BankId and Digital Exclusion

by Martin Monperrus

Sweden is a highly digitalized society, at every layer. Digital transformation is happening everywhere, and the Swedish banking sector was, and still is, at the front line of this transformation.

In a digital world, the problem of authentication is key. How does a bank, a government agency or a company make sure that a user is the one she claims to be?

The primitive solution to this problem is that each company defines its own service with a login and password. This is how the early Internet exclusively worked and how it still works today in many countries. Yet there are numerous problems with this login/password approach, both with respect to usability and security. How does one avoid having to remember all those passwords? How does one enforce strong passwords and secure password storage?

Authentication is Core Public Infrastructure

To overcome those problems, one solution is to have a shared authentication service across institutions and companies. Authentication is generic: it goes beyond traditional boundaries, and as such it can be shared across both private and public institutions, across government agencies, across companies, etc. A dependable and cost-effective shared authentication service is essential for building advanced, fully digitalized societies.

Shared authentication services already exist. On many websites, you can click on “Login with Facebook” or “Sign in with Google”: it basically means that Facebook or Google acts as the authentication service. Those services are reliable but controlled by private American companies. Privacy is a problem there: knowing which digital services (which bank? which insurance? which restaurant booking portal? etc.) are used by an individual represents a lot of private information. As such, it is not satisfactory to rely on Facebook or Google as an authentication service.

In Sweden, the need for a shared authentication service was felt and addressed early, in order to unlock digitalization. It has resulted in a dominant, almost monopolistic authentication service called BankId. As the name suggests, it has been developed by a consortium of banks. (In Sweden, it is a tradition that banks provide authentication.) BankId is used everywhere: to connect to internet banking, to government agencies (e.g. the tax office, social security, etc.), to e-commerce websites, etc.

This is great: Sweden is digitalized, with a shared authentication service that is not controlled by a private non-Swedish company (read: non-American big tech). Yet BankId is broken. In this post, I explain why and how the current version of BankId is a bad solution, bad for Swedish society and its core values. I argue that BankId is an example of what NOT to do in a digital society.

If you’re interested in translating this document into Swedish, drop me an email. –Martin

BankId

Short introduction: BankId has different flavors. It can be used with a Windows or Apple computer (desktop or laptop), and it can be used on mobile devices (aka Mobilt BankId) running iOS, Android, and Windows Mobile; see http://install.bankid.com/.

The major problems with BankId are monopoly and closedness, resulting in digital exclusion and security problems.

Monopoly

BankId has a huge market share of authentication in Sweden (>95%?). One sometimes sees competitors (e.g. “Connect with Telia/Nordea”), but very rarely. In many services and websites, BankId is the only available authentication service. When this is the only possible authentication scheme, if one has no BankId (for some reason), one is simply excluded from using those services. Period. Because of the monopoly, when one disagrees with something in BankId (say the principle, or the design, or the governance), there is no way to put pressure on the BankId consortium by using another service.

Closedness

BankId has decided to rely on closed protocols and implementations, as opposed to open protocols. In computing, when a system is closed, it means that it is impossible for others to inter-operate with or to extend the system. For instance, since Microsoft DOC is a closed format, one can rarely correctly modify a DOC file without using Microsoft Word (this is one of Microsoft’s tricks to maintain a monopoly over office software). In the context of BankId, closedness means that one cannot write a new piece of software to connect to the BankId servers. Nobody can interact with BankId outside the provided desktop and mobile apps.

Exclusion

The BankId consortium has decided to only support the mainstream computing devices: Windows desktops, Android (phones, tablets), macOS and iOS (iPhone, iPad). By doing so, they undoubtedly cover the majority of the market. At the same time, it means that they directly exclude the rest of the population, those who do not own one of those devices for various reasons. Examples of excluded people are: owners of regular mobile phones (not smartphones), owners of Linux laptops, and owners of old Android phones (where the version is too old for BankId). None of them can connect to services which use BankId for authentication.

It should be noted that it would be prohibitively expensive for BankId to support all possible computing platforms. What makes this design choice particularly exclusionary is that the system is monopolistic and closed:

Security

Authentication must be secure. The BankId system is closed. In other words, it relies on security through obscurity. This is a notoriously bad approach, and rather ironic in Swedish society, which is so proud of being founded on transparency.

Cost

Each time one uses BankId, the service provider has to pay a fee to the BankId consortium (approx. 0.25KR today AFAIK). This is normal, as developing and operating such a service costs real money. Now, realize that each time somebody connects to skatteverket.se (tax office) or forsakringskassan.se (social security), those government agencies pay something. Over millions of connections, the yearly fee must be huge. To put it bluntly, taxpayer money goes into the pocket of the BankId consortium, which is privately owned. This is not a problem as long as the cost is a fair one, which is yet to be proven in the context of BankId.

No Public Control

When a service becomes part of the digital infrastructure of a society, the people must have some control over it. When significant taxpayer money goes into a private organization, there must also be some control. To my understanding, BankId meets both of those criteria: it has become critical and it represents a lot of money. Yet, to my knowledge, the Swedish people have no control at all over BankId.

Future

Anne-Marie Eklund-Löwinder points out that there is some hope:

Conclusion

There must be a better solution than the current BankId. That solution would be open, inclusive, secure and regulated.

For instance, the e-authentication of Estonia is fully open. One can access the code to verify its security or to build new services that inter-operate with it. The system is open even in its name: it is called open-eid (for Open Electronic Identity), see https://github.com/open-eid/.

Sweden, you deeply know that transparency and openness are essential. You have forgotten those two essential principles when building your core authentication infrastructure. Sweden, the power of transparency and openness applies to the digital world as well.

–Martin Monperrus
Professor of Software Technology at KTH Royal Institute of Technology
November 2018
