End of September, Switzerland will vote for E-ID. A big threat for our privacy as it will widely used for tons of new use cases.
Behind the government pitch of an “open source project, completely optional” hides big tech industry… Which will make it mandatory to access their services.
What are your thoughts on that ?
#Switzerland #Privacymatters
It doesn’t matter whether it’s a private or public service if they both use the same auth provider (beId). I wouldn’t be surprised if the SMS/TOTP options went away completely at some point for our “security”.
A different issue is that itsme is often the only option when doing things on mobile. Sure, you can avoid it for now, but it’s getting increasingly inconvenient to do so, unfortunately. I try to express my disappointment to itsme every now and then about the fact that they require Google’s SafetyNet and that the Connective Plugin needed to activate itsme in the first place doesn’t even work on Linux, but to no avail. They sent me a detailed email about setting up a Windows VM to get it working so credit where it’s due for the effort, but the situation is still bad…
Indeed that’s why TOTP, via e.g. Ente Auth, was a good surprise. I didn’t see it until now and I believe that’s the mobile alternative to ItsMe.
I don’t think it is because there’s only one authority, one identity provider, and that’s the federal government. All authentications pass through them. Enthe Auth or any other application will never be able to prove your identity without making an online call to the federal servers.
That’s what I was saying — sometimes the TOTP option is not available at all for certain services. Ente, Aegis, Bitwarden, etc won’t save you there and itsme remains the only option on mobile when that’s the case.
That’s actually a choice made by the service. The onboarding document has the options listed and they get to choose, which is imho stupid. Just offer all options.
Service A has email enabled, service B doesn’t. Since ACM/IDM is SSO you can first authenticate with service A with your email code and then go to service B already authenticated.
Should be illegal IMHO
Not really. I signed several contracts using ItsMe. That only works if my identity can be proven. No regular 2FA will be able to do that.