Identification is not Authentication

I received a notification from my bank that my new credit card was available. This morning, I went to my local branch to pick it up. Because I don’t receive a new credit card every six months, each time I discover the new procedure my bank has implemented.

This time, good surprise: the new procedure uses the Belgian eID! The employee asked me to insert my card in the reader, but it did not ask me to enter my PIN code!? As explained during the last OWASP Belgian chapter meeting, an eID has three main usages: identification, authentication and digital signature of electronic documents. A definition of identification and authentication could be:

“Identification is the process by which the identity of a user is established, and authentication is the process by which a service confirms the claim of a user to use a specific identity by the use of credentials (usually a password or a certificate)” (source: ibm.com).

I asked the employee why the PIN code was not required. The answer was: “No problem, I just checked your picture on the eID!” Sorry, but this is NOT a valid mechanism to prove that I’m really the owner:

  • I may wear glasses or not
  • I may have longer hair
  • I may gain or lose weight

And the quality of the picture is really bad (black & white, poor resolution). Dear bank, please implement the eID correctly in your applications and request the owner’s PIN code to authenticate him! (two-factor authentication: something you have and something you know).
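To make the difference concrete, here is an added example (written for this post, not code from the bank or from the Belgian eID middleware) that models the two operations side by side. The card exposes an identity file that anyone holding the card can read (identification), and a challenge-response that it only performs after the PIN has been verified (authentication). The real eID answers the challenge with an RSA signature checked against the authentication certificate; this model substitutes an HMAC over a secret registered at enrollment, and the `EIDCard`, `BankCounter` names, the PIN `1234` and the customer data are all constructed for the example.

```python
import hashlib
import hmac
import secrets


class EIDCard:
    """Constructed model of an eID card: a readable identity file plus an
    authentication secret the card only uses after a successful PIN check.
    The HMAC below stands in for the real card's RSA signature (assumption)."""

    MAX_PIN_RETRIES = 3

    def __init__(self, identity, pin, auth_secret):
        self._identity = dict(identity)
        self._pin = pin
        self._auth_secret = auth_secret
        self._retries_left = self.MAX_PIN_RETRIES
        self._pin_verified = False

    def read_identity(self):
        """Identification: name, national number, photo. No PIN is involved,
        so whoever holds the card can read this."""
        return dict(self._identity)

    def verify_pin(self, pin):
        """Something you know. Three wrong attempts block the card."""
        if self._retries_left == 0:
            raise PermissionError("card blocked: PIN retry counter exhausted")
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._retries_left = self.MAX_PIN_RETRIES
            self._pin_verified = True
            return True
        self._retries_left -= 1
        self._pin_verified = False
        return False

    def sign_challenge(self, challenge):
        """Something you have: only the genuine card can compute this, and
        only after the PIN was verified for this operation."""
        if not self._pin_verified:
            raise PermissionError("PIN not verified")
        self._pin_verified = False  # one response per PIN verification
        return hmac.new(self._auth_secret, challenge, hashlib.sha256).digest()


class BankCounter:
    """Service side. Enrollment stores what is needed to verify the card's
    response (the shared secret here; the certificate's public key with the
    real eID)."""

    def __init__(self):
        self._enrolled = {}

    def enroll(self, national_number, auth_secret):
        self._enrolled[national_number] = auth_secret

    def identify(self, card):
        """What the employee did: read the identity file and look at the
        photo. This says whose card it is, not who is holding it."""
        return card.read_identity()

    def authenticate(self, card, pin):
        """Challenge-response gated by the PIN: possession plus knowledge."""
        identity = card.read_identity()
        secret = self._enrolled.get(identity["national_number"])
        if secret is None:
            return False
        challenge = secrets.token_bytes(32)  # fresh nonce, so no replay
        try:
            if not card.verify_pin(pin):
                return False
            response = card.sign_challenge(challenge)
        except PermissionError:
            return False
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def build_fixture():
    """Constructed sample data: one enrolled customer and her card."""
    secret = b"constructed-card-secret-not-a-real-key"
    identity = {
        "name": "Alice Example",
        "national_number": "00.00.00-000.00",
        "photo": "<low-resolution black & white image>",
    }
    card = EIDCard(identity, pin="1234", auth_secret=secret)
    bank = BankCounter()
    bank.enroll(identity["national_number"], secret)
    return bank, card


if __name__ == "__main__":
    bank, card = build_fixture()
    print("identification (no PIN):", bank.identify(card)["name"])
    print("authentication, wrong PIN:", bank.authenticate(card, "0000"))
    print("authentication, right PIN:", bank.authenticate(card, "1234"))
```

Running it shows the point of the post: `identify` returns the customer's name and photo without any PIN, so it proves only that the card is present, while `authenticate` succeeds only when the card that answers the challenge also accepted the PIN, and it fails closed once the retry counter is exhausted.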
