I wrote earlier about the threats that are currently attacking computer systems in our society, and we can also see that there are new attempts at increasing the security of those systems. However, there is an inherent problem in computer security, namely the transparency and usability of the systems. It seems that it is very difficult to create security systems that are easy to use. We have become used to writing our passwords on sticky notes and pasting them on the screen, and we put our PIN codes on small paper notes in the wallet so that we will not forget them when we really need them. The reason for this is of course that the passwords, in order to be strong, have to be more than impossible to remember. Even worse is that in order to be really safe (according to the professional advice), you should have different passwords everywhere. And there are also all the many PIN codes to all the cards we have.
One important property of the human being is the limitation of memory. We have problems remembering meaningless things, such as the recommended password: “gCjn*wZEZK^gN0HGFg4wUAws”. So people tend not to have that kind of password, which of course leads to decreased security. Well, in some sense we also solved this problem by adding two-step verification, i.e., the “if-you-don’t-have-your-phone-you-are-lost”-verification. This, of course, has to be interleaved with “find a motorcycle” or “find the traffic lights” games, to prove that you are not a robot (!).
Now it has become better, we have biometric security. We use the fingerprint or facial recognition methods. Only problem is that after a day of work in the garden, the fingerprints are no longer recognizable, and after a severe accident, the face may not look at all like yourself anymore, so you cannot call your family to say that you are OK. Well, at least it is safe, isn’t it?
Yes, but not when it comes to the current means for BankID, the virtual identification used in Sweden. Yes, of course it works when you want to log into your bank in order to handle your affairs. It is an accepted identification method. BUT not when you want to move your BankID to a new telephone! To do so, you now (after the last change) have to scan your passport or national ID-card. The most common means of identification, which in Sweden is your driver’s license, is on the other hand NOT accepted.
You might think that this should not be a problem, since everybody will surely have a passport today? But, no, that is not the case. As anecdotal evidence I will relate my father's situation:
My father just turned 90 years old. He is still a young man in an old body, so he has an iMac, an iPad, a laser printer, etc. at home. He is in fact a quite heavy tech user for his age. He also had an old smartphone that started to lose its battery charging, so he was given a new smartphone as one of the birthday presents. The transfer of the data went smoothly and without any hiccups, until it was time to use the BankID on the new phone. It was of course not transferred. Thus, we ordered a new BankID on his bank and signed it with his BankID on his new phone. But now…
Who is being excluded by the design?
My father decided to quit driving several years ago. However, he still kept his driver's license and even had it renewed without problems. Although an ex-globetrotter, he also reckoned that he needed no passport anymore. So, when I asked him for an ID, he produced the driver's license. That did of course not work, although it is valid as identification in most other places. It was not an option to go to the bank and identify himself. They cannot validate the BankID. It has to be done through the web page and the app. Sorry!
So, now I have to take my father through the heavy cold and snow to the police station to get a new passport, which is only going to be used one single time, that is, in order to install the BankID. Where is the user-friendly procedure in this?
I would think that my father is not the only person who is using the driver’s license as identification. I assume that many older people, for example, will have a similar problem when they need to get a new BankID (provided that they even use a smartphone).
Where is the human-friendly procedure for establishing the identity? Why can we, for example, no longer trust the people at the bank to identify a person with a valid identification and flick a switch to accept the ID? To make the issue a bit more general: Where has the consequence analysis gone when we make these kinds of decisions? Or even better stated:
Who is going to be excluded by the new design or decision?