How to future proof a national eID scheme where 13 registered commercial IdPs, 1 government IdP and several brokers operate?
If you haven't gone through ISO 27K audits and you don't have the certificate, that alone costs a minimum of tens of thousands of euros, and it's a lengthy process; it has other benefits as well. And we created, let's say, audit criteria that partially include ISO 27K, but it wasn't enough. So we had to augment that one a little bit, add some things so that when you actually audit an identification system, you go through the ISO 27K parts, but also loads of other parts like technical inspections and these kinds of things.
And also when you are deploying an authentication method or identification method, or "means" in the lingo, means that you have a smartphone-based app or you have something else, you also include that into the audit.
And this, like I said, happens every two years. And in the beginning it was a bit cumbersome, but we are getting our act together, hopefully, and it's gonna be improving in the future. And for the service providers, it was also good because now we have competition in the field. All of the identity providers in Finland, more or less, are private sector companies, banks and mobile network operators. The government has the ID card, but for the citizens, we don't see that much use. It is widely used in the healthcare sector and in organizational use in the government sector.
But as for the citizens, the eID is not that popular. It's a good travel document. I have one, but I have never used that for authentication.
And yeah, regulation changed quite a few things in the marketplace, let's say. And it also had an impact on the protocol used. Like I said, the banks made a homegrown protocol, but it was not secure enough.
So we implemented a local national regulation at the level where we actually dictated quite a few technical aspects of the system. And one of these things, for example, was what kind of crypto suites or ciphers you have to use. And the homegrown protocol from the late nineties, early two thousands, though updated along the years, was a bit too difficult to modernize. So the actors needed to search for something else. And we didn't mandate a particular protocol.
And it led to a situation where actually the homegrown protocol was replaced predominantly by OpenID Connect; by the year 2016 it was mature enough. However, there were some issues with the security of OpenID Connect at that time. So we had to create a specification or recommendation, let's say, on this OpenID Connect profile for the participants of the Finnish Trust Network. And it was taking the OpenID Connect Core and tightening the security in some places.
Now we have FAPI and FAPI 2 in OpenID Connect, and they do kind of similar things, but in our scenario, FAPI was investigated just recently. We are renewing the regulation, but it was seen as unfit for our purposes. And the mobile authentication mostly changed to OpenID Connect. So online service providers will connect to mobile PKI services through OpenID Connect, but they do have a roaming protocol inside the mobile network operator that is still using the legacy protocol, but it's not visible to the service providers. And the government services, they started with SAML.
And they are still sticking with SAML, but they are also, I think, in the midst of starting to provide OpenID Connect based interfaces as well. That's due to the fact that for an application to go to the cloud, it wasn't, or isn't, really straightforward to implement a SAML stack, for example, on Azure. So OpenID Connect is something that the developers of the applications are asking for. So OpenID Connect for the service providers, that is something that, well, specifically for the private sector, all the connections are OpenID Connect. So it's developer friendly.
And also, let's say, mobile app friendly, much more so than SAML or the mobile PKI legacy protocol, which is standard, but it's from 1999. So it's kind of old. At the same time, PSD2 happens. And for us users of these online services, it meant that previously we had one-time password lists. So we had a scheme where the strong authentication was based on a knowledge-based factor and a possession-based factor, which was the one-time password list. And those lists were mailed out by the banks to the customers when we were running out of the OTPs.
And of course we had the smart card based solution, but PSD2 brought in something that kind of like made the OTP list difficult to use. So in 2016, 2017, we saw a lot of mobile apps emerging from the banks and also alternatives to the one-time password list, meaning OTP tokens that generate the OTPs and calculate these types of things. And I don't know what's coming; it's a field that is innovating constantly. But right now I'd say the majority of the users are using either the one-time password list, augmented with the SMS one-time password, or the mobile app.
And of course there's the mobile PKI. So for resilience purposes, I have my banking ID, but also the mobile PKI ID. So if one of them is available, I can still use the other one. So for the users, the choices became much more, let's say, varied, and the mobile app is actually pretty convenient. For the lessons we came together: we didn't mandate any protocols or anything. The stakeholders chose OpenID Connect, and it's proven to be a very, very good choice. It's an important protocol. It's developer friendly, it's moving forward.
They are specifying more and more use cases, federation, and these kinds of things. I recommend you take a look at the material that is available from yesterday, from the OpenID Connect workshop. And also for the end user, it became a little bit more user friendly with more alternatives as for the actual authentication means, what you have in your hand, what you use. And it's also open, and eIDAS 2 that is coming up. I was kind of hoping to discuss that, but it's still early days to draw any conclusions.
But the situation that we have in Finland is kind of similar to what eIDAS 2 is proposing, where eID providers are certified at some level and they get a status that may be similar to the trust service providers that we have right now within the eIDAS regulation. We also require these kinds of two-year audit cycles and registration and these kinds of things. And that's kind of like the situation where we stand right now. We are renewing the regulation due to the fact that we are playing catch-up with the bad guys. So the bad guys are doing something all the time. They are innovating.
There are a couple of major cases where the bad guys have been able to take advantage of this situation. It's not just the Finnish market, but it's a global problem. And due to the fact that we have the capability, and let's say we can do things through the regulation, we are now taking up a couple of cases where we hope that we can curb some of the things that are happening in the market, the bad things, without sacrificing user convenience too much. But lessons: regulation is not evil. The legacy system was stagnant.
There was no competition. Due to the regulation, we see now that there's a competitive market out there. We see new players entering, and the online service providers are reaping the benefits of lower prices, easier integration. And hopefully, when we do our market survey, we can see growing numbers of authentication transactions and online services that are using this scheme. We did this in cooperation with the stakeholders. So there's a lot of things, and quite a few meetings with the stakeholders that we held.
So we didn't want to mandate too much, but if it comes to security versus their business interests, we go with security because we want to provide a secure environment to the citizens, keep technology out of it if possible. Well, this is what eIDAS says, but it goes maybe a little bit too far. So there's a lot of room for interpretation. There are implementing acts that would help, but not on the eID side yet. One thing that we created, and you can see that from the criteria and Excel template, is a common way to measure and audit these things; this had to be done.
And one thing that was seen is that supervision actually improves things. So we saw the audit reports and results, and we saw that there was a ton of things to correct, and they are being corrected all the time. And one thing that I want you to take away from this presentation: if you buy a mobile authentication solution, are you really sure that it's secure? In 2016, they were not.
And our, let's say, work for the audits and assessments does improve things globally, because these vendors, mobile authentication app vendors, are global vendors. And last but not least, TLS 1.1 is not secure, but a lot of people still want to use that. Even TLS 1.0. Our mandatory requirement is 1.2. That's it for me. Please do contact me through LinkedIn if you want to, or send me an email and I'll let you know more about this system that we have implemented. Great. Thank you very much.