The future of the BSN and Dutch identification

The future of the BSN and Dutch identification
Ruben
Ruben

You might have seen the logo above on your identity card or passport. If you have it on there, then your card contains a NFC chip that allows it to be read by a computer. This way airport customs is supposed to more securely determine if your passport is really yours. But of course we could also try to read it ourselves with our own NFC reader.

This is exactly what we did for IRMA, an identity wallet that allows you to store personal information on your personal phone and then selectively share some information with other parties. In the past few months we've been working on an open source project 1 for the city of Amsterdam that allows a user to read the details of their passport, identity card and driving license and store them in their IRMA wallet.

Reading a passport with the IRMA prototype

Reading a passport with the IRMA prototype

The difference between passports and driving licenses

Passports and identity cards which have the logo shown above use ICAO 9303 for machine readable travel documents. Driving licenses however aren't travel documents, so we can't use that standard for reading their NFC chip. For our Dutch driving license however the European Union does have us covered with EU regulation 383/2012. That regulation loosely bases its implementation on ISO/IEC 18013-1, which in turn uses many implementation details of ICAO 9303. Unfortunately we could not find any actual implementation of EU regulation 383/2012 nor any up to date implementation of ISO 18013, so we created our own implementation based on JMRTD, which implements ICAO 9303 for passports and identity cards.

Driving license: where is the BSN?

Something else catched our attention while we were implementing our reader software for driving licenses: our Dutch driving licenses were missing the administrative number (BSN or burgerservicenummer in Dutch). While this did not stop our implemention it made us wonder what the reasoning for this omission was.

The Dutch government decided to remove the BSN from all chips and MRZs (machine readable zones) in the future. This policy has already been implemented for their driving licenses. The reasoning behind this change is that it would be too easy to read the BSN unnoticed. Having your BSN 'stolen' can actually cause some real world problems and this is all to do with what purposes the BSN serves.

The BSN was never a true secret

The BSN is a dual purpose number. On the one hand it serves as an identification number, it uniquely identifies who you are. There might be multiple people named Jan Jansen, they might even be born on the same day, but in the end they will always have a unique BSN. Unfortunately that is not the only purpose of the BSN, because it also serves as an authentication mechanism. Dutch governmental organisations (and some institutions such as banks) assume that only the person who is assigned a specific number will know that number and that being able to provide it is proof that you really are who you say you are. That all only works if the BSN is as secret as possible.

The reality is of course more harsh. The BSN is printed on id cards, passports and driving licenses, and was previously also included in the MRZ and chip data. Once shared with some organisation the BSN is also often stored in their databases, which will only increase the number of places where it could be read.

Example of BSN on Dutch identity cards

Example of BSN on Dutch identity cards

Removing the BSN from the MRZ and chip data will decrease the number of places where it can be read, and will also prevent some forms of automated reading of the number. But given that the number is still printed on the back of the card, it could still be read by a hidden OCR camera just as easily.

Safe chip access to the BSN

A better way to still include the BSN and thus not limit functionality is to prevent access to the card by using the EAC (Extended Access Control) feature that is already in the ICAO 9303 standard. This feature allows the chip and the terminal to authenticate to each other and allows only authorized terminals to read certain information from the chip. This way we could only allow BSN access to legitimate users of the information such as the IRMA project.

Conclusion

We think it is a good idea to allow privacy-friendly identity platforms like IRMA to provide full authentication and attribute-sharing features. We suggest to reconsider the decision to completely remove the BSN from chips on identity cards, as it is - at best - only a half measure. Of course even better would be to remove the need to use the BSN number as an authentication method, but that discussion will be for another time.

Notes

[1] The project will be open sourced by the city of Amsterdam in the near future


Ruben

Software Engineer

ruben@tweedegolf.com


Stay up-to-date with our work and blog posts? Follow us on Github, Twitter or LinkedIn.


Next article

Learning Rust, Svelte, and IRMA building a chat application with strong authentication