Who cares about (Spanish) eID security?

I continue to be amazed by Spanish accountants and lawyers who apparently couldn’t care less about the security risks of asking their clients to hand over their government-signed eID private keys to electronically file forms. This entirely negates the point of digital signatures (that the owner never shares the private key, so signed data can be treated as coming from them with high probability)!

Today, when I refused to send my (general govt eID) private key as requested to a lawyer via (unencrypted, un-DELETABLE!) Slack DM, or their second offer, Gmail+password via Slack DM (!), they sarcastically responded: “Ok, perfect is better”. My “perfect” suggestion of Spanish favourite WhatsApp has finally been accepted 🤨 (I also offered iMessage or Signal).

I’m not sure how these advisers deal with clients who only use their ID card and a hardware reader to authenticate themselves to government websites (since you can’t export the ID card private key(s)). Although I’m guessing the number of hardware readers out there must be minuscule.

I’ve also been reminded by my ongoing adventures in Spanish bureaucracy that the most usable websites in the world are useless if you cannot be sure about the underlying rules you’re trying to comply with, which, even for many Spaniards, I imagine is rare 🫣

I’m fortunate I can afford to pay advisers to (largely) deal with these hassles. But it reminds me of the important policy question: how far do e-govt standards mandate support for delegation? Does #eIDAS2? Any of the EU’s “soft” standards for cross-border e-govt? This is a critical issue for anyone remotely supporting others interacting with government (family, carers…) and must be a widespread issue, as I’ve read even many Spaniards have to use “gestors” to manage their interactions with the state. Which enables (even encourages) the state to further complexify its rules 🤬

PS I then went back to trying to deal with the European Commission’s baroque two-factor authentication system. EIGHT challenge-responses later (to a SIM I had to dig out and put back in my phone) I installed the EU’s own 2FA app (because, of course, they can’t use standard passkeys or authenticators like everyone else).

20+ years on from the start of the “usable security” field, and still far too few system designers are listening 🤬