Dutch digital identity verification system DigiD has announced the phasing out of SMS as a second factor. That way they require citizens to install a smartphone app in order to use digital services from the government, municipalities, the health sector and others. These applications only work on iOS and Android phones, with reliance on third-party services.
Plenty of members of our community choose not to use a device that is tied to vendor-specific services. There is a threat our community will practically be locked out of the digital infrastructure the government has set up for us to use. Official alternatives are to ask a friend with the app for help or go back to snail mail and physical meetings.
This is dreadfully bad, and illustrates just how badly we need rules and regulations in place to force governments to make access to their digital services completely platform-agnostic. The linked article references the German verification system, which published its code as open source, and allows anyone to make an application that uses it. The end result is a variety of open source alternatives, available on various platforms.
Thom Holwerda,
I very much agree with you. In the US the IRS is guilty of this too, with some of their properties blocking Linux browsers based on the user agent string. A plugin defeats that but it is such a bad-faith way to serve the public. It’s not just governments either though; many private corporate services do it too.
Last week FIDO passwordless authentication came up here on OSNews and I’m very concerned that it may have the potential to do the same by taking the owner’s choice out of the equation and giving it entirely to the remote services. I hate the idea that they should choose what hardware and software I am able to use for authentication. More often than not they’ll only support the iOS and Android duopoly.
> In the US the IRS is guilty of this too, with some of their properties blocking Linux browsers based on the user agent string.
Which ones? I don’t recall ever encountering this. (I believe you – I’m just curious.)
> Last week FIDO passwordless authentication came up here on OSNews and I’m very concerned that it may have the potential to do the same by taking the owner’s choice out of the equation and giving it entirely to the remote services. I hate the idea that they should choose what hardware and software I am able to use for authentication. More often than not they’ll only support the iOS and Android duopoly.
Isn’t FIDO open source? My understanding is that FIDO / U2F hardware keys work pretty much anywhere, and are based on open standards, and there are even entirely open hardware versions available (SoloKeys).
atrocia,
Well, I was referring to the account login on the irs.gov website, but since then the IRS announced that they would no longer permit taxpayers to access their own accounts without an ID.me account starting in 2022, and it appears that the old login is completely blocked for me. With that said, the new ID.me system gives the following unsupported browser notice with FF 91.7.0esr on Linux.
https://ibb.co/kJdwCHg
The last time I tried ID.me it was completely broken on both Linux/Chrome and Linux/Firefox and I had to give up. I couldn’t get into my account at all and it was a hard fail. And many others complained as well.
https://www.theverge.com/2022/2/11/22928082/id-me-irs-facial-recognition-overworked-employees
I hate that the ID.me BS is still going to be required going forward, ugh.
Yes, but it’s my understanding that the standard gives websites, and not the owners, control over which authentication methods to accept. In practice this could mean we’ll probably all be limited to using the dominant providers as chosen by the mainstream websites. The choice being theirs rather than ours leaves real concern for alternatives, but I hope I’m wrong about this.
This is such a huge step backwards and does not bode well for similar digital identity mechanisms around the world. Reliance on a mega-corporation’s proprietary[1] device is a recipe for disaster and renders a good portion of the populace to second class citizen status. You can’t afford an approved smartphone or choose not to use one? Well too bad, you get sent to the back of the line for any government services.
SMS isn’t perfect, but any phone connected to the cellular networks can receive and send that basic format; hell, I can build a device[2] for $50 that will send and receive SMS and make phone calls, and (at least here in the US) one can get a prepaid basic flip-phone for free when buying as little as a month’s service. That’s all that should be needed for access to basic, necessary government services.
[1] Yes, even Android devices are mostly proprietary, and the few that are mostly open source may not be available to the general public in certain countries.
[2] https://hackaday.io/project/19035-zerophone-a-raspberry-pi-smartphone
Morgan,
You put an emphasis on price, but IMHO duopoly coercion is a huge obstacle to competition even when devices can be had for cheap. The network effects can make it impractical and even impossible to choose alternatives. This is something I’ve encountered many times and while I am quite determined to choose alternatives where possible, most people will give up on alternatives when they are treated as second class citizens because of it.
I hope the Dutch government gets the message and tries to do better, but it’s a battle that’s being fought everywhere and unfortunately alternatives are losing or have already lost.
