
I've been mulling over an idea that is essentially a combination of personal ID, secure digital authentication and online communications all baked into one.

There's an EU directive instructing on how citizens should be able to identify online with eIDAS. In my country, you can use eIDAS to authenticate in basically any governmental agency portal, but you can't get any eIDAS-enabled auth method as a citizen. The current way of authenticating is done via bank accounts or a paid extra mobile service that requires a non-prepaid mobile contract.

This is a relatively huge issue. First off, the Finnish government pays the banks for each auth any user does when they for example want to log into their medical records etc. It's a few million euros a year just for verifying the users.

There are also obviously issues with whom the banks serve; there have been some cases of them not taking foreigners or people with bad credit as customers, making it impossible for them to authenticate themselves.

The current EU directives also indirectly require that the banks should provide a bank customer the possibility to authenticate without needing to have a banking account (which costs money), but to my knowledge this still isn't possible. I pay around 20 euros a month just for the luxury of having an account, not everyone can afford that on top of other bills.

Auth services are not accessible for impaired users.

It's also basically impossible to manage who has essentially the power of attorney and over which matters, for how long etc. Either you have to give them your login info (good luck resetting your SSN) or try to use the services over the phone and somehow convince the other side that you have permission to manage things for another person.

There are no ways of authenticating who is using your accounts online and actually verifying the users.

Basically, my idea is combining biometrics, PGP and having the government running the identity management themselves. This would have added benefits of basically enabling hashed throwaway addresses and info for use online while providing a free and accessible way of authenticating strongly online.



> authenticating is done via bank accounts

It occurred to me the USA might do something similar in the future and let the banks authenticate and verify identities. (The $1200 CARES Act stimulus payments were automatically wired to those who previously authorized the IRS to post their tax refunds to their banks.)

> actually verify the users

Maybe you can harness existing Public Notaries instead of using online banking? The USA has over four million Public Notaries who can "witness" and verify identities. For example, a user can pay for a Public Notary to come to his house. The Public Notary reviews the user's government-provided identification and issues them an official E-ID and an encryption USB key like the Google Titan Security Key. The Public Notary can record this transaction in a government database so that there is a trail of who received the Titan key and who provided it.


We don't have public notaries as such and it would still 1. be a system that places trust in humans (which is easily exploitable) and 2. not free for the end users.

I mean, I think it's some ten cents per auth through a bank, if you'd have to invite a notary or visit them every time you want to auth, it'd definitely cost more than that.

I was thinking of a combination of biometric ID, a physical card with NFC or USB, and a PIN or a password. Biometric info is hard to spoof, but not entirely impossible, which is why just stealing the ID card or biometric info shouldn't be enough; you'd need some type of password. Once the user provides all three, you'll know that physically that person carries the aforementioned identifications and is likely whom they claim. These would be used to encrypt and unencrypt hashes, meaning that other individuals can also use the hashes to make sure they're contacted by, or are themselves contacting, the correct person they meant to.

We'd also need to implement a way to manage permissions for other users to manage our own data. If you're for example physically incapacitated and want your caretaker to be able to access some services, you could add their hashed identity as an allowed entity and decide over which services and features they can see and/or edit.


> throwaway addresses

Unrelated but speaking of throwaway addresses, it would be cool to be able to create a throwaway postal address (which is then translated by the postal service), so online shops don't get your personal address information.


Yeah exactly, this was one of the usecases I wanted to deal with.

Several brick and mortar retailers here require your address and personal info even when buying and picking up physically at their store and several have had their databases hacked and leaked.

Why do I need to give those when they're not shipping anything to me and I pay in cash?

We have an agency called Maistraatti which is our nationwide registry office which will have all of my postal information, family relations etc., basically anything related to me as part of our society. Why can't I just provide online and physical retailers some ID that the registry can then translate into my actual info when it's actually needed, for example for shipping or if they want to check my credit etc.? They could just save that ID for that purchase and temporarily check the necessary info through an API.

Hashed info would be one solution, the retailers would only get the hashes I provide and the registry office could then match those hashes to my info. In essence, I could basically create single use throwaway information for each retailer if I'd wanted to and they would be none the wiser.
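A sketch of the per-retailer throwaway identifier described in the comment above, added here as an example and not part of the original thread. `Registry`, its method names and the sample record are hypothetical, and the token is a keyed HMAC with a random nonce rather than a bare hash of the SSN, because a low-entropy identifier hashed without a secret can be enumerated.

```python
import hashlib
import hmac
import secrets


class Registry:
    """Hypothetical registry office: the only party that can map a token to a person."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # secret key, never leaves the registry
        self._people = {}                    # person_id -> real record
        self._tokens = {}                    # token -> (person_id, retailer, allowed fields)

    def enroll(self, person_id, record):
        self._people[person_id] = dict(record)

    def issue_token(self, person_id, retailer, allowed_fields):
        # Fresh nonce per token: two tokens for the same person never match,
        # so retailers cannot link purchases by comparing their databases.
        nonce = secrets.token_bytes(16)
        msg = b"\x00".join([person_id.encode(), retailer.encode(), nonce])
        token = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        self._tokens[token] = (person_id, retailer, frozenset(allowed_fields))
        return token

    def resolve(self, token, retailer, field):
        # Release one field, only to the retailer the token was issued for.
        entry = self._tokens.get(token)
        if entry is None:
            raise PermissionError("unknown or revoked token")
        person_id, bound_retailer, allowed = entry
        if retailer != bound_retailer or field not in allowed:
            raise PermissionError("token not valid for this retailer or field")
        return self._people[person_id][field]

    def revoke(self, token):
        self._tokens.pop(token, None)


if __name__ == "__main__":
    reg = Registry()
    # Constructed sample data, not a real person or identifier.
    reg.enroll("PERSON-0001", {"postal_address": "Example Street 1, 00100 Helsinki",
                               "credit_ok": True})
    t = reg.issue_token("PERSON-0001", "shop-a", {"postal_address"})
    print(reg.resolve(t, "shop-a", "postal_address"))
```

A leaked retailer database then contains only tokens, which are useless without the registry and can be revoked individually.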


That would be a nice service that the postal service could charge for. Virtual PO boxes that could be created or re-routed on demand. You would just have a one-line address, and when the address is digitized it would be converted to the current address.


Isn't that a PO box?


PO boxes cost and I still need to provide my name, SSN, email, phone etc even if I'm not ordering online.

If PO boxes were free, it'd solve one part of which I take issue with, but it costs like 4 euros per pickup. If your income is low, the 4 euros on top of the some 20 euros for banking and another 20 for a cellular plan will quickly add up.


No because for example if you order from the same shop multiple times using the same PO Box, then they can link the information from each order.


So you're thinking like a virtual mailing address as a service. You receive and forward people's mail. Seems interesting. Also kind of high risk for the service provider. People will use something like this to buy guns and drugs and other stuff on the black markets. But I guess they do that anyway. You would have to be prepared to deal with a lot of subpoenas to unmask the real mailing addresses. Could be a useful service though. Be sure to charge a lot for it.


My idea would have to be implemented on a national level. I take issue with the socio-economic injustices in the current identity and personal management solutions as they're not technically accessible nor free while still being simply a must-have in order to do anything in Finland.


Well, I would be ok with it if the regular postal service does the translation, and I wouldn't want to support any criminal activity.


Isn't this essentially a URL shortener for post? The post operator generates an ID for your address, sender uses it to post stuff, the post office maps it back to the address. One additional challenge I see is that if the fees vary by distance, the sender would still get some sort of an idea as to how far away you are, but that is probably acceptable.


In my European country we can use the personal identity card with the use of a USB to ID card converter(?) to log in to governmental resources, although people mostly use the SmartID because it's on the phone and free, unlike the SIM card authentication which is a bit more cumbersome.


It's interesting that Finland took that approach. In Portugal the government just created its own ID provider (https://www.autenticacao.gov.pt/), which lets you log in with your ID card (which is a PGP smartcard) or a two-factor PIN + mobile phone token.

The relationship is actually opposite: banks will let you log in on their sites using the government's ID provider. It's not mandatory, though.


I work in healthcare in the US, and using banks to perform auth is a fascinating concept. I also don't see the US ever adopting it due to nuances in American concepts of privacy. We don't mind sharing literally everything with a single entity, but once you get more than 1 entity involved, everyone freaks out. Using banks for auth would also eliminate the wide array of third party auth services, like Auth0. Eliminating the middle-man is very un-American.


I’m very interested in doing this as well, and have been trying to get the Login.gov folks (US centric) onboard (with Estonia’s electronic ID system as the model). We should chat!


Hi! I'm also working on something similar to this. If you want to chat, please reach out! fabian (at) flapplabs.se


You should take a look at SingPass[1], which is the Singapore government’s version of this. Most people[2] with a valid Singaporean ID card can register for it, and we use it for all kinds of stuff - signing in to government websites, opening bank accounts, checking in for covid contact tracing, etc.

1. https://www.singpass.gov.sg/

2. As far as I know, people on migrant worker visas aren’t allowed to use SingPass.


Hi! I’m working on a similar thing aiming at bringing a digital identity to everyone. I’d love to hear more about what you’re working on. You can reach me at fabian (at) flapplabs.se


Not the same, but this reminds me of https://keybase.io/



