Compass Security Blog

Offensive Defense

ASFWS – SuisseID talk

Due to a canceled presentation, a slot became available Thursday afternoon and Dominique Bongard used this time for an improvised talk about SuisseID. Without any slides but by dynamically switching between different websites and documents, he started an interesting and interactive discussion with his public around the goals, limitations and risks linked to a SuisseID, a by-(Swiss)-law recognized electronic signature device.

Dominique started with an inventory of all the usages and abilities provided by SuisseID, as marketed on various websites. His focus was on how SuisseID could help a small Swiss startup to authenticate users and confronted this view to the current reality of e-commerce in Switzerland. He explicitly excluded from the scope of his talk all advantages of SuisseID for e-government tasks, as it gives no benefit for B2C interactions for a small company.

His observation was that all e-commerce websites having implemented SuisseID used it at best to replace the username/password authentication scheme, without any further data extract (e.g. name or address). His investigations also showed that several merchants who implemented SuisseID removed this feature since or plan to do so in the near future.

So why use SuisseID just as a login/password replacement, and not leverage further all the information contained within this famous electronic ID card? Well, this is exactly the issue in his opinion: while the marketing of SuisseID tries to sell it as an electronic ID card, it does just contain enough information to generate digital signatures, recognized by the Swiss law as an equivalent of your analogic signature.

Dominique investigated further and went ordering SuisseID devices from several providers, doing some social engineering at a Swiss Post counter, Mobilezone or at the desk of the local community administration. His conclusions are harsh, as some registration authorities did not run adequate identity checks before delivering a SuisseID.

The discussions and interactions of the public were really interesting, as it’s definitely a controversial topic. On one hand we have the fear of a Big Brother where all our data is recorded, on the other side there are many reasons why such a device should include as many data as possible for the sake of simplicity and convenience.

Swiss government instances are trying to push SuisseID as it’s (in my opinion) a required step for good e-Government solutions. As a final thought, a participant mentioned that the probable entry of Swisscom as SuisseID provider, combined with an offer based on mobile devices, may accelerate the trend and result in a tighter and more convenient integration between a digital signature, customer details and payment features.

2 Comments

  1. I see what I have missed, even without the slides. As a owner of a SuisseID, I’m still disappointed by its limited use to me – standing here on the personal (consumer) side.

  2. Alexandre Herzog

    December 25, 2012 at 12:20

    I’m also an owner of a SuisseID, and use it from time to time but almost exclusively for eGovernment tasks (ordering official extracts or filling out my taxes). In this regard I’m really happy about the time I win in the official ordering procedure, as I don’t have to make copies of my ID, send it per post etc.

    But I also agree with you – I barely used my token on any B2C website and never signed any electronic document or contract using my digital signature. Fact is that this type of transaction is never yet required.

    I’m looking forward to the changes planned by the Swiss legislator as announced less than a week ago, especially the feature authorizing the usage of signatures not bound to a physical person but to moral entities:
    http://www.news.admin.ch/message/index.html?lang=de&msg-id=47264

Leave a Reply

Your email address will not be published. Required fields are marked *