It does NOT impact a good portion of the populace. Almost everyone has a smartphone. There are about 10% of households in Denmark without one, clearly a minority. And people with smartphones but avoiding Google/Apple services are a fringe (I’m talking about the general population, not the audience of this site. But I believe “Google/Apple free” smartphone users are a fringe here, too).
SMS today provides ZERO security. It should not be used for any 2FA purposes, let alone doing business with the government. Having a choice of no 2FA (SMS counts as “no 2FA” in 2022) or using an app (excluding the 10% of households which probably wouldn’t be using e-government anyway), the Dutch government made the right choice. It would be a perfect choice if they had also published a specification and allowed third-party implementations.
I don’t think the FSFE is rooting for SMS 2FA. I guess what they want is a 2FA app that relies only on AOSP APIs and doesn’t depend on the Google Play Services APIs. Unfortunately for them, most people don’t even see where the problem is. As you say, anyone who has a smartphone but avoids Google/Apple services is a fringe minority among the general population. This is what happens when the FOSS community lets Google, Microsoft and Apple run loose because the FOSS community is too busy preaching about the evils of binary blobs and the like (aka, “we want everything to be done our way now, or we won’t play at all”).
So, the question is now more important than ever: who takes the reins of Desktop Linux and FOSS? The FSF is too purist and isolationist for the task, with the results you are seeing in the article.
And how do we break it to the Stallmanites that they cannot have FOSS purism and mainstream relevance at the same time? I am of the opinion that mainstream relevance for an OS is essential to avoid being locked out of the ability to communicate with other people and the ability to use e-services.
“Having a choice of no 2FA (SMS counts as “no 2FA” in 2022) or using an app (excluding the 10% of households which probably wouldn’t be using e-government anyway), the Dutch government made the right choice.”
No it did not, and it is highly misleading to pretend that those two options were the only available choices when even the aforementioned Google supports platform-independent 2FA protocols.
zdzichu,
The same could be said of fingerprints, which we literally leave traces of everywhere. The idea behind 2FA is that it’s supplemental. Most 2nd factors are weak by themselves but can help in a more cumulative way.
Anyways kurkosdr is right, people aren’t complaining about dropping SMS specifically so much as not having support for alternatives in some way. That’s the issue.
Do you believe in the concept of minority rights?
Bahahaha! This should be a huge wake-up call for people who subscribe to Stallman’s isolationist approach, aka the idea that it’s OK to use an OS that’s irrelevant in the marketplace as long as it’s 100% pure from a FOSS perspective.
The problem with this approach is that it leaves the battlefield clear to the likes of Apple, Microsoft and Google to do as they please. The FSF (and friends) got their taste of that during the late 90s and early 2000s, when a Microsoft near-monopoly led to the dominance of Microsoft-specific proprietary standards everywhere. WMA and DOC were everywhere, and some sites even required ActiveX to work (at least one radio station here in Greece did for its web radio functionality). Fortunately, with the rise of Firefox and the resurgence of Macs, the threat subsided (plus OpenOffice started offering DOC compatibility), and as a result, most people in the FOSS community thought the threat was over and gradually went back into their “from the developer for the developer” safe zone and preaching about the evils of binary blobs. But now that we have proprietary App Stores, proprietary apps for content delivery, and proprietary messaging protocols, the threat that everyone not using a specific OS will be locked out of content and out of communicating with other people is back with a vengeance.
The “solution” to this problem according to the FSF is that those app ecosystems and content are stupid anyway, and so are people using proprietary messaging platforms, so you shouldn’t care anyway. But ooops! a government is now also requiring the use of proprietary OSes to use their services. Now what? Seriously, now what Stallmanites?
The FSF is nice and all as a charity and advocate organization, but they are holding Desktop Linux back at this point (and yes, most of them see themselves as de facto leaders of the thing). The question is: who should take the reins? Valve (with SteamOS) and Google (with Android) have done more to advance OSS to the masses (but not FOSS) in the last 10 years, but they rely on proprietary services too much to be trusted. So, the question of “who should take the reins?” is more pressing than ever.
PS: Also, this will come as a surprise to the FSFE, but most people don’t see a crisis here.
kurkosdr,
Obviously this is bad for FOSS, but it’s worse than that. Coercing users to buy into a duopoly is bad for competition in general. I don’t know if you noticed, but even as a Linux user I’ve complained about the lack of adequate open source competition for Linux, because competition is critical to choice regardless of whether something is open or closed. And even when I was predominantly an MS user, I complained about the lack of competition there too. It’s a problem for everyone who believes that competition is the fundamental underpinning of capitalism, not just FOSS.
