity" is purporting to solve and an example of someone heavily relying on it: user-device security (Coinbase), cross-medium access (banks), Sybil problem (Google / IRS), persistent tracking (commercial surveillance), offline transactions (healthcare industry).
Each one of these is an area of research unto itself, but yet "identity" is going to solve all of them together! Really, it is just a crutch that allows organizations to pretend to have solved the issues, and then act entitled when their "solution" falls apart. After having architected their systems as if their identifiers are entirely reliable, any action purporting to have been done by you is then your mess to clean up! Because "your" identity was "stolen", see? Problem solved!
This article ultimately seems like a submarine for the industry consortium of the week. The primary reason a "good" identity system hasn't taken off is that the main thing demanded by users is to create arbitrary unlinkable nyms. Meanwhile these backwards-thinking organizations are looking to "identity" mainly to prevent people from doing just that!
The main thing demanded by users is cheap credit, which is diametrically opposed to a system designed to optimize the ease of fraud, as you suggest.
Use all the scare quotes you want. You are one person, not several, and are accountable for your actions regardless of which pseudonym you wish to present them under.
Only two of the five aspects I listed involve credit. And I'm pretty sure at this point people would be much happier getting healthcare without implicit credit, and thus not end up receiving kilodollar nastygrams in the mail for months afterwards.
There are plenty of contexts for which there is nothing to be "accountable" for - I would say most general Internet use. And sure, it's possible to disagree reasonably about this, perhaps asserting that you only want to read comments that are policed by some authority. But it is an explicit tradeoff, not merely implicit that we should live in a world without some absolute privacy.
There are plenty of current reliances on "identity" that don't pass the smell test - for example the seemingly common flow of setting up online banking by going home, going to a website, and entering in your public identifiers. In the context of a brick and mortar bank, this is utterly backwards!
Describing an identity system based on nyms as having been "designed to optimize the ease of fraud" is utterly disingenuous. Fraud requires the other party to buy in to assumptions which are then invalidated. Most uses of identity, say online user accounts, don't need to carry such strong assertions in the first place.
Also, highlighting that a term carries a loaded definition is not using "scare quotes".
This is fundamentally a regulatory and economic problem. The exact challenge-response flow and physical artifacts/electronic credentials we use to assert identity and request access with change over time. Businesses are only motivated to prevent fraud if they will be liable for losses. They have managed to label it "identity theft," as if you forgot to lock up your bicycle, and give ironic post-breach advice to their customers like installing anti-virus software and not surrendering information to unsolicited callers.
Incentives need to be aligned. The Trump Administration cancelled the investigation into Equifax. Target's stock price barely budged. Regulations may not be a panacea as the OPM breach suggests. "Cyber insurance" is an interesting market. Ideally insurers would require best practices to be followed for policy issuance and claim payout. But that can lead to compliance box checking, and litigation/coverage struggles instead of actual security.
What you say about Target's stock price is true, but markets exist to price assets, not to punish malefactors. What this shows is that the market decided losing a ton of data wouldn't affect Target's bottom line; this supports your point about incentives but is itself not something in need of adjustment. The market is literally signaling that losing customer data isn't going to cost a company anything.
I think we'd probably all be using private/decentralized identity systems if it wasn't for KYC/AML regulations. The problem is that decentralized and some private identity systems are all "vulnerable" to pseudonymization, so it makes KYC/AML impossible.
I'm surprised a company that already has a lot of personal info like Equifax hasn't stepped up and created an online ID system (like how you have DUNS numbers for businesses).
As a counter-example, Sweden has national personal ID number system where everyone is assigned a number at birth. This is fine as a primary key in databases but it's not exactly a secret so can't be used to authenticate someone.
The banks stepped up to this challenge and created a common digital signature system called "BankID" where you get either a certificate/private key file (PC) or app (mobile). BankID is used for online filing of taxes, filing change of address, signing up for stuff like insurance, anything that traditionally would require a physical signature. ID verification is done by bank branches when you sign up for internet banking.
I recently signed into a medical-related service that used a verification system like this.
They asked three questions. All of which were multiple choice and populated with a lot of obvious wrong answers.
Two of them were the year and model of a car I (no longer) leased, and one was a direct "what county do you live in?" which is trivial from the address.
If you physically drove by my house any time when the garage door was open in the last three years, you had a decent chance of knowing the right answers. If you had access to the DMV records, you had the right answers. And on the flip side, I hate to imagine how this would have worked for, say, a scholarship student at age 20 with no credit file.
Enjoy reading my lab test results. I feel so secure.
Nitpicking (but what do you expect with a board that's majority programmers): only people born Swedish get one at birth. I got mine at age 23 when I studied there :) It still used my dob though.
> It's like trying to protect Fort Knox with a consumer-grade padlock, then going after the padlock manufacturer when someone cuts it open.
Well in this particular case, it's like protecting it with a consumer grade padlock, and then having someone who works for the padlock company give the thief a key to the lock. The reason he's suing is because AT&T failed to follow their own protocols for identifying the customer.
They gave their employee the ability to bypass the security PIN code locking the account. If they hadn't touted it as account security, their case would probably be better.
Oh come on. Bootstrapping <anything> is hard. Identity isn't special. When bootstrapping, you base initial migration work off of existing systems, until you reach critical mass and the adaptation on top of existing systems are no longer relevant or necessary. You might as well argue that passports are worthless because it's not that theoretically difficult to fake the foundations of identity to a good enough level in order to get a genuine passport. As long as passports are unique-enough (no two people are identified by the same passport), they're good enough. And so is any other system which succeeds at consistently identifying the same person.
Phone numbers are obviously flawed as identifiers, but so are social security numbers, drivers license numbers, etc. If the United States introduced a national ID, how would it avoid the same problems as the de-facto national ID, the social security number?
Biometric data can be replicated, e.g. fake fingerprints and synthesized voices. Good facial recognition is still a step ahead of scammers but they may catch up at some point. And you can't easily change your biometric data if someone manages to make a copy.
At this point everyone knows passwords by themselves are not good enough.
Physical tokens like Yubikeys can be stolen, although that's clearly more difficult than stealing some of these other identifiers.
If everyone had a cryptographic private key, they would have to store it somewhere -- how would they keep it secure without resorting to one of the flawed systems I just mentioned?
So, I find it difficult to blame companies for using phone numbers as identifiers -- it's easy, and all of the alternatives are also flawed. I haven't seen any foolproof identifier, probably because it's not possible to create one.
> If the United States introduced a national ID, how would it avoid the same problems as the de-facto national ID, the social security number
Everyone gets a national ID number. This number is considered public and is used for signing up for public and private services.
Everyone gets an ID card, issued by the government. This ID card holds a private key, used to enter legally-binding agreements, and the card is printed with the photo of the holder. Attempts to use the card to authorize purchases online redirect to a government-managed identity provider (think SAML 2.0), where the user must provide either a password (preferable) or, if there is no password, some other knowledge proof that is not discernible from the physical ID card, either of which were set up when the card was issued. When people become incapacitated for publicly-known reasons (incarceration, hospitalization, etc.), their public certificates are temporarily added to a revocation list. When issued, the card comes with three one-time-use secret codes, each of which triggers a 24-hour temporary revocation, which must be kept secret-enough to prevent abuse. Obtaining more temporary revocation codes, or permanent revocation (in case of loss or theft), or password/knowledge proof reset without the previous password/knowledge proof, is handled in physically secure government facilities, by providing DNA and other biometrics, that were registered when the card was issued and are not used for any other purpose. Corruption is combated at the DNA-collection stage by requiring the secure facilities to actually collect fresh physical samples each time - this constitutes a biological sort of paper trail for auditing revocation requests.
No, it's not impossible to game the system. People can be bribed to overlook the photo; DNA can be stolen and used to continually permanently-revoke victims. Paper trails are not magic cure-alls. There are serious ethical concerns with entrusting the government with a populace's DNA (particularly, the potential to re-index it for the purposes of ethnic cleansing). And yet, when compared to modern-day systems, I'm hard-pressed to complain. If you ask, quite simply, which is better, the system proposed above or the contemporary system, one or the other, I have a hard time imagining people defending the contemporary system.
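The challenge-response core of the card-based scheme proposed in the comment above, and of the Swedish BankID certificate model described earlier in the thread, as an added example in Go. It is not code from any commenter, from BankID, eIDAS or any government programme. It assumes Ed25519 keys, a two-minute challenge validity, a hypothetical card serial and PIN, and models only the temporary (24-hour) revocation; the SAML redirect, the DNA-backed reset and permanent revocation are left out. The point it makes that the prose does not: the relying party's name and an expiry are inside the signed bytes, so a signature captured at one site is useless at another or later.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"time"
)

// Challenge is what the identity provider gives a relying party to pass to the
// card. Relying-party name and expiry are inside the signed bytes, so a signature
// captured at one shop cannot be replayed at a bank, or at the same shop tomorrow.
type Challenge struct {
	Nonce   [16]byte
	Relying string
	Expires time.Time
}

func (c Challenge) bytes() []byte {
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(c.Expires.Unix()))
	b := append(append([]byte{}, c.Nonce[:]...), ts[:]...)
	return append(b, c.Relying...)
}

// Card models the chip: the private key never leaves it and it signs only after
// the holder's PIN is entered (a real card also rate-limits and locks on failures).
type Card struct {
	Serial string
	priv   ed25519.PrivateKey
	pin    string
}

func (c *Card) Sign(pin string, ch Challenge) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(c.pin)) != 1 {
		return nil, errors.New("wrong PIN")
	}
	return ed25519.Sign(c.priv, ch.bytes()), nil
}

// IdentityProvider holds the public keys registered at issuance and a revocation
// list mapping card serial to the time its temporary revocation ends. The clock is
// injected so the scenario below is reproducible.
type IdentityProvider struct {
	cards   map[string]ed25519.PublicKey
	revoked map[string]time.Time
	now     func() time.Time
}

func (idp *IdentityProvider) NewChallenge(relying string) (Challenge, error) {
	c := Challenge{Relying: relying, Expires: idp.now().Add(2 * time.Minute)} // 2-minute validity assumed
	_, err := rand.Read(c.Nonce[:])
	return c, err
}

// Verify is the provider's decision: registered card, not revoked right now,
// challenge meant for this relying party, still fresh, signature valid.
func (idp *IdentityProvider) Verify(serial string, c Challenge, relying string, sig []byte) error {
	pub, ok := idp.cards[serial]
	switch {
	case !ok:
		return errors.New("unknown card")
	case idp.now().Before(idp.revoked[serial]): // missing entry is the zero time, i.e. not revoked
		return errors.New("card revoked")
	case c.Relying != relying:
		return errors.New("challenge issued for a different relying party")
	case !idp.now().Before(c.Expires):
		return errors.New("challenge expired")
	case !ed25519.Verify(pub, c.bytes(), sig):
		return errors.New("bad signature")
	}
	return nil
}

// RunScenario walks one card through a purchase, a wrong PIN, a cross-site replay,
// a 24-hour revocation, and a fresh sign-in once the revocation has lapsed.
func RunScenario() (map[string]error, error) {
	clock := time.Date(2019, 1, 1, 12, 0, 0, 0, time.UTC)
	idp := &IdentityProvider{cards: map[string]ed25519.PublicKey{}, revoked: map[string]time.Time{}, now: func() time.Time { return clock }}
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // generated inside the card at issuance
	if err != nil {
		return nil, err
	}
	card := &Card{Serial: "SE-0001", priv: priv, pin: "4921"} // hypothetical serial and PIN
	idp.cards[card.Serial] = pub                               // public key registered at issuance
	ch, err := idp.NewChallenge("shop.example")
	if err != nil {
		return nil, err
	}
	out := map[string]error{}
	_, out["wrong_pin"] = card.Sign("0000", ch)
	sig, _ := card.Sign("4921", ch)
	out["valid"] = idp.Verify(card.Serial, ch, "shop.example", sig)
	out["replay_elsewhere"] = idp.Verify(card.Serial, ch, "bank.example", sig)
	idp.revoked[card.Serial] = clock.Add(24 * time.Hour) // holder used a one-time revocation code
	out["during_revocation"] = idp.Verify(card.Serial, ch, "shop.example", sig)
	clock = clock.Add(25 * time.Hour) // revocation lapsed; the old challenge is stale too
	out["stale_challenge"] = idp.Verify(card.Serial, ch, "shop.example", sig)
	ch2, _ := idp.NewChallenge("shop.example")
	sig2, _ := card.Sign("4921", ch2)
	out["after_revocation"] = idp.Verify(card.Serial, ch2, "shop.example", sig2)
	return out, nil
}
```

Each key in the map returned by RunScenario is one step; a nil value means the provider accepted the signature. The ordering of the checks in Verify matters in practice: revocation is consulted before the signature so that a revoked card's perfectly valid signature is still refused.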
What you have described is (mostly) how Swedish society already works. Even the SAML part — we'll be forced to support eIDAS as of next month!
Everyone resident in Sweden must be registered in the Swedish Population Register, and receives a personal identity number. Due to the Swedish constitution, information held by the government must be publicly available, so people's names, dates of birth, addresses and indeed identity numbers are not secret (though the last of these isn't on Google). This means that in order to prove your identity, people use ID cards and corresponding digital ID issued by the government and banks. Said digital ID is a passcode-protected certificate, either on a phone, a computer, or a physical ID card.
The government doesn't have your DNA here though, although citizens' passports and ID cards contain fingerprint data.
Also, there are cases of people with multiple DNA signatures in one body (chimeras). Really rare, but it goes to show that there will always be a corner case ;)
> how would they keep it secure without resorting to one of the flawed systems I just mentioned?
It's small, hard to exploit flaws vs. large easy to exploit flaws.
> If everyone had a cryptographic private key, they would have to store it somewhere -- how would they keep it secure without resorting to one of the flawed systems I just mentioned?
Physical smartcard/smart SIM/phone. You have to steal something physical and get the PIN. Definitely possible, but really hard, and if that gets lost you have to go to the Police, get yourself re-identified and get a new card. Compared to what a bullshit identifier a phone number is, the Estonian system is miles ahead.
You start by not giving everyone an "ID" but a hardware token with a chip in it. The person who has that chip and the corresponding private.
The only real attack against that is supply-chain attacks, which is why the government buying such tokens should audit the whole supply chain, and they should either pay for a replacement if the tokens are ever compromised or make the manufacturer pay if it's their fault.
I think if you combine the existing formulas and add a few new ones with similar issues it can add up to something.
Personally, while I understand no one can take it seriously, I think our private components would be a better fit than faces. It would make for an interesting future to say the least.
Tying 2fa directly to the phone is much better than tying it to a phone number, until you don't control your phone. Then, how do you recover? You can't go down to the local Google (or whoever) kiosk, prove your identity, and get a new device added to 2fa, but you can get a new sim (downside, so can pretty much any carrier kiosk employee, or social engineer).
Also, phone numbers are pretty useful for contacting people, and most people have an address book with their friends and family and other important contacts. There's tremendous social value for people in those numbers continuing to work, to the extent possible. You're never going to be able to tell everyone who might want to know when your number changes, especially if you for a new number when yours was assigned to someone else.
In case this is not a rhetorical question: Using the backup codes or a copy of the barcode you printed.
Regardless of what method you use I assume you want a secure backup method.
> but you can get a new sim
Maybe easily if you are a private person and happen to lose the phone in your home country during opening hours. I tried this method once but the company just forwarded me to the internal helpdesk of the company I work for (this is a good thing, but previously they issued SIM cards to me). Got a sim like a week later.
Even if I do this, and most people reading this do this, I suspect there’s still a large number of people who don’t know they should be doing this (like older relatives).
The iCloud backup of my phone when restored to another phone didn’t bring over any of my authenticators. I don’t know if a physical backup would or not but it’s worth noting.
They are tied to the phone, at least for Google Authenticator, if you do an iCloud backup. This is a security flag the app has set on the database file. If you do a local, encrypted backup the codes can be restored. Alternatively you can use a client like Authy that also allows you to sync them with your other devices (encrypted of course).
You're right. I'm not criticizing, just noting it for anyone that might think the online backup would be sufficient after reading the comment I replied to.
And what happens when those backup codes don't work? You are now locked out of an account with 3000 dollars, and have to literally send a photo with your ID, and a note saying you need it reset. Google Authenticator should never be used for anything that matters.
You download or screenshot that QR code while subscribing to 2fa with GA. Also keep the subscription key, and save both in a password database separate from your usual password database.
2fa on phone TOTP is safe; SMS 2fa is less safe, prone to easy attacks. For phone, somebody needs to come and physically snatch your phone and get the app lock password from you. For SMS, in a few countries, not in India (in India you either need to prove that you own the existing SIM by getting a code there, or by seeing a customer service desk), a bit of social engineering and a few answers from a Facebook profile enable hackers to get a copy of the SIM.
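What the app-based TOTP preferred in the comment above actually does, as an added example in Go; this is not code from the commenter, from Google Authenticator or from any vendor. The 20-byte secret is the constructed one from the RFC 6238 test vectors, and the 30-second step, six digits, one-step skew window and last-used-counter replay check are the usual choices rather than anything the thread specifies. The security-relevant point is that after enrolment nothing crosses the network except the six digits, so there is no SMS to intercept, and a code that was phished still cannot be reused once the server has seen it.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// TOTP computes the RFC 6238 code for a Unix time: HMAC-SHA1 over the big-endian
// step counter, RFC 4226 dynamic truncation, then the last 'digits' decimal digits.
// The app and the server share only the secret, once, at enrolment (the QR code).
func TOTP(secret []byte, unixTime, step int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/step))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits)))
}

// Verifier is the server side. It tolerates one step of clock skew either way and
// remembers the highest counter it has accepted, so a code that was phished or
// shoulder-surfed cannot be submitted a second time inside its 30-second window.
type Verifier struct {
	secret      []byte
	lastCounter int64
}

func NewVerifier(secret []byte) *Verifier { return &Verifier{secret: secret, lastCounter: -1} }

func (v *Verifier) Check(code string, unixTime int64) bool {
	for skew := int64(-1); skew <= 1; skew++ {
		t := unixTime + skew*30
		counter := t / 30
		if counter <= v.lastCounter {
			continue // already used, or older than a counter already used
		}
		expected := TOTP(v.secret, t, 30, 6)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			v.lastCounter = counter
			return true
		}
	}
	return false
}

func main() {
	// Constructed secret taken from the RFC 6238 test vectors; a real enrolment
	// uses a random secret shown to the user as a base32 QR code.
	secret := []byte("12345678901234567890")
	fmt.Println("RFC 6238 vector, T=59 :", TOTP(secret, 59, 30, 8)) // 94287082
	fmt.Println("code right now        :", TOTP(secret, time.Now().Unix(), 30, 6))
}
```

The skew window is why a code from the previous 30-second step is still accepted, and the counter check is why that same code is refused once a newer one has been used: widening the window trades phone-clock tolerance directly against the attacker's time to replay.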
Years ago, I had to physically show up at Verisign to get my domain changed. It was locked to an email address I no longer had. What a cluster that was.
In theory. In reality, people will sacrifice security for simplicity in these situations thereby financially incentivizing the opposite of "how it should work".
> Tying 2fa directly to the phone is much better than tying it to a phone number, until you don't control your phone.
This is worse. (edit: i.e. easier for the attacker since they don't need physical access to your device.) You still control your phone, but the attacker takes your phone number.
I implemented number porting for a startup I worked for. It's all pretty scary: yes, it's easy to impersonate someone if you have some information about them, but some carriers don't check any sort of porting pin at all. That is, attackers sometimes do not need to impersonate you, they just have to ask for your number.
It would be great if we all had something more secure, but in the meantime understand your carrier's port-out process and make sure you have your number secured.
My UK NI number is burned into my brain. It might be because it was given to me at a highly emotional time (transition from school to unemployment and university) or because I had to know it to complete forms (UB-40 and P-45 employment status).
From thirty years distance, trying to re-connect to my UK pension rights, as a non-resident migrant, it floated back up into my consciousness instantly. I suspect even with dementia its one of the digit strings I'll hang onto.
FWIW former forces probably have their serial number forwards and backwards because of hazing. I only have my NI number because of money.
We should more than ever be teaching everyone not to use their real name on the internet, not to give out their phone number or private email address, on the internet or to businesses for advertising or any other avoidable purpose. This would eventually prevent the assumption that everybody has a phone number that can be used as authentication, or even worse, a Facebook account!
Every factor is vulnerable: phones, phone provider, gmail accounts, yubi keys and even yourself. What if someone points a gun at you and asks you to transfer all the bitcoins?
Why not distribute the authentication factors among multiple trusted parties instead of a single person? This would not scale for normal use cases, but could help for mission critical updates. For example, if I change my gmail password or port my phone number or update my auth factors (which are all considered major/mission critical changes), then the change has to be verified by at least 51% of my trusted contacts. So, instead of verifying authentication just with me, the provider has to send 2fa tokens to all my trusted parties (my spouse/partner, close friends, family members, etc). If 3 (out of 5) have verified and approved the change, then the provider would implement the change.
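The "at least 51% of trusted contacts" approval flow proposed above, as an added example in Go; it is not code from the commenter or from any provider. The contact names, the 24-hour request lifetime, the minimum of three contacts and the per-contact one-time tokens are assumptions. The detail worth seeing in code is that each contact gets their own token and a contact counts once however often they respond, so one compromised contact (or one contact's phone being SIM-swapped) cannot cast the other votes.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// ChangeRequest is a pending high-impact change (password reset, number port,
// factor update) that takes effect only once a majority of the account holder's
// trusted contacts have approved it with the one-time token sent to each of them.
type ChangeRequest struct {
	Account   string
	Change    string
	Expires   time.Time
	threshold int
	tokens    map[string]string // contact -> token delivered to that contact out of band
	approved  map[string]bool
}

// NewChangeRequest mints one token per contact. The returned map stands in for
// the out-of-band deliveries (push, e-mail, SMS); the provider keeps the tokens.
func NewChangeRequest(account, change string, contacts []string, now time.Time) (*ChangeRequest, map[string]string, error) {
	if len(contacts) < 3 {
		return nil, nil, errors.New("need at least three trusted contacts")
	}
	r := &ChangeRequest{
		Account: account, Change: change,
		Expires:   now.Add(24 * time.Hour), // assumed: unfinished requests lapse after a day
		threshold: len(contacts)/2 + 1,      // strict majority: 3 of 5, 3 of 4, 2 of 3
		tokens:    map[string]string{},
		approved:  map[string]bool{},
	}
	deliveries := map[string]string{}
	for _, c := range contacts {
		b := make([]byte, 16)
		if _, err := rand.Read(b); err != nil {
			return nil, nil, err
		}
		r.tokens[c] = hex.EncodeToString(b)
		deliveries[c] = r.tokens[c]
	}
	return r, deliveries, nil
}

// Approve records one contact's approval. The token must be the one sent to that
// contact, so a compromised contact cannot vote on behalf of the others, and a
// contact approving twice still counts once.
func (r *ChangeRequest) Approve(contact, token string, now time.Time) error {
	if now.After(r.Expires) {
		return errors.New("request expired")
	}
	want, ok := r.tokens[contact]
	if !ok {
		return errors.New("not a trusted contact for this account")
	}
	if subtle.ConstantTimeCompare([]byte(want), []byte(token)) != 1 {
		return errors.New("token does not match the one sent to this contact")
	}
	r.approved[contact] = true
	return nil
}

func (r *ChangeRequest) Threshold() int { return r.threshold }
func (r *ChangeRequest) Approvals() int { return len(r.approved) }

// Ready is the only thing the provider consults before applying the change.
func (r *ChangeRequest) Ready(now time.Time) bool {
	return !now.After(r.Expires) && len(r.approved) >= r.threshold
}

func main() {
	now := time.Now()
	contacts := []string{"spouse", "sister", "friend-a", "friend-b", "colleague"} // constructed
	req, sent, err := NewChangeRequest("alice", "port phone number", contacts, now)
	if err != nil {
		panic(err)
	}
	for _, c := range contacts[:3] { // three of five respond
		if err := req.Approve(c, sent[c], now); err != nil {
			panic(err)
		}
	}
	fmt.Printf("%s: %q approved by %d/%d, ready=%v\n", req.Account, req.Change, req.Approvals(), len(contacts), req.Ready(now))
}
```

The obvious operational caveat is recovery: if the holder's contacts are unreachable, the request simply expires, which is the intended failure mode for a change as consequential as a number port.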
I repeat this on related threads: taking over any US phone number's inbound/outbound SMS traffic with the ability to intercept inbound SMS as well as send SMS originating from a particular number is dangerously easy. It takes one minute, and ALL numbers are vulnerable. Worse, there is no fix for this. Never ever use SMS for authentication, or sensitive communication of any kind.
I believe this is being exploited on a regular basis and people just have no clue. This is likely used for anything from gaining access to email accounts to insider trading to political leverage to who the heck knows what else.
There are a couple of vendors out there who at least try to detect SIM swapping and traffic hijacking. It's better than nothing and eliminates the simplest attacks, but still has its flaws, including happy path case support (like only working on the network and needing a smart phone).
Happened to my number at least (I live in Sweden). A person sent me a text message saying he had my previous number and that he got frequent calls from my friends.
I see no problem with phone numbers being used as an ID. They should not be used for authentication though.
For some reason it has become fashionable to force 2-factor authentication on users using SMS as the 2nd factor. That is a terrible idea, and yet it proliferates, especially at most calcified institutions (banks, DMV, twitter). This has to end.
Lebanon was fun. When I arrived and purchased a SIM card, after getting on the different smartphone instamessage systems everyone that knew the previous owner started contacting me.
Well, Germany could have provided a (relatively) easy solution with the new (ah well, 10 years old by now) Personalausweis identity cards - they're RFID capable and contain crypto functions.
Actually, there is a solution for using them to sign stuff - but it's proprietary in any case, and requires expensive certificates.
Nearly all Germans do have one (yes, I know, having a passport is sufficient... but, anecdata, never met anyone with only a passport), and iirc the Elektronischer Aufenthaltstitel required for non-German residents of Germany has the same functions.
It's a perfect model of "the tech would be there but government is incompetent/corrupt and so it is not freely available for the benefit of citizens".
> The use of phone numbers as both lock and key has led to the rise, in recent years, of so-called SIM swapping attacks, in which an attacker steals your phone number. When you add two-factor authentication to an account and receive your codes through SMS texts, they go to the attacker instead, along with any calls and texts intended for the victim. Sometimes attackers even use inside sources at carriers who will transfer numbers for them.
We're seeing more biometric authentication with fingerprints, face recognition, perhaps retina scan. How do these methods perform in practice, considering both their contribution to security and their practical application?
I currently authenticate on my iPhone with fingerprint. How hard is that to crack? If you had the victim's fingerprint, it's apparently trivial [1]. But accessing my fingerprint is not something that a random hacker/thief on the Internet would reasonably be able to do.
Since our phones are becoming our life-key. Would a 3-factor authentication sufficiently protect us?
You can't change them and you leave them everywhere!
They're good against stopping your nosy family members from seeing your password, but what am I supposed to do when dining or paying someone? Wear gloves?
If the cybersec game turns into "collect physical fingerprints" then the gangs are going to collect physical fingerprints and then what?
What we need is something dynamic that's hard to fake, like a human voice or face, tied to a government issued cryptographic device with no input ports / volatile memory / inbound network adapter.
You say a challenge sentence out loud. The device validates. Then the device signs or authenticates or whatever. For integrity it could optionally encrypt and broadcast what happened.
You lose the device, you get a new one just like you get a passport. In person with other documents, etc.
This really isn't that hard. We could have done it decades ago.
> You say a challenge sentence out loud. The device validates. ...This really isn't that hard.
Last year Lyrebird (https://lyrebird.ai/) released a demo that cloned several Presidents' voices. So while I agree with you that fingerprints are a poor choice, voice isn't better.
Well I didn't want to get bogged down in the details, but obviously I'm aware of this project and there is a ton of funding into adversarial ML and the artifacts that are generated by false voices are detectable. Even so, I appreciate the concern and it is one I share in the long run.
Regardless—possession of the device is half the battle. Authentication of the individual is the other. Even if the authentication portion is broken at worse what this means is that someone that stole your device can impersonate you. Not great, but not enough of a reason to completely disqualify voice as a mechanism.
Biometrics make sense when there's a trusted human there to oversee collection. Good luck giving the cops fake fingerprints when you're arrested for example, or trying to show the gate guard on a military base just a photograph of a regular visitor instead of your actual face.
They're useless when you try to substitute some primitive bit of electronics, like those built-in print scanners. And so nobody should expect to use biometrics for Internet security.
We know for certain that we're getting hacked daily with constant identity theft and rather than have the same people that we entrust with our tanks, bombs, guns, lasers, and satellites to be competent at a simple key signing / rotating physical device we're going to what, use our fingerprints with our bank?
No.
A physical device that everyone has is going to be torn apart by everyone. The last place they'd put something malicious would be in something that diffuse.