Kohtala
Making moves
Status: New idea

Some background first: Many countries and organizations issue smart cards that carry a certificate that can be used to authenticate the user. To log in, a service implements an https endpoint that asks for a client certificate. The client certificate is used only on this one endpoint to log in. After receiving the certificate, it creates a usual session that runs without the client certificate.

This is very nice since it is free for service providers. Technically very simple. And for the user very safe. If the smart card gets lost, the certificate can be revoked. There is no fear of loss of access to an account because authorities verify the person and issue a new card to regain access. The subject identifier has a serial number to identify the user even in the case that the subject has been issued a new card after the name has been changed (marriage etc.). And use of the card stays between me and the service provider. Authorities do not know where it is used. I wish more services accepted these cards so I could be me at the services.

You can see an example of how it works at https://dvv.fi/en/test-the-use-of-a-certificate. You may not have a card, but you find everything up to that point there. Documentation is also close by.

You sometimes need to access these services over a mobile phone. Mobile phones do not have a slot for a smart card reader, but fortunately they often have NFC and the card can also be used over NFC.

It of course requires the card to be held against the phone when being accessed. And selecting one of the many certificates on the card. And typing a PIN to get the card to use the private key. But since the service asks for the certificate only once during login, there is only this one moment during the one TLS handshake accessing the endpoint where these acrobatics need to be performed.

A curious mind can find the identification in production at https://www.suomi.fi/frontpage by clicking Identification. The endpoint used for asking the certificate is at https://kortti.tunnistautuminen.suomi.fi/certcheck.

I found a list of European countries where this would be useful at https://www.readid.com/blog/european-identity-cards. I believe India also has issued some cards, but I am not sure if they would work with this. I expect it to become more common day by day. It has some potential in terms of number of users.
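The login flow described in this post (one TLS handshake with the card certificate at a dedicated endpoint, then an ordinary cookie session with no certificate involved), as an added example in Go that is not part of the post and not code from DVV or suomi.fi. Everything in it is constructed: a throwaway issuing CA named "Example Card CA", one card certificate whose subject serialNumber attribute is "constructed-0001", an in-memory session store, and a `/me` path standing in for any service page; only the `/certcheck` path name comes from the post. The production setup puts certcheck on its own hostname so the browser is prompted for a certificate only there; this example simplifies that to one test server that verifies a card certificate whenever the client offers one and only requires it in the `/certcheck` handler. The browser is simulated by an `http.Client`: with the card certificate for the single handshake, then without it, carrying only the cookie.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
	"sync"
	"time"
)
var sessions sync.Map // session token -> subject serial number of the card holder (constructed in-memory store)

// certcheck is the only handler that looks at the client certificate; one verified handshake becomes a cookie session.
func certcheck(w http.ResponseWriter, r *http.Request) {
	if r.TLS == nil || len(r.TLS.VerifiedChains) == 0 || r.TLS.VerifiedChains[0][0].Subject.SerialNumber == "" {
		http.Error(w, "verified client certificate with a subject serial number required", http.StatusUnauthorized)
		return
	}
	serial := r.TLS.VerifiedChains[0][0].Subject.SerialNumber // stable across a renewed card with a new name; the CN is not
	tok := make([]byte, 32)
	rand.Read(tok) // crypto/rand.Read does not return an error (documented since Go 1.24)
	token := fmt.Sprintf("%x", tok)
	sessions.Store(token, serial)
	http.SetCookie(w, &http.Cookie{Name: "session", Value: token, Path: "/", HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode})
	w.WriteHeader(http.StatusNoContent)
}

func me(w http.ResponseWriter, r *http.Request) { // answers from the session cookie alone; no certificate is involved
	if c, err := r.Cookie("session"); err == nil {
		if serial, ok := sessions.Load(c.Value); ok {
			fmt.Fprint(w, serial)
			return
		}
	}
	http.Error(w, "no valid session", http.StatusUnauthorized)
}

// issue signs tmpl (valid for a day) with parentKey; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Setup builds a constructed card CA, one card under it, and a TLS server that verifies a card certificate whenever offered.
func Setup() (*httptest.Server, tls.Certificate) {
	ca, caKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, Subject: pkix.Name{CommonName: "Example Card CA"}}, nil, nil)
	card, cardKey := issue(&x509.Certificate{SerialNumber: big.NewInt(2), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		Subject: pkix.Name{CommonName: "Test Person", SerialNumber: "constructed-0001"}}, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	mux := http.NewServeMux()
	mux.HandleFunc("/certcheck", certcheck)
	mux.HandleFunc("/me", me)
	srv := httptest.NewUnstartedServer(mux)
	srv.TLS = &tls.Config{ClientAuth: tls.VerifyClientCertIfGiven, ClientCAs: pool, MinVersion: tls.VersionTLS12}
	srv.StartTLS()
	return srv, tls.Certificate{Certificate: [][]byte{card.Raw}, PrivateKey: cardKey}
}

// Login does the one handshake with the card (the browser's job once the user picked the certificate and typed the PIN)
// and returns a card-free client that carries only the session cookie, like the browser after the card is put away.
func Login(srv *httptest.Server, card tls.Certificate) (*http.Client, error) {
	jar, _ := cookiejar.New(nil)
	tr := srv.Client().Transport.(*http.Transport).Clone()
	tr.TLSClientConfig.Certificates = []tls.Certificate{card}
	resp, err := (&http.Client{Transport: tr, Jar: jar}).Get(srv.URL + "/certcheck")
	if err != nil {
		return nil, err
	}
	if resp.Body.Close(); resp.StatusCode != http.StatusNoContent {
		return nil, fmt.Errorf("certcheck: %s", resp.Status)
	}
	return &http.Client{Transport: srv.Client().Transport, Jar: jar}, nil
}

func WhoAmI(srv *httptest.Server, c *http.Client) (int, string) { // asks /me with whatever cookies the client holds
	resp, err := c.Get(srv.URL + "/me")
	if err != nil {
		return 0, err.Error()
	}
	body, _ := io.ReadAll(resp.Body)
	resp.Body.Close()
	return resp.StatusCode, string(body)
}
```

Two design choices follow the post directly: the session is keyed on the subject serialNumber attribute rather than the common name, so a renewed card issued after a name change maps to the same account, and the card is needed for exactly one TLS handshake, after which the session cookie (HttpOnly, Secure, SameSite) is the only credential in play. The server also refuses a `/certcheck` request that arrives without a verified certificate or with a certificate that lacks a subject serial number.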

2 Comments
Status changed to: New idea
Jon
Community Manager

Thanks for submitting an idea to the Mozilla Connect community! Your idea is now open to votes and comments.

Please feel free to use this space (the comments below) to add any more details to your idea—this helps when our product teams review everything.

Drew
Making moves

This post is technically over my head, but it sounds like it's advocating for a feature that I really need. I work for a small organization you may have heard of, the United States Government. We have smart cards called PIV Cards (Personal Identity Verification) which we use to authenticate into all kinds of things throughout the day (buildings, computers, VPNs, web-portals). In particular, there are a bunch of web-based services that we use in our daily work duties.

I use Firefox as my primary web browser, but I necessarily need to keep a Chromium based browser around for all of the things I need my PIV card for. When I try to authenticate using my PIV card in Firefox, I end up with this message asking me to connect a smart card when one is already connected and cannot continue.

[Attached screenshot: Drew_0-1663861968868.png]

Please build in, fix, support, look into or whatever you have to do so that I can use Firefox to authenticate using my PIV card.