
Let me guess, this super secure one time password sent to your phone is sent via SMS?


You are right, it's such a shitty show; your auth is attached to your fingerprint and SMS. Everything, tax, bank, post, school, passport, hospital, everything is attached. Even your phone too, where you receive the SMS. Imagine the horror for people who lost their SIM card; to get a copy of the SIM they need the SMS code which was sent to their registered number; wait for it.. which was lost.


I agree with you that this is not the best system, but I think it's still better than any that was currently available. Earlier everything was linked to your driver's license, ration card, passport, etc., which was also equally easy to fake and less secure. Now with biometrics and SMS-based 2FA, it's at least more secure than the previous authentication mechanism.

With an authentication mechanism intended for a billion people, which includes some of the most poor and illiterate, you have to have a balance between security and ease of use. This is unfortunately a compromise, but should at least be x times better than the previous standard.

> Imagine the horror for people who lost their SIM card; to get a copy of SIM they need the SMS code which was sent to their registered number; wait for it.. which was lost.

Oh, please. They can go to the store and use their biometrics to get a new card. That's how I got a new SIM card when I lost mine.


Please try that again: first lock your biometrics, as the Aadhaar App & Website aggressively push you to secure them, then pretend for this experiment's sake that your SIM is lost, then go to the store asking for a new SIM.


Aadhaar also makes the government the owner of one's civil life. The Act literally says they can switch off Aadhaar, and no appeal or question can be made.


In the earlier system of ration cards for food, it was very rare to hear that somebody died because they couldn't get ration because their bio was not getting authenticated. In the Aadhaar case there have been such cases in double digits.


Because there was no authentication earlier? And one would easily replicate a fake ration card/passport to steal?

Maybe ration is a system where Aadhaar should not be applied, or a system of quick appeal should be created. But how is relying on pieces of paper like a birth certificate/ration card/passport a better system for authentication and identification?


> fake passport

Can you please read it again & think how many people you know or read about who had fake passports to get ration? Heck, people who need subsidized ration most probably do not even have the original passport & not even the need for that.

Only ration cards were used for ration, if you know, & some of them were specific. Light green A5 size booklets were the common ones, anybody could have one, but not everybody could get ration on it. So most of the time it was used as address & ID proof, as it had the address and photos of all family members. Only kerosene oil, sugar, soap was available on it. Then there were blue books, yellow cards etc. for people below the poverty line, enabling them free wheat, rice, salt etc.

Nobody could fake a ration card because the depot in-charge also had a master register, where the card details need to be matched.


They also offer in-person authentication via a fingerprint or iris scan for transactions needing more security.

https://m.indiamart.com/gsevensolution/aadhaar-biometric-uid...

However as stated above having some security in the authentication (SMS) is better than none (credit card).


yep, and wouldn't it be a paradise for a malicious person to install software on that authentication machine which sniffs off the biometrics and sends that to his server?


> yep, and wouldn't it be a paradise for a malicious person to install software on that authentication machine which sniffs off the biometrics and sends that to his server?

Sure. But using that data to impersonate someone by creating a 3D or silicone model of your fingerprints/iris needs a good amount of resources that your average Joe does not possess. Given enough resources, any means of authentication could be easily exploited.

Honestly, I am not being snarky, but could you please suggest a better authentication mechanism, that is more secure, but can be used easily by people who can't read/write or live in slums, or in small villages, and don't run into issues like forgetting the crypto key or losing the auth device?


Biometrics are broken by design.

If someone guesses a password, you can change the password. If someone gets a viable replay of a fingerprint or iris scan, you can't change it.

I wonder if a formalized "delegation of identity" system could solve the "missing key" problem.

When you have your key, you'd be able to issue "I trust this person/firm to reliably identify me" certificates to others. This could potentially be trusted friends/family/co-workers or even official "recovery services" that had different means to verify identity.

So if you lose your key down the road, you can bring one of these people along, and the fact they had your certificate, and vouched that they had identified you, would be considered legally equivalent to presenting your actual key, or allow the start of a key-reissue process.
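The delegation flow sketched in the comment above, as an added example that is not part of the thread or any commenter's code: the owner signs a certificate naming a delegate while still holding the key, and a registry later accepts the delegate's signed vouch for a replacement key. Ed25519, the message labels and all type and function names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// DelegationCert is issued by the owner while they still hold their key.
type DelegationCert struct {
	Owner, Delegate ed25519.PublicKey
	Sig             []byte // owner's signature over ("delegate:", Owner, Delegate)
}

// Vouch is made by the delegate after the owner has lost the key.
type Vouch struct {
	Cert   DelegationCert
	NewKey ed25519.PublicKey // replacement key to register for the owner
	Sig    []byte            // delegate's signature over ("vouch:", Owner, NewKey)
}

// msg builds the signed bytes; the label keeps the two statement types apart.
func msg(label string, a, b ed25519.PublicKey) []byte {
	return append(append([]byte(label), a...), b...)
}

func Issue(ownerPriv ed25519.PrivateKey, delegate ed25519.PublicKey) DelegationCert {
	owner := ownerPriv.Public().(ed25519.PublicKey)
	return DelegationCert{owner, delegate, ed25519.Sign(ownerPriv, msg("delegate:", owner, delegate))}
}

func VouchFor(delegatePriv ed25519.PrivateKey, c DelegationCert, newKey ed25519.PublicKey) Vouch {
	return Vouch{c, newKey, ed25519.Sign(delegatePriv, msg("vouch:", c.Owner, newKey))}
}

// Verify is the registry's check: the cert must be signed by the registered
// owner key, and the vouch by the delegate that this cert names.
func Verify(registered ed25519.PublicKey, v Vouch) bool {
	c := v.Cert
	return registered.Equal(c.Owner) && len(c.Delegate) == ed25519.PublicKeySize &&
		ed25519.Verify(c.Owner, msg("delegate:", c.Owner, c.Delegate), c.Sig) &&
		ed25519.Verify(c.Delegate, msg("vouch:", c.Owner, v.NewKey), v.Sig)
}

func main() {
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(rand.Reader)
	friendPub, friendPriv, _ := ed25519.GenerateKey(rand.Reader)
	newPub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println(Verify(ownerPub, VouchFor(friendPriv, Issue(ownerPriv, friendPub), newPub)))
}
```

The check proves only that the named delegate vouched; it has no expiry or revocation, and it cannot tell whether the delegate is honest.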


Registering other people who are able to identify you is an interesting idea, although it would fail for the hermits/paranoid who don't know/trust anybody and who would be screwed if they lost the key.


On the other hand, people trusted by other people are not necessarily trustworthy. If desperate or estranged they may sell out their friends/family for a little cash.


Really, not losing documents (at least not frequently) is one of the core requirements of bureaucracy. Permanent and semi-permanent documents are the basis of a modern society. It's no use trying to institute any laws when you can't count on people taking care of important items.