I fully agree with Thom on this one…
Basically the government is forcing people to use smartphones, even from specific vendors.
From another perspective, the latter proves the former. Google and Apple are so dominant in the market that consumers have no choice but to use their services. As such, the services require public oversight.
Yes, the Dutch government is itself perpetuating the situation, but they’re only doing what private industry has done for years.
BeginerX,
Yes, that’s exactly it.
There comes a point in a heavily consolidated market when dominant entities are so dominant that people just give up on alternatives altogether, thus shutting down the viability of competition. Once consolidated, given the lack of meaningful choice, it often becomes a decision about which option is least bad rather than an outright endorsement.
This has close parallels to (US) politics where 38% of the population identifies as independent and yet they resign themselves to registering and voting between the two dominant parties simply because the two party duopoly is so powerful.
https://www.pewresearch.org/fact-tank/2019/05/15/facts-about-us-political-independents/
The fewer meaningful choices we have, the greater the odds of people not being represented by any of the available choices. 🙁
In this world we are already very highly dependent on corporations and countries.
We can see it clearly with China, Russia, etc. right now. Those problems are only going to get worse.
Anyone with half a brain can figure out: we shouldn’t create more dependence.
At least some EU countries have chipped national ID cards so you only need a card reader and the digisign software.
Funny thing is, Dutch IDs have a chip, but I’m not sure what functionality it has (I think it is only used for checks at the border).
Governments won’t protect anybody in this case. In western countries the surveillance state can’t build the infrastructure and services on its own, hence it needs surveillance capitalism to do that for it. Surveillance capitalism gets the much-needed data, like medical information among everything else, and a legal framework for minor technical details such as the means of authenticating you. The surveillance state in return gets means of control and things like granting access and applying policy. For example, currently companies like Twitter already can and do decide if you can use their service or not. The state wants the same level of control in general. That is, whether you can access things like certain stores (not only on the internet), web sites, or the internet altogether. And much more than that. The corona crisis was basically a first real test of how this will work in public life. But this was done on a much smaller scale compared to the future. As for the social rating systems: people are used to this and chase likes and stars on the internet. No reason they wouldn’t chase some state-awarded points that enable them to get access to something, or certain benefits, or a public or any job. In addition, China is ahead of the west on this front and hence the west is in a bit of a hurry and envy. That is why we just get these things without any public discussion. We are way behind schedule. From the EU point of view there is likely a huge amount of lobbying from big tech companies in regards to the European Commission. A commission that is not elected by the public. Anyway, I wouldn’t worry about such apps too much. As this is just the first step. Like the TPM was optional at first. And now everybody is fine if it’s mandatory. No need to push it too hard. Better to do it in a couple of steps. In the future mobile phones will have such authentication built in. Likely citizens will be awarded such phones free of charge. That is, whether they like it or not. This is, I guess, the so-called “digitization revolution”.
That is a revolution where our governance and economic system has turned us into 0s and 1s. Into perfect digital slaves.
In short, I could agree this is the age of identity crisis. Or better, the age of the death of identity as we know it. And the birth of the digital identity.
But as always there is some irony in it. Isn’t there? As both the surveillance state and surveillance capitalism made political correctness the norm. They removed terms like master and slave. When it comes to hard drives. But what they did after is they built a whole social and economic system where they are masters and we are slaves. Slaves being too politically correct to call it what it is. Brilliant.
It looks like the same will happen in Norway, except with a system called BankID instead of SMS. The point is the same: BankID was platform-agnostic, while they currently want to switch to platform-specific apps.
I very much agree with Thom here!
Don’t we have a proper standard these days called FIDO2? Which has built-in secure storage (like TPM) support in Android, Windows, Mac OS X, Apple iOS and also Linux, I believe. Supported by devices like the YubiKey and its competitors.
I happen to be Dutch and I never looked into obtaining such a device. I’m afraid it would be a significant expense just to file taxes. In the past I never had troubles; the first year I had to file taxes, they provided a native GNU/Linux application to do it, and a similar application each following year. In the end they switched to using a web-based application. Unfortunate that their applications were not free, but at least they worked.
I hope I can at least bike to the library and do it there. I never ran into problems using my regular computer before though. Is it legal to require purchasing a specific device for things like taxes?
The Dutch COVID related applications are all on GitHub with a GPL compatible license, so I would expect this to become the case for any applications related to taxes as well.