Where Man Wins over ... smartphones and PA
Jan 2026
Perhaps the topic of this page will not be easily understood outside of Italy.
Anyhow, the Italian Public Administrations (PAs) have somewhat recently decided that web
access to their services should occur via a unified authorization method
instead of having a separate username and password for each administration.
This per se would not be a bad idea.
The first method was called SPID.
For unclear reasons SPID was not managed by a central authority like a Ministry,
but delegated to a multiplicity of private providers (or private-right ones, a
chief one was the Post).
This was not so bad at the beginning (maybe the initial identification procedure was
a bit heavy), since most PAs required Level 1 access (i.e. username and password).
Then, out of security paranoia, most PAs moved to Level 2 access (i.e. 2FA).
The implementation is a bit clumsy. It requires at least a cell phone (even
a dumb one, as I have), but they are pushing to encourage smartphone apps (bad!).
The typical access occurs as follows:
- one selects SPID access in the PA site
- one selects the provider (e.g. PosteID)
- one enters username and password
- (the password has to be changed every 6 months and be uselessly complicated)
- then one gets a screenful with a QR code and other things, among which, quite
hidden at the bottom, is "proceed with SMS"
- a second screenful tries to convince you to use the app, but if one insists
on the right link, one can get an SMS OTP
- one then types in the OTP and proceeds
- another PosteID screenful informs you they are transmitting such and such info
to the given PA and you have to give consent
- finally you are in
- you are likely to receive one or two e-mails logging what you did
Apart from the clumsiness, the main drawback is that you are allowed only a
limited number of SMS each term.
I found this limitation (and the smartphone encouragement behind it) irritating.
It is very recent news that most SPID providers (including the Post) will apply
a small yearly fee starting next year. This is likely to move some people away from SPID.
Another means of identification is the CNS.
The acronym means "Carta Nazionale dei Servizi" (national service card),
but is commonly known as tessera sanitaria (health card), or codice fiscale
(fiscal code). The card is jointly issued by the Ministries of Finance and Health.
It is used for access to (regionalized) health services, and testifies your fiscal
code (a SSSNNNYYMDDCnnnc code necessary to identify you with the tax offices, made up
of three letters SSS from your surname, three NNN from your name, your YY year of
birth, one letter M related to your month of birth and your sex, your DD day of
birth, the Cnnn cadastral code of your birthplace [there are cadastral codes even
for suppressed municipalities, since 1861] and finally a checksum c which is also
used to make the code unique in case of homonymies).
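The layout described above can be checked mechanically, which is useful wherever a form takes the fiscal code as an identifier. The following Python sketch is an added example, not part of the original page: it checks the SSSNNNYYMDDCnnnc layout and recomputes the final check character c. The function names are illustrative and the sample value in the comments is a constructed placeholder, not a real person's code.

```python
import re
import string

# Digit positions also accept LMNPQRSTUV, the letters that stand in for 0-9
# in codes reissued to avoid a collision between two people.
_D = "[0-9LMNPQRSTUV]"
# SSS NNN | YY | M (month letter) | DD | Cnnn | c
_LAYOUT = re.compile(
    rf"[A-Z]{{6}}{_D}{{2}}[ABCDEHLMPRST]{_D}{{2}}[A-Z]{_D}{{3}}[A-Z]"
)

# Values for characters in odd positions (1st, 3rd, ...), indexed A..Z.
# A digit d is looked up like the d-th letter (0 -> A, 1 -> B, ...).
_ODD = [1, 0, 5, 7, 9, 13, 15, 17, 19, 21, 2, 4, 18,
        20, 11, 3, 6, 8, 12, 14, 16, 10, 22, 25, 24, 23]


def _index(ch):
    """Map '0'..'9' and 'A'..'Z' onto 0..25."""
    return int(ch) if ch.isdigit() else ord(ch) - ord("A")


def check_char(first15):
    """Recompute the 16th character from the first 15."""
    total = 0
    for pos, ch in enumerate(first15, start=1):
        i = _index(ch)
        # Odd positions use the scrambled table, even positions the plain index.
        total += _ODD[i] if pos % 2 else i
    return string.ascii_uppercase[total % 26]


def validate(code):
    """Return (ok, reason) for a candidate fiscal code."""
    code = code.strip().upper()
    if not _LAYOUT.fullmatch(code):
        return False, "layout"
    if check_char(code[:15]) != code[15]:
        return False, "checksum"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample value (placeholder surname, name and birth data).
    print(validate("RSSMRA80A01H501U"))
    # Same sample with two adjacent digits swapped: caught by the check character.
    print(validate("RSSMRA80A10H501U"))
```

The check character only catches typing errors; it says nothing about whether the code has actually been issued to anyone.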
Actually one could get a username and password associated with the card, and this
originally could be used for level 1 access to regional health services.
Then they moved to 2FA with SMS OTP.
Then the Regional authorities decided to move to SPID ...
... unless ...
Unless you bought a smart card reader and inserted your card in it. This works
effectively as 2FA.
The readers were in use even before (typically by doctors or pharmacists), but
originally I did not get one, as support for non-Microsoft systems was poor.
As soon as SPID (with limited SMS support) became nearly compulsory, I got a
card reader (in the meantime they got Linux support). The procedure to use it
is relatively simple.
- the reader is connected via USB to the computer
- in the security device area of your browser you have to create a "module"
associating it to a shared library. Then the browser autodetects the device.
- The choice of the ministries (and/or the Regions ?) is to support a
multiplicity of CNS models, and each model requires a different library
- you insert the card in the reader
- from the browser you log in using a six-digit PIN
- on the PA site you select "access via CNS"
- then click "proceed"
- a popup shows the certificate stored on the card, and requests OK
- you are in !
- no annoying confirmations, no useless log messages
A nice way to do 2FA via a physical card, requiring neither a smartphone
nor a dumb phone.
So this seems almost perfect except ...
except that some PAs do not accept CNS. Actually of the ones I use often,
the Regional health services, the tax office (AdE), and the social security (INPS)
do work with the CNS. Only the Comune of Milan (municipal authority) does not
recognise CNS, but only SPID or CIE.
For me this was not critical, as I needed access to Comune only 2-3 times in a year,
and could well "spend" the precious SPID SMS OTPs.
What is a CIE ?
CIE stands for Carta d'Identita' Elettronica (electronic identity card).
Identity cards (which bear a photograph) have always been the primary identification
document in this country, and are also valid to travel abroad in the EU and other
countries.
They were originally issued as paper documents on special watermarked paper, and
were valid for 5 years. Then they were extended to 10 years with a stamp on the
back.
In 2011 I had to make a trek across the Swiss border and was concerned about customs
officers not recognizing the stamp, so I tried to renew my card. The clerk made
objections on the photograph I brought (reflections on the lenses of my glasses).
I was quite upset, and I mailed the Swiss consulate ... which in less than 3 hours
sent me an official federal circular (in Italian, which is one of the Swiss national
languages) saying they accepted the stamp on the back. What they did not accept
was the extension stamp on a separate ticket accompanying the few newer identity
cards issued as plastic cards (CIE 1.0).
When my card expired 5 years later, I decided I wanted a CIE. At the time one could get a CIE
only at one office in Milan, booking an appointment months in advance. They took
the picture themselves, so, when they suggested that I take a picture without glasses
(which I do not like, I have worn glasses since I was 9 and they are part of my face),
I put on a pair of glasses with a mount without lenses.
While the paper identity cards were issued (printed) by the Comune, the CIE are at
least nominally issued by the Ministry of Interior.
However when later I tried to insert my new CIE in the reader, it was not recognized.
The ministerial help desk said it was a CIE 2.0, and their software supports only
CIE 3.0. So I had to wait until the expiry.
Last year, as soon as I was close to the expiry date, I booked an appointment (now
you can go to the zonal office, take the picture, store the fingerprints,
pay and then get the CIE via the Post in a few days).
I was lucky to apply soon, since in the next months there will be long queues,
because all paper cards are being withdrawn in August in advance of their expiry.
So now my problem was to get a Linux-compatible CIE reader.
The old one (with a slot) does not work with CIE 3.0, which requires an NFC reader.
- The Ministry does not maintain an official list of readers per OS
- The Ministry tries to encourage use of smartphones instead of readers
- I went to a shop and they sold me a reader of the brand they commonly sell
(Trust CETO) which proved not Linux-compatible. So I gave it back.
- I bought via Amazon a Bit4Id reader (Linux-compatible per word-of-the-net),
apparently not sold in shops by major consumer electronics chains.
- I plugged it in
- I downloaded the ministerial middleware (a .deb which I unpacked)
this includes a shared library, a jar file, and a desktop file
- The first operation to do is a mysterious "coupling" of the CIE.
I am not sure what it does exactly, but anyhow you enter the full 8-digit PIN
and it stores something somewhere so you can use only the last 4 digits later.
- By the way, as a demonstration of ministerial paranoias, they give 4 digits
of the PIN and PUK numbers when you pay for the CIE, and send the other 4
in the post with the CIE
- Anyhow, the "coupling" is managed by execution of the Java jar file
- Once the coupling is made, one has to attach the CIE reader to the browser,
similarly to the way done for CNS. One has to "load" a new module with the
CIE specific library
- For unknown reasons the browser detects both readers and attaches them to all
modules. After which the old (Alcor) device no longer works with the CNS,
while the new NFC reader works also with the CNS, provided one calls it from
the appropriate module with the CNS specific library
So the best thing is to get rid of the old reader, and use the NFC one with
both CIE and CNS, calling the appropriate "module"
- As a further ministerial paranoia, on your first access to a PA site, some
one-time steps are interleaved which require you to validate your phone
number (you receive an SMS OTP), your e-mail address (you receive a mail OTP), etc.
- After that the procedure with the CIE is
  - you put the card on the reader
  - from the browser you log in using a four-digit PIN (the last four of 8)
  - on the PA site you select "access via CIE"
  - you are shown a screenful which offers username/password login, QR code,
    use of smartphone app, and (last but not least) use of a reader (bottom right)
  - then choose "continue with a computer"
  - a popup shows the certificate stored on the card, and requests OK
  - you are shown a SPID-like paranoid screenful informing you that they are
    transmitting such and such info to the given PA and you have to give consent
  - finally you are in !
- You would also receive some e-mail log messages (more paranoia, possibly because
it is considered level 3)
- Anyhow it works, though with some more nuisance compared with the CNS, and you do not
need any smartphone or phone
- It is not clear to me whether the "coupling" limits your access to your computer
IP (likely not, as it works all the times, and my IP is CGNAT), or whether
it limits your access to your computer tout court (likely yes).
I do not know if one can "couple" more than one computer.
- Anyhow there is another (backup) access mode for sites requiring just
level 1-2 access, which is to define a username and password, and possibly
(level 2) an SMS OTP on a dumb phone
- this has to be activated once (e.g. from the initial login screenful, the
one with QR code and all the rest)
- the procedure is long and paranoid, for me it failed repeatedly with a timeout
on the last step (the one where you choose SMS instead of app), it requires
validation, reading all the GDPR blurb to the end, and creating a complex password
(the username is fixed, and is either your fiscal code, your CIE serial number
or your e-mail)
At the end I succeeded (not sure whether the failures were due to my adblocker
hiding the cookie acceptance popup - I disabled the adblocker - or to a wrong
password (I used two consecutive identical digits, assuming that only
consecutive alphabetic characters were forbidden, and in fact I got no error
- but finally I changed them))
- So now I have two ways to use the CIE (with card reader, and with SMS OTP)
and one further way using the CNS ...
... all without smartphone as I want !
sax.iasf-milano.inaf.it/~lucio/WWW/WhereManWins/cie.html
:: original creation 2026 Jan 06 22:00:00 CET ::
last edit 2026 Jan 07 13:33:08 CET