
The SPID according to Cassandra

Warning: this post was written more than 2 years ago.

This is a text automatically translated from Italian. If you appreciate our work and if you like reading it in your language, consider a donation to allow us to continue doing it and improving it.

The articles of Cassandra Crossing are under the CC BY-SA 4.0 license | Cassandra Crossing is a column created by Marco Calamari under the "nom de plume" of Cassandra, born in 2005.

After our article on SPID (which received many comments and visits 🧡) we decided to collect Cassandra's thoughts, doubts and prophecies on SPID. We note how some requests and needs have remained almost completely unanswered, such as the use of physical tokens for the OTP code: at present only the provider Aruba offers it! Finally, the 2016 opinion of NIST (National Institute of Standards and Technology).

Enjoy the reading!

This article was written on April 21, 2016 by Cassandra

Flashes of Cassandra/Is SPID stillborn?

Two-factor authentication systems operated via SMS suffer from structural problems, research from the University of Amsterdam suggests. SPID-2 is based precisely on this mechanism.

Probably even some of the 24 well-informed readers don't know SPID, acronym for "Public Digital Identity System", which defines itself as "the solution for accessing all online services of the public administration and of private parties with a single Digital Identity". Therefore, before moving on to gloomy prophecies, Cassandra is obliged to provide some information, which is in any case very easily available on the Internet.

SPID, also known to those with long memories as "Renzi's PIN", is a public system for the creation and distribution of digital identities, controlled by the Italian State and operated by private providers certified by it and registered in a special register. It is in fact managed exactly as was done for Certified Electronic Mail, with which, fortunately, both a useful tool for the citizen and an honest business for some IT services companies were created. The problems that currently afflict SPID are of two types: commercial and technical.

The commercial one, due as usual to an artfully packaged announcement ("only companies with at least 5 million euros in turnover"), seems to have been recently resolved.

The technical problems have only just begun, but they are already very worrying: let's take a moment to see why. Anyone who needs a digital identity buys it from a provider of their choice: there are currently three.

The providers, equipped with an adequate certified administrative and technical structure, identify the person, verify their identity and issue the requested credentials. With these credentials the user can (soon) authenticate to all public administration sites and services, and to all commercial sites and services that choose to adopt it.

And for the first two years the credentials are also free. "All" and "Free". Nice huh?

Yes, but also no, and let's see why.

There are three types of credentials: SPID-1, SPID-2 and SPID-3.

SPID-1 is a fixed username with a user-modifiable password: good for authenticating on a social network or a mailing list, but certainly not for a tax return, a payment, a vote or the filing of a balance sheet. According to Cassandra it should not even exist, because it promotes a culture of insecurity.

SPID-3 is authentication with a digital token. For now nobody provides it, so it is difficult to give an opinion on it, except that it is the triplication of two other services that could be used with the same effectiveness, i.e. the digital signature device and the National Services Card (usually coinciding with the health card). Since it is not a duplication but a triplication, SPID-3 should not exist either.

SPID-2 is two-factor authentication: username and password, combined with a temporary code that is sent via SMS or generated by a dedicated mobile app. Already widespread and used above all by banks, it also exists in a different, safer and more expensive version, in which the temporary code is generated every minute by a small token with an LCD display that is kept at home or on the key ring. SPID-2, however, does not provide for the physical token, but only the SMS version. And here comes the pain.

In fact, a very interesting paper from the University of Amsterdam has been published, entitled "How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication", i.e. "How the integration of smartphones and PCs has just killed two-factor authentication via SMS". We are talking about the well-known synchronisations across the various clouds and between the various operating systems of our technological gadgets, which are very convenient but also very risky, and not just for privacy.

The 17 lucid pages detail, in precise and relentless prose, the implementation of targeted attacks against systems using temporary codes via SMS, in both Android and iOS environments, and conclude that keeping two-factor authentication via SMS reasonably secure will be a difficult and expensive challenge.

For those who will not find the time to read the paper (and it is a pity), it is important to underline that the problem reported is not the simple exploitation of a couple of bugs, which will then be corrected and the problem solved with them. The problem outlined is more systemic and deeper, therefore also more serious and difficult to correct, given that it conflicts with the usability of products: it is the problem of allowing multiple devices to synchronise automatically, and in various ways, with each other and with the cloud. Mechanisms of this type, which continually multiply because they are increasingly necessary, can be abused even without real software bugs, because they have to make different devices talk to each other without disturbing the user too much (and therefore produce more "beautiful" products); they will always be intrinsically weak because, for commercial reasons, they must first of all be flexible and easy to use.

Thus security, which has always been the Cinderella of consumer electronics, will be considered even less, when instead the paper, in its conclusions, underlines that the intrinsic security problems will become increasingly serious, to the point of being unmanageable. Read it, also because the Agency for Digital Italy (AgID) probably didn't have the time to do so.

If SPID-2 were instead two-factor authentication with hardware tokens, even though still susceptible to Man-in-the-Browser (MitB) attacks, it would be far more difficult to crack, and above all to crack on a large scale.

So what? So even if SPID-2 was not actually stillborn, it is unfortunately a newborn at very serious risk. Cassandra considers it a decidedly inadvisable solution, like its two sisters. Nothing more remains to be said about SPID as an Italian digital initiative. The broader problem of having a single digital identity, instead, deserves some further consideration. The violation of your (hypothetical) SPID credentials involves much more serious dangers than simply emptying your bank account. The credentials are "you" everywhere. They must be kept safe and used with care. Being unique, they could be used to impersonate you and carry out actions on countless sites and services that you don't even know exist.

This is why, according to Cassandra, what was said at the time about CEC-PAC and the other Italian digital horror stories also applies to SPID:

Not even for free.

This article was written on May 26, 2016 by Cassandra

Flashes of Cassandra 372/ SPID, a debate is essential

Cassandra's report on SPID's structural flaws has been picked up, but doubts remain. For this reason a discussion between experts and institutions is a must. Maybe in the context of e-privacy.

SPID was the subject of Cassandra's outburst a few weeks ago. Digital Agenda, an online information newspaper that tracks Italy's steps towards digitalisation, today publishes a response with clarifications.
First of all, Cassandra thanks the authors of the article, two representatives of a company that operates in the field of digitalisation, and the newspaper for the interesting dialectic, and takes the opportunity to invite aspiring speakers, representatives of the newspaper or of AgID, to the 2016 edition of e-privacy, which will take place on 24 and 25 June in Pisa and whose theme, "SPID and Digital Identity", is entirely dedicated to these issues.

Having said this, and getting to the substance, the clarification article by Digital Agenda is interesting, but in the writer's opinion it does not respond to any of the points raised in Cassandra's article, nor to those of the University of Amsterdam paper that the article cited. In essence, the authors' response contains an excellent detailed explanation of how "Man in the Browser" attacks work, and the reductive and not very useful conclusion that if the PC is infected there is nothing that can be done; it also mentions an interesting article on the legal responsibilities in a situation of this type.

However, it leaves unanswered most of the issues raised by Cassandra's paper and article: let's summarize and clarify them briefly.

The paper concludes by essentially arguing that, with the increase in complexity of the personal IT ecosystem, two-factor authentication is starting to be insufficient, and that in any case the version with software tokens (SMS on mobile phones) is much weaker than the one with hardware tokens (the key ring with the number that changes every minute), and for this reason the former must be discarded in favour of the latter.

In fact, the most advanced malware, after infecting the PC, also attempts to infect the mobile phone. When the operation succeeds, instead of having to wait for the user to carry out a single transaction in order to make one and only one fraudulent transaction, it can begin to operate in the name and on behalf of the user in an unlimited number of transactions, completely invisible to the user. If the compromised method is not that of a single bank but that of a digital identity such as SPID-2, the malware can operate not only on the compromised site but on any other site that uses SPID-2 with SMS, always without the user, who in the meantime may even be in bed sleeping, noticing anything. Quantitatively the difference in risk is abysmal, and unfortunately the article does not mention it.

The countermeasure would be very simple: it would be enough for SPID-2 providers to be obliged to offer only the version with a One Time Password generator (the key ring with a small number that changes every minute), and all these risk profiles would disappear. But it costs more, and coincidentally none of the three current (and future) SPID providers offers it, just as none offers the even safer SPID-3.

The Digital Agenda article does not even respond to the claim that SPID-1, supplied together with SPID-2, is so risky, for similar reasons, that it should not (in this writer's opinion) even exist, and that the only reasonably secure digital identity infrastructure is SPID-3.

SPID-3, however, not only does not yet exist, but is not even necessary, as there are two systems already in place: the CNS - National Services Card (health card) and the Certified Electronic Signature (the ordinary signature devices). There is still room for discussion, and e-privacy would be an excellent channel to serve the public well by providing complete information on the opportunities and risks of a public digital identity system. I therefore renew the invitation to discuss in Pisa on 24 and 25 June. We are waiting for you.

This article was written on July 28, 2016 by Cassandra

Flashes of Cassandra/ SPID2, the NIST opinion

In the USA, two-factor authentication via SMS is rejected and will soon disappear from circulation. And it's not just about malware.

SPID2 has already been the subject of Cassandra's comments: our friend claimed that the current SPID offer, limited to SPID2 with SMS, was insecure and counterproductive for security purposes, particularly because of the possibility of smartphone infection by advanced malware.

Digital Agenda, an online information daily, published an article in which, in essence, it was argued that if a device is infected, a Man-in-the-Browser or Man-in-the-Middle attack is under way, and no second factor makes any difference.

While it is certainly true that not having malware on your smartphone is a good and right thing, in the SPID context this is a simplistic, misleading and technically incorrect statement, because it does not address the crux of the problem.

In these hours, NIST (National Institute of Standards and Technology), the US body that takes care of technological standardisation and which is not exactly the latest arrival in the sector, has published the final draft of the document "Digital Authentication Guideline - Authentication and Lifecycle Management". Part B of the document (Cassandra apologises for the pedantry) hammers the final nails into the coffin of two-factor authentication with SMS (2FA-SMS). A concise summary of the issue can be found on Slashdot. But we quote directly the recommendation contained in this upcoming guideline: NIST recommends that applications use physical and cryptographic tokens. The document allows, almost "reluctantly", that for now they may also take the form of mobile phone apps, therefore devices that can be stolen or "temporarily borrowed".

NIST then highlights another weakness that has eroded the reliability of 2FA-SMS, that of VoIP services: "If the out of band verification is to be made using an SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service." It also adds that "Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance."

Basically, in addition to the problems related to advanced malware that can (and certainly will) infect a smartphone, making two-factor authentication via SMS insecure, NIST identifies two other attack vectors, VoIP networks and the procedure for changing the telephone number on which the SMS is received, which prevent 2FA-SMS from being used as a secure authentication method. Let's remember the basic definition of 2FA: "something you know, plus something you have". Smartphones and GSM networks are not under the control of the user but of third parties, legitimately or illegitimately, so they do not represent "something you have". And this is further confirmation that SPID2, built on SMS and not on hardware tokens, should not exist at all.

But in Italy it would take a catastrophe for the convenience of 2FA-SMS, chosen to facilitate the "take-off" of Renzi's SPID PIN, to be called into question.

This article was written on November 7, 2016 by Cassandra

Flashes of Cassandra/ SPID or not SPID?

“To be or not to be digital” is the big question that we Italians must answer. There is a risk of identity theft but until SPID is truly secure it is better to wait.

Today the Hamlet-like doubt contained in the title, particularly evident to readers who already know Cassandra's previous utterances on the subject, will be resolved rationally, without resorting to divination, have no doubt.

Summary of previous episodes: in Cassandra's opinion only level 2 SPID with an OTP token or level 3 SPID with a cryptographic token can be trusted.

Since to date no one provides them, we must not (at least for now) use or request SPID, because it is too insecure from an IT point of view: it represents a high risk (a large attack surface) to one's "digital identity" in the extended sense.

A very well-made video was recently published on Fatto Quotidiano online, which explains how to use illegal but simple, even banal, means to obtain the digital identity of another person. It's worth repeating: to obtain the digital identity of another person. The video in question, as well as being terrifying, is also funny, and Cassandra strongly recommends watching it before continuing.

Video summary: the journalist obtained a person's public personal data, crudely and quickly forged two identity documents, and used them to obtain a SPID, deceiving the SPID provider's operator who examines and authenticates them through the laptop's webcam. Well, let's overlook the fact that during the making of the video, as far as can be seen (Cassandra plays the prophetess and sometimes the engineer, not the lawyer), at least three far from minor crimes were committed. Leaving aside these "pinzillacchere" (trifles, quoting the great Totò), let's analyse directly the "procedure" followed.

What was violated is not the IT mechanism of SPID as such, but one of the various methods for obtaining it from a certified provider (currently there are 4), methods that are partly left to the discretion of the individual SPID provider.

The crux of the problem is that if falsifying identity documents that are to be "used" in the traditional way is very difficult, falsifying them for use in front of a webcam is ridiculously easy. It is no coincidence that, to facilitate the spread of SPID, the various issuing methods include not only the traditional visit to a specific office or the use of a digital signature (equivalent to the still non-existent SPID level 3), but also very simple and "friendly" (but certainly not secure) online modes such as the webcam. And it is not even a coincidence that the traditional, inconvenient operations are usually free while the online ones, simple and convenient, require a fee. Let's not forget that SPID providers are companies, and that like any company they must, after having been certified and while operating according to precise technical rules, generate a profit.

But this just repeats concepts that are already known, and that risk becoming boring. If you have considered adding SPID to the other digital identities that you probably already have (Health Card, Electronic Identity Card, National Services Card, Digital Signature) and you have not done so because you were negatively influenced by Cassandra, now you should ask yourself a question and find the relevant answer: "I wouldn't want to have a SPID, but given that others could obtain it fraudulently in my place, perhaps it is better for me to ask for it first and then maybe not use it; after all, it's also free." A very sensible question, especially since, having a SPID, you could at any time ask for the list of accesses made and find out whether someone is using it in your place.

To help find an answer, and also to realise how complex the problems to be faced are, Cassandra recommends reading the FAQ page on the Agency for Digital Italy website. Just consult it, and maybe even browse a little through the other SPID regulations, to give yourself the answer. The answer is "no".

SPID in fact belongs to that class of digital identities that can be multiple; in short, you (and others, fraudulently) can obtain more than one. You cannot obtain two electronic identity cards, just as you cannot ask for two health cards: you must report the loss, theft or destruction of the first and have a second one issued. However, it is possible, reasonable and in some cases necessary to have more than one digital signature, as has always been the case for handwritten signatures, for example the administrator of a company who signs in one way for company documents and in a different way for personal ones. And since having requested a SPID does not prevent others from requesting a second one, using imaginative methods like the one illustrated above, you can safely (well, not so safely) continue to do without it. You can therefore continue patiently to wait for a SPID level 2 with OTP token or a level 3, secure and issued with equally reliable methods, at least until having a SPID becomes mandatory.

Mandatory?!? Cassandra does not want to venture further prophecies of misfortune today, but only to point out that, at least according to the media, it is already so in particular cases, for example to obtain the "18-year-old bonus" of 500 euros, which can only be requested by first obtaining a SPID.

In short, the Hamlet-like doubt whether "To be or not to be digital" has an easy answer in this case.

This article was written on February 27, 2017 by Cassandra

Cassandra Crossing/ Let's defend SPID3

A secure Public Digital Identity System cannot do without user-controlled hardware tokens. But to make life easier for lazy users and for Identity Providers that want to remain anchored to insecure passwords, attempts are being made to water it down.

As the 24 readers will remember, having already endured 5 columns on this subject, according to Cassandra only SPID2 with a hardware token and SPID3 with a cryptographic token would have the right to exist. Why? Because the information society requires a culture and practice of security; and a national infrastructure connected to everyone's cybersecurity cannot have anything less than two-factor security (something you know, plus something you have). The regulation of SPID, similarly to the now well-tested one for the Digital Signature, provides that the operators who will implement it and provide the service are companies, qualified by AgID and operating under a free-market and competition regime. The balance between public interest and private interests, when it works, is a very good thing, but to be established and maintained it requires continuous attention and loving care.

In fact, one could think, Andreotti style, that the current absence of a SPID2 offer with physical OTP token, and of SPID3, is caused by the fact that creating them free of charge is not sustainable as a business. That's probably true. The result, however, is that the maximum security that can be obtained today with SPID is SPID2 with a software token.

Cassandra, NIST and many others (not in order of authority) have already shown that this solution is not sufficiently secure. A smartphone with an app is too complex an object to be secure. But will hardware-token enthusiasts be satisfied when SPID3 arrives? It's not certain, and explaining why will be a bit heavy going. The 24 readers have been warned...

In 2015 AgID created a working group to define a UNINFO standard for the security requirements that a SPID Identity Provider must meet in order to be accredited.

Currently the adequacy of the Identity Provider is in fact left to the discretion of AgID's evaluation and audits. The document that will define the standard, which was discussed during the XIX edition of e-privacy, is now being voted on in the technical body UNI/CT 510/GL 02 and is entitled "E14.J1.G62.0 Information security - Verification of IT authentication assurance levels - Assessment of compliance with assurance levels 2, 3 and 4 of the UNI CEI ISO/IEC 29115 standard".

SPID3 corresponds to assurance level 4 (LoA4) of ISO 29115, which requires (we repeat: "requires") the use of physical devices (we repeat: "physical") under the control of the user.

To create SPID3, the standard currently under evaluation does not allow the use of two solutions which would be particularly easy and economical (did someone say "attractive"?) for the Identity Provider to implement:

- the use of "entirely software" apps to be installed on the user's smartphone. Does this remind you of anything?
- the use of remote signature devices as SPID authentication tools. And here lies the catch!

A parenthesis: the remote digital signature is another example of dematerialisation of the token, conceived only for very particular needs such as the IT systems of public administrations, but today successfully sold to lazy private individuals, who are very happy not to have to carry the smartcard with them and to get by with a password. Half of the digital signatures active in Italy have unfortunately become of this type, because it is a "convenient" product for both private individuals and companies. Too bad they are less secure; and long live the culture and practice of security!

Let's go back to SPID3. In practice, with this solution the SPID3 requirements would apply to the remote device located at the Identity Provider, and the user's access to the authentication device could take place (guess how!) with a simple password. And it would not be "something you have" in any case. Oh mama!

As a result, some parties are, legitimately, pushing to make this part of the standard ineffective or to modify it. Am I among those who are voting on the new standard? Ask yourself the question and give yourself the answer.

We hope that in this case it will be possible to know who they are, even if the voting process (which ends these days) is not public. The fact that the issue is being voted on would make the attempts at modification traceable, but would not allow them to be prevented. On the other hand, the process foresees the possibility that AGID may ultimately not take it into account. Therefore, no prophecies today. Let's just hope for the best!

This article was written on December 22, 2020 by Cassandra

Cassandra Crossing/ Spid creepshow, the suspension

If we have to live with Spid, it is better to know its darkest stories.

Cassandra's diehard 24 readers know well that our prophetess, after having maintained a highly critical position on Spid for years, has reluctantly begun to recommend it, given its almost obligatory nature in relations with public administrations.

But recommending Spid also carries the responsibility of having to report the problems that its use often causes; so here is a new series of articles on the dark sides and surprises that owning a Spid can cause. The first article in the series is a very recent real-life story. But let's go in order.

Spid is a centralised authentication system; for this reason its availability becomes a doubly critical resource. It is critical for the nation, because a Spid debacle impacts all public administration services at the same time; this was demonstrated by the recent collapse of part of the national Spid infrastructure during the cashback "click-day", as well as by the previous collapse due to the Mobility Bonus.

It is critical for those who own it; Spid, when it becomes indispensable, becomes critical not only for the nation but also for the individual user. Yes, because the various PINs and passwords for accessing sites, particularly those of public administrations, are no longer used, and therefore "expire" or are simply lost and forgotten. And the SPID becomes, as it must, the only key to access the realm of public services.

And suddenly... suddenly Cassandra, on a quiet Sunday, tries to authenticate to the INPS website with her Spid2 and receives a cryptic error. Thinking that the password may have expired (but shouldn't a warning email arrive first?), or that in any case something strange has happened, she boldly extracts the digital signature smartcard and repeats the procedure using her Spid3, which does not require any password. Oops... an even more cryptic error from the INPS website, which reports a non-existent timeout; authentication denied again.

Ah, says Cassandra, let's try a different site. Repeating the operations on the Revenue Agency website (more stable and "square" than that of INPS), first with Spid3 and then with Spid2, you get two more failed-authentication error messages. Did some Russian compromise Cassandra's credentials?

Well, it's difficult to subvert the Spid3, however we go to the credentials management panel and... surprise, the Spid credentials are accepted, but we are directed to the forced password change mask, because the password seems to have expired. The password should not have expired, because it lasts 6 months, and because the expiry is announced by an email 30 days before, but a change of password is not denied to anyone so we change it, click on send and... “Operation not allowed for password in suspended state”.

The message actually says "suspended" not expired. Passwords “expire”, only credentials are “suspended”. What if it was Cassandra's Spid that was suspended? Why the possibility of "suspending" Spid exists and what this is for will perhaps be the subject of another article.

So Spid was suspended, but by whom and why? Could someone have managed to disable my Spid3 credential and then enter the Spid management panel by guessing or stealing the password? But he should still use the Spid2… The worst thoughts cross Cassandra's mind.

After a series of fruitless trips around the website of the manager of Cassandra's Spid (let's pretend it is the Aruba.it website), arriving at pages of information as generic as they are useless, Cassandra finally reaches a page of explanations, only apparently generic but in reality very detailed, which announces:

Digital Identity suspended: procedure for reactivation
Following the monitoring activities carried out as Digital Identity Manager (art. 11 of the Prime Ministerial Decree of 24 October 2014), we have temporarily suspended the digital identity registered to you.
The suspension, carried out as a precaution, proved necessary because the telephone number or email address associated with your identity is shared with other digital identities.
We remind you that the email address and mobile number represent a confidential contact channel and important authentication factors that must be traceable to a single person.
To reactivate your digital identity and continue using it as usual, you must perform the operations described below within 30 days of attempting to use your Spid credentials following suspension.
We inform you that after 30 days without the changes indicated above having been made, your digital identity will be revoked.

Very true: Cassandra's mobile number and email, checked and certified, appear in several credentials since they were issued, never modified, perfectly regular. Suspend the identity for this, without even noticing that the telephone number and email address have been associated with those credentials since their issuance?

If something seems suspicious it may be reasonable to suspend the credential while contacting the interested party immediately, as even credit card issuers do; but suspending the identity without communicating it, and moreover permanently revoking it after 30 days, is... never mind what Fantozzi would say, let's just say it's absurd! An insult, and serious potential damage, to the customer.
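The provider's rule, as quoted above, fires on any contact channel shared between identities. As an added example (not Aruba's or AgID's monitoring logic, which is not public), here is how such a check could be scoped so that several identities belonging to the same person, which is exactly the situation described above, are not reported: channels are normalised before comparison, and a collision counts only when the identities sharing it were issued to different persons. The identity records, the "PERSON-x" labels standing in for a fiscal code, and the numbers and addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    identity_id: str
    fiscal_code: str    # identifies the natural person the identity was issued to
    phone: str
    email: str


def normalize_phone(phone: str, default_country: str = "+39") -> str:
    """Strip spaces/dashes and force an international prefix, so that
    '+39 333 1234567', '0039333 1234567' and '3331234567' compare equal."""
    digits = re.sub(r"[^\d+]", "", phone)
    if digits.startswith("00"):
        digits = "+" + digits[2:]
    if not digits.startswith("+"):
        digits = default_country + digits
    return digits


def normalize_email(email: str) -> str:
    return email.strip().lower()


def find_cross_person_collisions(identities):
    """Return {identity_id: sorted reasons} for identities whose phone or
    email is also registered on an identity issued to a *different* person.
    Identities of the same person sharing a channel are deliberately ignored:
    that is a legitimate configuration, not an indicator of fraud."""
    by_phone = defaultdict(list)
    by_email = defaultdict(list)
    for ident in identities:
        by_phone[normalize_phone(ident.phone)].append(ident)
        by_email[normalize_email(ident.email)].append(ident)

    flagged = defaultdict(set)
    for channel, index in (("phone", by_phone), ("email", by_email)):
        for group in index.values():
            persons = {i.fiscal_code for i in group}
            if len(persons) < 2:
                continue        # one person, however many identities: nothing to report
            for ident in group:
                others = persons - {ident.fiscal_code}
                flagged[ident.identity_id].add(
                    f"{channel} shared with {len(others)} other person(s)")
    return {k: sorted(v) for k, v in flagged.items()}


# Constructed sample records (hypothetical people, numbers and addresses).
SAMPLE_IDENTITIES = [
    Identity("A1", "PERSON-A", "+39 333 1234567", "cassandra@example.org"),
    Identity("A2", "PERSON-A", "3331234567", "Cassandra@example.org"),     # same person, same channels
    Identity("B1", "PERSON-B", "333 1234567", "someone.else@example.org"),  # another person, same phone
    Identity("C1", "PERSON-C", "+39 345 0000000", "cassandra@example.org"), # another person, same email
    Identity("D1", "PERSON-D", "+39 320 1111111", "d@example.org"),         # no overlap
]


if __name__ == "__main__":
    for identity_id, reasons in find_cross_person_collisions(SAMPLE_IDENTITIES).items():
        print(identity_id, reasons)
```

Whatever the rule, the action it triggers should be a notification to the holder through a channel that does not itself depend on the suspended credential, before, not after, the identity becomes unusable.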

And now how to get out of it? The password cannot be changed because the Spid credential is suspended, without the password the telephone number and email address cannot be confirmed, and if you do not confirm them the identity cannot be reactivated. There is no solution, it's a nightmare.

However, two extreme but practicable possibilities remain. The first one may seem strange, but it is reasonable, free and quite fast; get another Spid and get around the problem. Didn't you know you could have more than one Spid? The second is long and a harbinger of unexpected events; open a support ticket, without being able to enter the user area, but having to use the "generic" portal. A perilous journey but one that could quickly solve the problem. Well, given the situation, it's better to do both things at the same time: let's see which one finishes first.

After half an hour of browsing a customer care portal in which the pages time out two times out of three, I finally manage to post a ticket, and immediately proceed to request another Spid, this time not from Aruba but from Poste Italiane. Using my digital signature as the identification method, and this time with a bit of luck, I manage to request the Spid, identifying myself through the digital signature on the contract, downloaded in PDF format and uploaded as a signed PDF. I go to see whether the new Poste Spid has been issued and, to my surprise, I find a message from Aruba saying that the problem has been resolved. Ah… but what should I do?

I try to go back to the customer support portal, and after a quarter of an hour of trying I find the response from the consultant, who says he has sent me a temporary password. I go back to my email. No password. However, the emails from Poste Italiane are starting to arrive, marking the various phases of the issuance process for the new Spid. Having chosen online identification, everything is much easier, and it also works on Sundays.

I return to the Aruba customer care portal, and with a further quarter of an hour of effort I manage to open a second ticket for the missing password. While I'm at it, I don't confirm the closure of the first ticket, and I also report the failure to receive the password as a comment on the first ticket. I go back to my inbox and find the email confirming the creation of the Poste Italiane Spid, with instructions on how to proceed with the first authentication. After a while the temporary Aruba password also arrives, followed closely by the second announcement that the problem has been resolved.

Let's try. I manage to change the password and enter the Spid management panel, where I discover that in the meantime (but why?) the suspension of the Spid has already been cancelled. Did someone notice the horrible loop they had created, which was swallowing up their customers? I check the Aruba Spid credentials, both of which now work, and move on to creating and testing the new Poste Italiane Spid. It should be very fast, but instead it takes quite a while; the procedures are different and you need to familiarize yourself with them, but after another hour I reach the end; we'll talk about it again in another episode of our column. This prank cost half a day of trouble and work.

What can we say, other than reporting the situation to Aruba with this article, which will certainly be able to recognize which of its customers is hiding under Cassandra's identity? That Spid is still unmanageable for users who are not long-time surfers, savvy and hardened by daily use of the Internet and of help desks? That Spid is no place for old pensioners? Too obvious.

Instead, we underline that Cassandra, like any other Spid user, should have foreseen the possibility of unforeseen events; after all, the quality and reliability of IT services in Italy have never been particularly good. Therefore having a second Spid with a different supplier becomes necessary. Why? So as not to depend on a single credential that can suddenly fall "victim" to user errors (not the case here) or supplier problems (precisely the case here).

The same goes for another IT resource that can become indispensable and critical: the digital signature. What happens if your signature device breaks down, or you realize you have lost it, just as you are about to apply an urgent signature? Potentially a tragedy. Maybe you inadvertently miss a deadline to file an appraisal or respond to a tender. By having a second digital signature, just like a second Spid, you can use the "spare" one and then, calmly, restore the one that failed.

So, do it! Get yourself (horror!) not just one Spid but two. And also get two digital signature devices, not one. Furthermore, Spid2 is still free until the end of 2020, and with certain suppliers so is Spid3. So not one Spid, but two, is the solution in this country, where IT is so often made up of poorly implemented services and well-intentioned traps.

Then don't say that Cassandra didn't warn you.

Marco Calamari
