The province of Ontario, Canada, is pursuing phone-based identity

Here’s the user guide:
https://docs.bluink.ca/eid-me/guide.html

I wonder if this is the same sort of thing that Apple and Google both appear to be working on for upcoming versions of their mobile phone OSes.

Reading the manual, it appears to be quite a pain to set up, but I suppose it’s good that they take pains to get it right. I thought the requirement that you be home at the address on file with your driver’s license was an interesting additional requirement. The requirement for a passport seems a bit much though… I assume added simply because they think it would be harder to spoof the ePassport chip. (Everything else seeming to be picture taking, and subject to spoofing by a clever Photoshop artist.)

The use of Bluetooth for in-person verification seems a lot better of an idea than having to hand over your unlocked phone to some stranger. I’m not sure I understand the security of the online version though, because they claim to keep no information on their servers. I gather the idea is they have a proprietary protocol between you and their server, and between the server and any service verifying your identity that replaces the Bluetooth protocol.

2 Likes

I forgot to note that they claim to allow passwordless login to supporting sites:

2 Likes

I suppose I’m just cynical, but I can’t shake the feeling that this is like putting up an enormous neon sign saying “New Hacking Challenge!!!”…

1 Like

For the most part, identity validation in Canada requires a photo ID or SIN number as a copy or data entry requirement. This is sufficient for legal purposes and for validating account creation for banking and mobile phone operators in accordance with Provincial and Federal Government regulations. Local regulations usually do not require this step but Privacy laws are applicable and must be made clear in the presence of electronic or printed forms.

The passport validation is never a requirement in Canada but often used for international parties. We still cannot use it to validate an ePassport, however, some Federal agencies can use it to validate your identity and other Government records by using its own identifier along with other forms of identification.

Aside from that, Government entities like to use passports as validation because it is very difficult to forge or duplicate a Canadian passport because of the complexity in creating them. This is also why our passport application may be a much longer process and could take 3-5 days to print a Canadian passport. In some situations such as Airport screenings we can use a special reader to validate the ink and use an ePassport reader to validate the chip readout in an electronic passport.

No doubt, if this is the only security method. AES is still vulnerable to cipher cracking.

Your eID-Me identity is secured in a digital wallet within your eID-Me app. Your identity information is protected using AES 256-bit encryption and the strongest security mechanisms available on your phone.

The correct way would be to encrypt the database itself with a key and in turn give you another key to access it. Very few companies have learned this one.