Switzerland narrowly approves plan for digital ID

If I can’t do things with my physical ID that my digital ID allows me to do, then that means the government lied about them being equivalent to one another.

And how should a physical ID work for SSO logins?

Just because different companies may have been contracted to create the IDs doesn’t change the fact that they are both government issued documents. Same if they are delivered by different departments.

No, because the ID-Austria as well as the E-ID and E-ID (Germany) are not documents. They are IDP services.

I am just saying that on principle, if any government says that digital ID is not mandatory but then prevents people who don’t want to opt in from working, then the government lied.

That’s a good point.

Increasingly, there are a lot of places that don’t accept cash, when it should be accepted everywhere when it’s in reasonable amounts. To me, this is the same form of discrimination.

That’s an entirely different topic and I agree that is worrying, and I have my own terrible experience (Amsterdam) with it, but at least here in Austria every shop needs to accept cash.

My claim is not that physical ID should work for SSO logins. I don’t even know what SSO means.

My claim is simply that if governments say that physical and digital IDs are equivalent and accepted in the same places, and it turns out not to be true, then they lied and were deceiving their constituents.

What is IDP?

Are digital IDs not digital documents, i.e. digital versions of physical documents?
In other words they are digital records of physical records. Do you disagree?

I am glad we can agree on that.

I was just trying to make a comparison to illustrate my point because I think the issue is similar, and people may have a better understanding with the cash analogy. It’s possible it doesn’t fit perfectly, but I think it’s similar enough.

My claim is not that physical ID should work for SSO logins. I don’t even know what SSO means.

I will try to explain it, but if you don’t understand something I would suggest copying my message and asking an LLM to explain it better.

SSO Login (with Google):


As you can see here, there is a button called “Login with Google”; that’s an SSO login.
If you now click on it, you will be redirected to Google and forced to sign in.

If you now sign in to Google, your Google account will be used to authenticate you on Grok. Grok itself gets your e-mail and an authentication token (similar to a session token), but no password or MFA information.
Google handles the data, security, identification, and authentication.
Grok handles authorization.

What is now the big benefit of SSO Logins like that? You don’t give Grok sensitive data in the Registration and Login process and Grok can outsource things.

What is the big benefit of SSO Logins inside an organization or government? You don’t need to have multiple logins for multiple services.

If we oversimplify it, it would look like this:

My claim is simply that if governments say that physical and digital IDs are equivalent and accepted in the same places, and it turns out not to be true, then they lied and were deceiving their constituents.

The problem is that not everyone understands this and knows what it is. So the government can’t just go here and say that this is an IDP. No one would understand it, so people try to explain it to the public with tangible examples that are not false or wrong, but if you look a bit deeper they aren’t good examples anymore.

Are digital IDs not digital documents, i.e. digital versions of physical documents?

No they are not.

In other words they are digital records of physical records. Do you disagree?

Yes.

If you have questions, please just let me know.

I know the privacy community is divided on this, and it’s not clear to me where the majority lies, but I’m not a fan of A.I. I’m amongst the A.I. skeptics who don’t trust it not just for privacy reasons, but also ethical reasons. I’m not convinced that even a private AI like Proton’s Lumo is a good thing. That’s why I try to avoid it.

Thank you for explaining. I think you did a great job. Visuals always help!

But doesn’t Grok or any other service you may sign in to via Google’s SSO get some data from your Google account?

E-Mail aliases were probably not as popular back then as they are now, but I have been avoiding social media SSOs for over a decade. I personally think that most people use them out of laziness because it’s faster to use an SSO than create an account with a username/email and password.

Correct me if I’m wrong, but it seems like you are suggesting that digital IDs are MORE than the digital versions of physical ID documents, they are a form of SSO, or at least they can be used as such.

If that is what you’re saying, you may be right. I would argue that physical IDs are kind of a physical SSO in that they are used to authenticate yourself in the real world, and sometimes in the digital world. Is that a fair analogy?

I know the privacy community is divided on this, and it’s not clear to me where the majority lies, but I’m not a fan of A.I. I’m amongst the A.I. skeptics who don’t trust it not just for privacy reasons, but also ethical reasons. I’m not convinced that even a private AI like Proton’s Lumo is a good thing. That’s why I try to avoid it.

No problem, it was just a suggestion.
But let’s focus on the main topic and not drive away.

Thank you for explaining. I think you did a great job. Visuals always help!

Thank you.

But doesn’t Grok or any other service you may sign in to via Google’s SSO get some data from your Google account?

Public SSO like the example from above uses OAuth, which doesn’t really give sensitive data; it only gives an authorization token (see it like the session token).

But this only applies to public SSOs. If you go into the organization-level IDP there is OAuth, SAML, LDAP, RADIUS, Kerberos and many more.

ID-Austria provides OAuth and SAML2.0 for the SPs. OAuth is a bit simpler and less granular, SAML2.0 is more complex and more in the direction of enterprise use cases.
Without a real-life example where I can research what it uses and which data it transfers, I’m unable to answer if the IDP gives the SP sensitive data.
One principle of the ID-Austria is data minimization.

E-Mail aliases were probably not as popular back then as they are now, but I have been avoiding social media SSOs for over a decade.

I can’t say for sure about public IDPs, but on an organization level (NGO, Government, Company and nation) it provides easy and secure logins, and it is a real lifesaver for security.

Correct me if I’m wrong, but it seems like you are suggesting that digital IDs are MORE than the digital versions of physical ID documents, they are a form of SSO, or at least they can be used as such.

They are an IDP and they aren’t a form of SSO, they are SSO.

If that is what you’re saying, you may be right. I would argue that physical IDs are kind of a physical SSO in that they are used to authenticate yourself in the real world, and sometimes in the digital world. Is that a fair analogy?

There are three stages:

  • Identification
  • Authentication
  • Authorization

Now it depends on the viewpoint if your statement is correct, and it is more of a philosophical question than a technical one.

1 Like
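The IdP/SP split discussed in this thread (the IdP checks the password, the SP only receives a signed token carrying the attributes released for the requested scopes), as an added example that is not part of any post and is not ID-Austria's or Google's code. The account, scope-to-claim mapping and shared HMAC key are constructed assumptions; real OAuth/OIDC deployments typically sign tokens with the IdP's private key instead of a shared secret.

```python
import base64, hashlib, hmac, json

# Constructed demo data. A real IdP stores a salted password hash, not plaintext.
IDP_KEY = b"constructed-demo-key"
IDP_USERS = {"alice@example.org": {"password": "correct horse",
                                   "name": "Alice Example",
                                   "birthdate": "1990-01-01"}}
# Hypothetical mapping: which account attributes each requested scope releases.
SCOPE_CLAIMS = {"email": ["email"], "profile": ["name"], "birthdate": ["birthdate"]}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(body: str) -> str:
    return _b64(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())

def idp_login(email, password, scopes, audience):
    """IdP side: authenticate the user, then issue a token for one SP."""
    user = IDP_USERS.get(email)
    if user is None or not hmac.compare_digest(user["password"].encode(),
                                               password.encode()):
        return None  # authentication failed, nothing is released
    record = dict(user, email=email)
    claims = {"aud": audience}
    for scope in scopes:  # data minimization: copy only what the scopes allow
        for name in SCOPE_CLAIMS.get(scope, []):
            claims[name] = record[name]
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"

def sp_accept(token, audience):
    """SP side: verify signature and audience, return the claims received."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig, _sign(body)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("aud") != audience:
        raise ValueError("token was issued for another SP")
    return claims

if __name__ == "__main__":
    tok = idp_login("alice@example.org", "correct horse", ["email"], "sp-one")
    print(sp_accept(tok, "sp-one"))  # what the SP learns: audience and e-mail only
```

Requesting `["email", "profile", "birthdate"]` instead shows how the data an SP receives grows with the scopes it asks for, which is the question to put to any real SP integration.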