undefined | Better HN

0 pointsMashimo9d ago0 comments

> what's stopping my friend's 18 year old brother from lending his ID to every 14 year old at school?

MitID is 2fa. You log in with username, then you have to open the app, enter password or scan biometric, then scan the QR code of the screen* and you are logged in.

He would need to be next to you every time you log in. I think that is too high friction to make it feasible on large scale.

* Assuming you open the website on the Desktop, and MitID on phone. If both on phone, skip this step.

0 comments

marcta9d ago

If people have to go through OS auth flow each time they open a website, that will drive everyone mad. One of the key motivators for politicians is not making everyone mad, so the polls don't drop.

Also, I reckon most children know the password for their parent's phone or computer, and many more will find out if there is a highly motivational factor for doing so. How many exhausted parents just toss their phone to their child to stop them whining?

I suppose it could be a biometric sign-in with facial recognition or fingerprint, but again, that's a tonne of friction for the whole web.

MashimoOP9d ago

Most people use biometric for MitID, but yes you can set up pin login. Hopefully not the same as your phone login :D

It's already the single sign on for government websites, banking, healthcare, digital post, insurance, law (sign contracts) etc.

Shit man, you can get divorced through that. I really hope most parents don't give their kids access to it.

Ajedi329d ago

That's how the user interface works. What is it doing at the protocol level? What stops someone from building a service that mints anonymous verification codes on a massive scale and distributes them to anyone who asks? Maybe with the user interface being an app kids can download to scan any QR code and pass verification.

MashimoOP9d ago

I don't know. I would assume the account gets blocked if you do it on a larger scale, so you have to rotate account, which gets expensive fast as it's not easy to steal them?

snackbroken9d ago

> He would need to be next to you every time you log in.

Or you can just text him a screenshot of the QR code. You could probably even automate this.

MashimoOP9d ago

No, the QR code is changing every couple of seconds.

~Maybe~ you can video call, but again it's adding so much friction. Nothing is 100% secure.

snackbroken9d ago

The automated attack setup I'm envisioning is something like: 18 year old buys a cheapo laptop + phone and connects the two over ADB or some purpose built automation app (think appium). 18 year old puts the phone on a tripod pointed at the laptop screen. 14 year olds at school pay $10 a year for use of the service and install a browser extension that forwards the QR codes from whichever service they wanna use to the 18 year old's computer. Changing every couple of seconds is not an issue here, they all live in the same city and have <10ms ping.

The only high friction part of this is that someone needs to write the software for it, but that doesn't seem like all that difficult of a project and open source solutions are likely to appear within weeks of social media requiring it. If there really is no information shared with the other party beyond "yup, user is over the age of maturity" you could even run this as a free public TOR service without fear of ever getting caught.

1 more reply

j / k navigate · click thread line to collapse

0 comments

marcta9d ago

If people have to go through OS auth flow each time they open a website, that will drive everyone mad. One of the key motivators for politicians is not making everyone mad, so the polls don't drop.

I suppose it could be a biometric sign-in with facial recognition or fingerprint, but again, that's a tonne of friction for the whole web.

MashimoOP9d ago

Most people use biometric for MitID, but yes you can set up pin login. Hopefully not the same as your phone login :D

It's already the single sign on for government websites, banking, healthcare, digital post, insurance, law (sign contracts) etc.

Shit man, you can get divorced through that. I really hope most parents don't give their kids access to it.

Ajedi329d ago

MashimoOP9d ago

I don't know. I would assume the account gets blocked if you do it on a larger scale, so you have to rotate account, which gets expensive fast as it's not easy to steal them?

snackbroken9d ago

> He would need to be next to you every time you log in.

Or you can just text him a screenshot of the QR code. You could probably even automate this.

MashimoOP9d ago

No, the QR code is changing every couple of seconds.

~Maybe~ you can video call, but again it's adding so much friction. Nothing is 100% secure.

snackbroken9d ago

1 more reply

j / k navigate · click thread line to collapse