656 points EthanHeilman | 33 comments
1. adreamingsoul ◴[] No.30103816[source]
Here in Norway we have BankID which uses MFA. To access any government, banking, or official system you have to authenticate with your BankID.

It's simply amazing.

replies(8): >>30103945 #>>30103980 #>>30104019 #>>30104025 #>>30104329 #>>30104701 #>>30104874 #>>30113601 #
2. brimble ◴[] No.30103945[source]
There's significant bi-partisan resistance, in the US, to anything like a national ID, unfortunately, with the result that we have one anyway (because of course we do, the modern world doesn't work without it) it's just an ad-hoc combination of other forms of ID, terrible to work with, heavily reliant on commercial 3rd parties, unreliable, and laughably insecure. But the end result is still a whole bunch of public and private databases that personally identify us and contain tons of information—kind of by necessity, actually, since our ID is a combination of tons of things.

It's a very frustrating situation. Worst of both worlds.

replies(1): >>30105029 #
3. thomascgalvin ◴[] No.30103980[source]
In America, about 30% of the population would start screaming about the Mark of the Beast if we tried to roll out something like this.
replies(2): >>30104141 #>>30104929 #
4. paganel ◴[] No.30104019[source]
What happens to the people who are not banked?
replies(1): >>30111282 #
5. mkohlmyr ◴[] No.30104025[source]
We have that in Sweden too. As an expat it's a complete nightmare for me from day one. Getting my bank to successfully issue it was impossible.

First, in the days before mobile bank-id, they sent windows-only hardware as I recall. Then came the days of letters/cards/hardware getting lost in the mail.

I gave up on it in the end. I have multiple things (banking-wise) I no longer have online access to because of it.

If you're going to make one system to rule them all you need to make sure the logistics actually work.

replies(1): >>30111262 #
6. toomuchtodo ◴[] No.30104141[source]
Which is why you ignore them. No reason for a nation to be held back by this type of person. Same reason you don’t take cancer treatment advice from someone who suggests juicing.
replies(1): >>30104616 #
7. Sesse__ ◴[] No.30104329[source]
BankID: A system with a secret spec, where the bank holds your secret key, there is no transparency log whatsoever (so you have no idea what your bank used that secret key for), can be used to authenticate as yourself almost everywhere, and where you can get huge, legally binding bank loans in minutes (and transfer the money away) with no further authentication.

Oh, and if you choose to not participate in this system, enjoy trying to find out the results of your covid test :-) (I ended up getting a Buypass card, but they officially support only Windows and macOS.)

8. ketzo ◴[] No.30104616{3}[source]
That 30% of the population translates to about 45% of federal elected representatives. Not quite as easy as "ignoring them," sadly.
replies(1): >>30104653 #
9. ◴[] No.30104653{4}[source]
10. jollybean ◴[] No.30104701[source]
That's all good except for the 'bank' part.

It was expedient but banks are not the orgs. that should be running that.

Every nation needs to turn their Drivers ID and Passport authorities into 'Ministry of Identity' and issue fobs, passwords that can be used on the basis of some standard. Or something like that, maybe quasi distributed.

replies(2): >>30106218 #>>30109138 #
11. zajio1am ◴[] No.30104874[source]
Here in Czechia we have BankID and it is problematic:

1) No verification that the user trusts that particular bank to perform this service. Most banks just deployed BankID for all their customers.

2) No verification between bank and government ensuring that a particular person can be represented by a particular bank. In principle a bank could impersonate a person even if that person has no legal relation with that bank.

3) Bank authentication is generally bad. Either login+SMS, or proprietary smartphone applications. No FIDO U2F or any token based systems.

Fortunately, there are also alternatives for identification to government services:

1) Government ID card with smartcard chip. But not everyone has a new version of ID card (old version does not have chip). It also requires separate hardware (smartcard reader) and some software middleware.

2) MojeID service (mojeid.cz) that uses FIDO U2F token.

Disclaimer: working for CZ.NIC org that also offers MojeID service.

replies(1): >>30107486 #
12. jandrewrogers ◴[] No.30104929[source]
There is a large contingent of non-religious people who are against it on civil liberties grounds. The resistance to it truly crosses both parties, and it requires the cooperation of the States, which makes it politically non-viable as a practical matter.
replies(1): >>30106151 #
13. seniorThrowaway ◴[] No.30105029[source]
I've done some thinking about this, and a possible solution is a bunch of cross signed CA's like the Federal common policy / FPKI for cross trust amongst federal agencies, but done at a state DMV / DPS level. Driver's licenses / state IDs could have certs embedded into the cards and then be used for things like accessing government websites, banks, etc. Yes there are some access concerns, and some privacy concerns that this is in essence a national ID, but what we have now is horribly broken, and we're already being tracked. We get all the downside of pervasive tracking, but none of the upside.
replies(1): >>30106094 #
14. currency ◴[] No.30106094{3}[source]
Would that look anything like the REAL ID system?[0]

[0]https://www.tsa.gov/real-id

15. kelnos ◴[] No.30106151{3}[source]
The thing I don't get about the non-religious arguments is that we already have a national ID, it's just a patchwork system of unreliable, not-particularly-secure forms of identification that are a pain in the ass for a regular citizen to have to deal with. And the REAL ID stuff essentially makes state IDs conform to a national ID specification anyway.

And regardless, if you do want a national US ID, you just get a passport, and it'll be accepted as a form of ID everywhere a state-issued driver's license or state ID is accepted. Of course, in this case it's technically voluntary, and many Americans don't travel internationally and don't bother to get a passport.

replies(2): >>30107139 #>>30108391 #
16. kelnos ◴[] No.30106218[source]
I hear people say all the time that, in the US, the Postal Service would be great for this, and I can't help but agree. Sure, they'd have to develop in-house expertise around these sorts of security systems (just as any new federal government agency put in charge of this would have to do), which could be difficult. But they have the ability to distribute forms, documentation, and tokens to pretty much everyone in the US, with physical locations nearly everywhere that can be used to reach those who don't have physical addresses.
replies(1): >>30110236 #
17. jandrewrogers ◴[] No.30107139{4}[source]
Many State governments do not recognize a US passport as valid ID. This was unexpected when I first encountered an example of it, but apparently that is normal and I was just the last person to find out. The REAL ID legislation only regulates processing and format, there is no enforceable requirement to share that with the Federal government and many States (both red and blue) do not in practice. States recognize the ID of other States, as is required by the Constitution.

Because there is no official national ID system, you can do virtually everything Federally with a stack of affidavits and pretty thin "evidence" that you are who you claim to be. They strongly prefer that you have something resembling ID but it isn't strictly required. This also creates a national ID bootstrapping problem insofar as millions of Americans don't have proof that they are Americans because there was never a requirement of having documentary evidence. As a consequence, government processes are forgiving of people that have no "real" identification documents because so many people have fallen through the cracks historically.

Of course, this has been widely abused historically, so the US government has relatively sophisticated methods for "duck typing" identities by inference these days.

replies(1): >>30156453 #
18. mormegil ◴[] No.30107486[source]
#2 and partially #1 are solved by regulation and reputation: banks are highly regulated business, and BankID support requires specific security audit.

Ad #3: FIDO is basically unusable for banking. It's designed for user authentication, not transaction signatures which banks need (and must do because of the PSD2 regulation).

replies(1): >>30109686 #
19. mindslight ◴[] No.30108391{4}[source]
> The thing I don't get about the non-religious arguments is that we already have a national ID, it's just a patchwork system of unreliable, not-particularly-secure forms of identification

Yes, and this unreliable patchwork is already being heavily abused by surveillance companies (eg Equifax, Google, LexisNexis, Facebook, Retail Equation, etc) involuntarily storing our personal information - creating permanent records on us that we can only guess the contents and scope of, sorting us into prescriptive classes so that we can be better managed, and completely unaccountable to even their most egregious victims.

Social security numbers were promised to only be used for purposes of administering social security, and yet now they're required by many businesses for keying into that surveillance matrix. The main thing holding back more businesses from asking for identifiers is that people are hesitant to give them out.

Before there is any talk of strengthening identification, we need a US GDPR codifying a basic right to privacy. Until I'm able to fully control the surveillance industry's dossiers on me (inspection, selective deletion, prohibit future collection), I'll oppose anything that would further empower them.

replies(1): >>30156463 #
20. withinboredom ◴[] No.30109138[source]
Here in the Netherlands we have DigID. It’s actually pretty awesome.
21. tialaramex ◴[] No.30109686{3}[source]
If banks were actually onboard with this stuff, I'm pretty sure you can either make this happen in FIDO2 anyway, or you could add a FIDO extension that does it and get big vendors like Yubico to support that extension. Notice that off-line authenticating a Windows 10 PC relies on hmac-secret in FIDO, which is not a core FIDO feature, but it got ratified because there's a use for it, and a Yubikey can do hmac-secret.

But I do not see any such engagement from banks.

Transaction signatures are good if well implemented, but I'm not seeing a lot of good implementations. To be effective the user needs to understand what's going on so that they're appropriately suspicious when approached by crooks.

e.g. if I just know I had to enter 58430012 to send my niece $12, I don't end up learning why and when crooks persuade me to enter 58436500 I won't spot that this is actually authorising a $6500 transfer and I should be alarmed.

replies(1): >>30112008 #
22. thaeli ◴[] No.30110236{3}[source]
So does the Social Security Administration, and they already administer the closest thing to a national ID number we have.
23. adreamingsoul ◴[] No.30111262[source]
(3 years ago I moved to Norway) It took me about a month to get into the system, but once I had my national ID it took about a week for my MFA dongle to arrive. After that it has been a great experience.
24. adreamingsoul ◴[] No.30111282[source]
There are alternatives. For example, MiniID and BuypassID.
replies(1): >>30114456 #
25. mormegil ◴[] No.30112008{4}[source]
I think the FIDO Alliance is already discussing solutions to these use cases. (And also this is a bit circular reasoning, isn’t it? “Why don’t you use the XYZ standard? Because it does not support our use case. So why don’t you cooperate on adding support to the standard? Why? So that you can use the XYZ standard!”) Also, I think there already are extensions supporting some basic forms of this, however, they are not supported very well.

But I’m afraid the basic prerequisite of secure transaction signing (“what you see is what you sign”) cannot be fulfilled on a generic “FIDO2 authenticator” – you need the authenticator to have a display. Sure, Windows Hello / Android FIDO / … might support this, but your common hardware Yubikey cannot.

I don’t know to which authentication method used by which bank in which country you refer in your “58430012” example, but this is definitely nothing which could be used as a method of transaction signatures in banks here, and it does not fulfill the requirements of the PSD2 regulation.

replies(1): >>30113744 #
26. tallanvor ◴[] No.30113601[source]
The problem with BankID is that for older accounts, there's no real guarantee you are who you claim to be.

I mean, sure, my bank in Norway has my account tied to a person number, but they don't actually know that when I log in with bankid that I really am the person associated with that person number. --Theoretically the post office was supposed to verify my identity before they gave me the packet containing the code brick, but they forgot to do so - this was over 10 years ago before they had to register the ID details.

So basically I have a highly trusted way of authenticating to financial and government services in Norway even though nobody actually knows that I am who I claimed to be when I opened the bank account, set up BankID, etc.

27. tialaramex ◴[] No.30113744{5}[source]
Which requirement of PSD2 do you think is so stringent?

I have three bank accounts here:

One of them (my good bank) has a chiclet keypad physical authenticator which needs these manual codes entering to get a value back that proves I used the authenticator.

The large European bank that handles my salary and so on, relies on SMS entirely, I ask to perform a transaction, they send an SMS with a code, I type it into a box on the web site. The SMS is trying to tell me what that transaction is, and has improved (it used to say things like GBP20000 which, yes everybody on Hacker News knows what that means but I bet my grandmother wouldn't, today it says £20 000 which is easier to understand) but notice that the code you get isn't related to the transaction details, it's just an arbitrary code. So I needn't understand the transaction to copy-paste the code.

The third bank is owned by the British government and so is inherently safe with unlimited funds unlike a commercial bank (they can and do print money to fund withdrawals, they're the government) but they too use SMS and their SMS messages are... not good. Of course unlike a commercial bank if they get fined for not obeying security rules that's the government fining the government, who cares?

FIDO would be obviously better than the latter two, and I don't see any reason that (with some effort) it couldn't improve on the first one as well.

replies(1): >>30125008 #
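
The "enter a code, get a code back" keypad authenticator described in comments 21 and 27 can be modelled in a few lines. The following is an added example, not code from the thread or from any bank: the code the user keys in is built from the recipient account ending and the amount (so "$12 to ...5843" becomes 58430012, as in comment 21), the authenticator answers with a keyed MAC over that code, and the bank recomputes the MAC from the transaction it is actually about to execute. The key, account numbers and amounts are constructed for the demo. The two scenarios at the end show the point made in the thread: because the response is bound to the code, a browser-side swap of the transaction is caught only if the user recognises that the displayed code is not the code for the transfer they wanted; if they copy whatever is shown, the tampered transfer verifies. The unbound SMS code from comment 27 is included for contrast.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed demo key. In the real scheme it exists only inside the keypad
# authenticator and in the bank's hardware security module.
AUTHENTICATOR_KEY = bytes.fromhex("0f" * 32)  # hypothetical, not a real secret


@dataclass(frozen=True)
class Transfer:
    recipient_account: str  # digits only in this model
    amount_units: int       # whole currency units, 0..9999 for the 8-digit code


def challenge_for(tx: Transfer) -> str:
    """Bank side: the 8-digit code the user keys into the authenticator.
    Last four digits of the recipient account, then the amount zero-padded
    to four digits, so "$12 to ...5843" becomes 58430012."""
    if not 0 <= tx.amount_units <= 9999:
        raise ValueError("amount does not fit the 4-digit field of this scheme")
    return f"{tx.recipient_account[-4:]}{tx.amount_units:04d}"


def describe_challenge(code: str) -> tuple[str, int]:
    """What a user who understands the encoding can read off the code:
    (recipient account ending, amount). 58436500 -> ("5843", 6500)."""
    return code[:4], int(code[4:])


def authenticator_response(key: bytes, challenge: str) -> str:
    """Authenticator side: keyed MAC over the typed challenge, truncated to 8 digits."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def bank_verifies(key: bytes, executed_tx: Transfer, response: str) -> bool:
    """Bank side: recompute from the transaction it is about to execute. A response
    produced for a different amount or recipient does not match."""
    expected = authenticator_response(key, challenge_for(executed_tx))
    return hmac.compare_digest(expected, response)


def verify_unbound_sms_code(sent_code: str, typed_code: str) -> bool:
    """Contrast: the arbitrary SMS code from comment 27. Nothing about the
    transaction enters the check, so a tampered transaction passes as long as
    the user copies the code across."""
    return hmac.compare_digest(sent_code, typed_code)


def scenario_man_in_browser(user_enters_displayed_code: bool) -> bool:
    """Intended: $12 to the niece. Malware in the browser swaps in $6500 to another
    account before the request reaches the bank, so the bank shows the code for the
    tampered transfer. Returns whether the bank accepts the tampered transfer."""
    intended = Transfer(recipient_account="12345843", amount_units=12)
    tampered = Transfer(recipient_account="99990001", amount_units=6500)
    code_shown = challenge_for(tampered)  # "00016500": the 6500 is visible in it
    if user_enters_displayed_code:
        typed = code_shown                # user copies it without reading
    else:
        typed = challenge_for(intended)   # user keys the code for the $12 transfer they meant
    response = authenticator_response(AUTHENTICATOR_KEY, typed)
    return bank_verifies(AUTHENTICATOR_KEY, tampered, response)
```

The defensive lesson is the one the thread reaches: the binding only helps when the user can read the code, so the bank's UI (or the authenticator's own display, where it has one) has to spell out "account ending 5843, amount 12" next to the code rather than presenting eight opaque digits.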
28. teddyh ◴[] No.30114456{3}[source]
From what I can tell, both of those are only for Norway?
29. mormegil ◴[] No.30125008{6}[source]
Oh, I misunderstood. You enter the mentioned code into an authentication calculator which emits the signature code which is then used. Yeah, that probably fulfills the PSD2 requirements, though I agree it's not exactly good UX and very secure for common users. That (well, and mostly the cost) is the reason everyone goes to mobile authentication apps nowadays.

SMS authentication is... well by one reading of PSD2, it's not acceptable. But in real world, it is basically necessary, and not _that_ insecure (if you ignore SIM swapping attacks etc.). The WYSIWYS aspect comes not from the code but from the message text, which is crucial (and per PSD2, should include at least the amount and... receiver? I forgot). But sure, if people don't read or understand the message, it's not ideal...

While FIDO provides better phishing resistance (than SMS, not necessarily than authentication apps), it doesn't protect against transaction modification (e.g. man in the browser) and for people who care about and understand security, it is strictly worse.

replies(2): >>30131103 #>>30132803 #
30. zajio1am ◴[] No.30131103{7}[source]
> While FIDO provides better phishing resistance (than SMS, not necessarily than authentication apps), it doesn't protect against transaction modification (e.g. man in the browser) and for people who care about and understand security, it is strictly worse.

'man in the browser' seems like a situation where the user's device is compromised. In that case it is not a big stretch that not only the browser could be compromised, but also the SMS reading app.

I.e., the reasonable security requirement should not be security against 'man in the browser', but security against 'user device is compromised'. In that case SMS is worse, as the attacker could completely bypass it, while for FIDO it still needs to phish the user to press the button.

31. tialaramex ◴[] No.30132803{7}[source]
> (than SMS, not necessarily than authentication apps)

Very dubious. The trick to phishing is that humans are easily confused about what's going on, and WebAuthn recruits the browser to fix that completely. Your browser isn't confused, the browser knows it is talking to fakebank.example because that's the DNS name which is its business, even if this looks exactly like the Real Bank web site, perfect to the pixel and even fakes the browser chrome to have a URL bar that says realbank.example as you expected.

I don't see bank authentication apps helping here. It's very easy to accidentally reassure the poor humans everything is fine when they're being robbed, because the authentication part seemed to work.

I'm somebody who really cares about and would like to think they understand security very much, and I don't think it's strictly worse at all.

One of the things banks have an ongoing problem with is insider facilitated crime. Which means secrets are a big problem, because the bank (and thus, crooked staff working for the bank) know those secrets. Most of these PSD2 "compliant" solutions rely on secrets, and so are vulnerable to bank insiders. FIDO avoids that because it doesn't rely on secrets†.

† Technically a typical Security Key has a "secret" key [typically 256-bit AES] baked inside it, but a better word would be symmetric rather than secret, there is no other copy of that symmetric key, so it isn't functionally secret.
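
The mechanism behind "the browser knows it is talking to fakebank.example" in the comment above is that WebAuthn has the browser, not the web page, write the origin into the client data the authenticator signs, and the authenticator signs over a hash of the RP ID the credential is scoped to. The model below is an added example, not code from the thread or from any WebAuthn implementation. An HMAC stands in for the authenticator's asymmetric signature so the script runs with only the standard library; what it demonstrates is what the signature covers and what the relying party checks, which does not depend on the primitive. The hostnames realbank.example and fakebank.example are taken from the comment; the key and challenge bytes are constructed.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed demo values. A real credential key pair is generated inside the
# authenticator and the bank sends fresh random challenge bytes for every login.
CREDENTIAL_KEY = b"demo-credential-key-not-a-real-secret"
BANK_CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
BANK_RP_ID = "realbank.example"
BANK_ORIGIN = "https://realbank.example"


def rp_id_hash(rp_id: str) -> bytes:
    """authenticatorData begins with SHA-256 of the RP ID the credential is scoped to."""
    return hashlib.sha256(rp_id.encode()).digest()


def browser_allows_rp_id(origin: str, rp_id: str) -> bool:
    """Browser-side check: the requested RP ID must equal the page's host or be a
    registrable suffix of it. Simplified: the real rule also rejects public suffixes."""
    host = urlparse(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def browser_builds_client_data(origin: str, challenge: bytes) -> bytes:
    """The browser, not the web page, records the origin it is really connected to."""
    client_data = {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin}
    return json.dumps(client_data, sort_keys=True).encode()


def authenticator_signs(cred_key: bytes, rp_id: str, client_data: bytes) -> dict:
    """Authenticator side: sign authenticatorData || SHA-256(clientDataJSON).
    The HMAC here stands in for the credential's ECDSA signature (model simplification)."""
    authenticator_data = rp_id_hash(rp_id) + b"\x01"  # flags byte: user present
    signed_payload = authenticator_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(cred_key, signed_payload, hashlib.sha256).digest()
    return {"authenticator_data": authenticator_data, "client_data": client_data, "signature": signature}


def relying_party_verifies(cred_key: bytes, rp_id: str, expected_origin: str,
                           expected_challenge: bytes, assertion: dict) -> bool:
    """Bank side: each check is one way a phished or replayed assertion is rejected."""
    client_data = json.loads(assertion["client_data"])
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("origin") != expected_origin:               # collected on another site
        return False
    if client_data.get("challenge") != expected_challenge.hex():   # replay of an old assertion
        return False
    if assertion["authenticator_data"][:32] != rp_id_hash(rp_id):  # credential scoped elsewhere
        return False
    signed_payload = assertion["authenticator_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(cred_key, signed_payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def legit_login() -> bool:
    """User really is on realbank.example: every check passes."""
    client_data = browser_builds_client_data(BANK_ORIGIN, BANK_CHALLENGE)
    assertion = authenticator_signs(CREDENTIAL_KEY, BANK_RP_ID, client_data)
    return relying_party_verifies(CREDENTIAL_KEY, BANK_RP_ID, BANK_ORIGIN, BANK_CHALLENGE, assertion)


def phished_login() -> bool:
    """Pixel-perfect clone at fakebank.example relays the bank's real challenge.
    Layer 1: the browser refuses a request for realbank.example's RP ID from that host.
    Layer 2: even if an assertion were produced, the origin the browser wrote into
    the client data is fakebank.example, so the bank rejects it."""
    phish_origin = "https://fakebank.example"
    if browser_allows_rp_id(phish_origin, BANK_RP_ID):
        raise AssertionError("browser should refuse a foreign RP ID")
    client_data = browser_builds_client_data(phish_origin, BANK_CHALLENGE)
    assertion = authenticator_signs(CREDENTIAL_KEY, BANK_RP_ID, client_data)
    return relying_party_verifies(CREDENTIAL_KEY, BANK_RP_ID, BANK_ORIGIN, BANK_CHALLENGE, assertion)
```

Note the division of labour: the user never has to read a URL bar, the page cannot influence the origin field, and the bank compares that field against its own origin before it even looks at the signature. That is the property the comment contrasts with authentication apps, where a user who has been tricked into approving a login at the wrong site has nothing comparable working on their behalf.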

32. kelnos ◴[] No.30156453{5}[source]
> Many State governments do not recognize a US passport as valid ID.

Whoa, I did not know this. That's wild.

33. kelnos ◴[] No.30156463{5}[source]
> Before there is any talk of strengthening identification, we need a US GDPR codifying a basic right to privacy.

That's a fair point, agreed. Privacy needs to be legally recognized as a strong right before we allow more centralization of this sort of thing. (Though sadly it's already pretty centralized, just not by the federal government.)