
This exists in some European countries; in Hungary, for example, you have an identity service (KAU) which authenticates you and operates as an SSO provider across a number of different government properties.


The United States has it, too: https://login.gov

But with a government as large as America's it's going to take time to get everyone converted to the new system.


FWIW, as a regular user of login.gov, from the outside, it looks like a well-designed system. I am able to add strong forms of 2FA (e.g., security keys or biometric authenticators), it requires strong passwords, etc. It also has decent developer documentation, has a support process, and comes with a vulnerability disclosure form baked into the main website. However, I have not used their API, nor have I seen any of the code (although I wonder if a FOIA request would actually compel them to give it to you).


> although I wonder if a FOIA request would actually compel them to give it to you

I believe most of it is open source: https://github.com/18F/identity-idp


The first bullet point on the /partners page of login.gov (regarding who should use it) says:

> You are part of a federal agency or a state, local, or territory government

I'm talking about a more generic service that any random industry system or individual can use. The way many websites use Google's OAuth without really using Google's APIs. Things that just want someone else (Google) to handle asking for and authenticating a name/password.


Not 100% sure how I feel about random companies being able to definitively identify me. I’m sure we’re drifting in that direction anyway, but it feels like it would negatively impact privacy online.


> Not 100% sure how I feel about random companies being able to definitively identify me.

But that is not what we are talking about. It is not that you are browsing the web randomly and some random company identifies you as d1sxeyes.

It is that you can identify yourself towards any company if you choose to. Then you can decide if that is in your best interest or not.


It also is not necessarily your actual ID. As far as the individual website needs to know, it could just be a random string of numbers and letters. As long as it's the same string each time they ask the authentication authority to confirm you.
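
The per-site "random string" described in the comment above, sketched as an added example (not part of the thread and not the code of login.gov, KAU or any other provider): the identity provider derives a different, stable identifier for each website, the same idea as pairwise subject identifiers in OpenID Connect. The HMAC construction, the function names and the `.example` hostnames are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a secret known only to the identity provider. Without it, two
# websites cannot recompute or match each other's identifiers.
PROVIDER_SECRET = secrets.token_bytes(32)


def pairwise_subject(secret: bytes, site: str, account_id: str) -> str:
    """Return the identifier that `site` is given for `account_id`."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    fields = (site.lower().encode(), account_id.encode())
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def linkable(subject_a: str, subject_b: str) -> bool:
    """What two colluding sites can do: compare the strings they were given."""
    return hmac.compare_digest(subject_a, subject_b)


def demo() -> dict:
    account = "citizen-0001"  # constructed internal account id, never sent to sites
    first_login = pairwise_subject(PROVIDER_SECRET, "shop.example", account)
    second_login = pairwise_subject(PROVIDER_SECRET, "shop.example", account)
    other_site = pairwise_subject(PROVIDER_SECRET, "forum.example", account)
    return {
        # Same site, same person: the string repeats, so the site recognises them.
        "stable_for_one_site": linkable(first_login, second_login),
        # Different sites: the strings differ, so they cannot be joined on this value.
        "linkable_across_sites": linkable(first_login, other_site),
        # The identifier itself carries no trace of the real account id.
        "leaks_account_id": account in first_login,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The unlinkability holds only for this identifier: if the provider also releases an e-mail address or legal name to each site, the sites can correlate on that instead.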


Americans as a whole are so allergic to government doing anything that we can't even get a national ID system nor a centralized database of gun sales or ownership. The bogeyman of evil Big Government, privacy, and censorship gets invoked. It's fine if the Free Market does it, so Google, Facebook, Amazon, Twitter, Microsoft, et al get a free pass.


The "free" market, i.e., government-funded market.



