| ▲ | rawgabbit 3 hours ago |
| It seems to me we must move away from worrying about ransomware, data breach, data protection as that ship has already sailed and everyone's PII has already been stolen. We should think of how to verify people's identities online (for things like government benefits etc). I have heard of the Dutch and the Japanese using national digital identity systems although I am unclear how they work. India is doing biometrics. I am curious what the US will eventually land on. |
|
| ▲ | afarah1 3 hours ago | parent | next [-] |
| Biometrics is just something else to get leaked, terrible idea because it's even more sensitive (can be used to track you through cameras for example, like used in the Iran war). This problem has long been solved with federated IdPs and MFA - something you own like OTP device/physical token besides something you know like SSN/tax id/password. Most governments prefer biometrics of course because citizen privacy is the opposite of what they want. |
| |
| ▲ | whyagaindavid 3 hours ago | parent | next [-] | | I would not go so far as to say all govts are like that. The main problem is that the majority of citizens cannot easily remember such things. Even the simple PIN that is included in EU ID cards - most people don't remember or use it. People want frictionless use. | |
| ▲ | yladiz 3 hours ago | parent | prev | next [-] | | > Most governments prefer biometrics of course because citizen privacy is the opposite of what they want.
Or... it's something that you always have on you which is incredibly hard to fake. | | |
| ▲ | jerf 2 hours ago | parent [-] | | You shouldn't model it as incredibly hard to fake. It isn't. It's harder than typing a password you've stolen into a web site, but if you set out to do it, it's not that much harder.
This is the primary reason I'm against biometrics used for identity. Yeah, the privacy invasion is a problem, but I think that's completely dominated by the fact that if everyone uses it, it will be leaked, and once leaked, can indeed be quite practically faked. If used as a password, it's a password you can never change. That is useless.
The difficulty of overcoming a security measure should be greater in cost than the thing it is valuing. The cost of, for instance, replicating a fingerprint given a photo of it, is basically a home hobbyist project for the weekend. Check out YouTube for many people who have done exactly that and give instructions how. When the cost of bypass is "home hobbyist project on a weekend", the value of what it should be expected to protect is correspondingly low.
(In fact I don't even use it on my cell phone, with all its access to bank accounts and Amazon accounts and other ways to spend my real money. The idea of a password to all that stuff that I leave arbitrary copies of sitting right on my screen is completely absurd. Everything important is locked behind codes and passwords. It's less convenient than fingerprints but at least those offer actual security.)
You also have to bear in mind the costs of the biometrics gathering. If you have a physical guard watching someone do a retinal scan and verifying that they have put their real eye up to it, you're at least on track to something that takes a lot of resources to overcome, especially if it's in combination with other techniques of identification. If you don't have that, now we're back to "how cheaply can we replicate whatever passes for a retina with this scanner" and that's likely to be cheaper than most people think.
Real-world biometrics are in places where attackers can perform arbitrary attacks with impunity. |
| |
| ▲ | rawgabbit 3 hours ago | parent | prev | next [-] | | Maybe in the future, our driver licenses will become a physical token? | |
| ▲ | anonym29 3 hours ago | parent | prev [-] | | Biometrics are the only credential you can't roll after compromise. | | |
| ▲ | lostlogin 2 hours ago | parent | next [-] | | It depends what the biometrics are. There have been successful hand transplants, so new fingerprints are possible, but completely impractical. https://en.wikipedia.org/wiki/Hand_transplantation | | |
| ▲ | ntoskrnl_exe an hour ago | parent [-] | | Thinking about it, I probably wouldn't remember to change my fingerprints to the new ones with all the services I use, I'd probably have to carry my "legacy fingerprints" wherever I go for some time to avoid a lockout. |
| |
| ▲ | tombrandis 2 hours ago | parent | prev | next [-] | | Kind of, but others are hard as well... most people don't change their name, date of birth or even email address when they are leaked. | |
| ▲ | artursapek 2 hours ago | parent | prev [-] | | This is exactly my problem with them. |
|
|
|
| ▲ | bdashdash 25 minutes ago | parent | prev | next [-] |
| In the Netherlands, there's a single ID you use for all official government services. It's essentially username/password with MFA, issued by the government. What is neat is you can scan your passport's NFC chip with your smartphone as a means to verify your identity through this system. Not sure how it solves any of the data breach issues, though. |
|
| ▲ | deltoidmaximus 3 hours ago | parent | prev | next [-] |
| Based on how things are, I feel like the US solution is just going to end up with me requiring a retinal scan to buy pants from Target online and then that scan will end up on the dark web along with my voice print and a scan of my driver's license. |
|
| ▲ | sofixa 2 hours ago | parent | prev | next [-] |
| > We should think of how to verify people's identities online
France already has that, in multiple ways. There is the France Connect SSO, which is kind of a federated SSO. You need at least one account which is physically proven (it could be with the Post Office, which sends you a letter with a code to confirm your address and identity / asks you to physically come to a post office for an ID inspection; the tax authority, where there are also multiple physical verification hoops; the social security system, same), and can use that via the SSO to authenticate to all government services. Separately, there is an app proposed that scans your physical ID's NFC chip with your biometrics, compares that to a selfie you take, and uses that identity to authenticate you to stuff. |
|
| ▲ | tomjen3 2 hours ago | parent | prev | next [-] |
| I can make a new password, hard to get a new eyeball. |
|