[jve]

It's a solved problem in a minor baltic state.

We have id card, which contains client authentication certificates. The procedure on acquiring ID card is the same as passport and carries the same legal power. You have to show up in real life and they take your fingerprints, photo and issue you ID card. ID cards will actually be mandatory for everyone beginning 2023-01-01 - up until now they are optional but very much favored around my circle. There is a fair amount of stuff you can only do with ID card (remotely):

- Set up smart-id for 2FA for banking app in your smartphone. No, I don't have option not to use 2FA.

- Official communication with .gov entities.

- Signature & timestamp service

- Remote notary services (requires video presence and showing ID card additionally to actually using it to put digital signature)

- Logging in various sites (banking, government entities)

- Recovering from lost second factor at national TLD DNS registry.

This is the ultimate authentication mechanism that services use to allow you to perform so much.

To authenticate & put down signature, you must use dedicated PIN code for each of those operations. And of course you must possess the card (use card reader).

[specialist]

This is The Correct Answer™.

CA issued GUIDs unlocks the Translucent Database technology, enabling all PII to be encrypted AT REST at the field level.

Translucent Databases 2/e: Confusion, Misdirection, Randomness, Sharing, Authentication And Steganography To Defend Privacy Paperback [2009]

https://www.amazon.com/Translucent-Databases-2Nd-Authenticat...

PS- Just spotted ftrotter's question for the first time. I also worked in healthcare IT and prototyped a PII protecting schema. Alas, my POC also flew like a lead zepplin. No password recovery. This strategy requires GUIDs, aka RealID in the USA.

https://stackoverflow.com/questions/2109451/translucent-data...

"I am building an application with health information inside. This application will be consumer-facing with is new for me. I would like a method to put privacy concerns completely at ease. As I review methods for securing sensitive data in publicly accessible databases I have frequently come across the notion of database translucency. ..."

I could have written that. Oh well. Someone in much the same situation, having the same questions, and then reaching about the same answer is somewhat validating.

10+ years later, I'm sure there's now dozens of us advocating Translucent Databases techniques.

[MayeulC]

I long wondered about this... How does card reading work?

Are regular smartcard readers compatible? Does the card have NFC for phones? Can you use them under Linux/mac? Do regular browsers work with it? (FIDO/webauthn).

Or is the card reader a standalone device, like my bank uses, where you key in your PIN, and it gives you a one-time code, or a response to a challenge?

[jve]

It's a smartcard. I have DELL Business class laptop with built-in smartcard reader. Otherwise you can get a compact device that reads smartcard chip. Some keyboards have card readers. https://m79.lv/arejiedatuneseji/atminaskarsulasitaji/id-smar...

No NFC. Don't think smartcards has anything to do with FIDO.

As for phones, there is an application that has to be setup using computer/smarcard reader and from then on, I can use app to authenticate & sign.