Smart-ID

Smart-ID is an electronic authentication tool developed by SK ID Solutions, an Estonian company. Users can log in to various electronic services and sign documents with an electronic signature. [1]

Smart-ID meets the European Union's eIDAS Regulation and the European Central Bank's standards for a secure authentication solution. [2] Smart-ID is a Qualified Signature Creation Device (QSCD) that can issue a Qualified Electronic Signature (QES). [2] The Smart-ID app is compatible with both iOS and Android devices and does not require a SIM card. [3] By 2021, the Smart-ID application had also been launched in the Huawei AppGallery. [3] As of May 2023, Smart-ID had 3,298,969 active users across the Baltic States (Estonia, Latvia, and Lithuania). [4] Every month, Smart-ID processes 79 million transactions. [5] In March 2023, Smart-ID users made a record 85 million transactions. [6]

History

In November 2016, SK ID Solutions debuted the Smart-ID tool for the first time at its annual conference. In February 2017, eKool, Starman, and Tallinn Kaubamaja Grupp were the first to implement Smart-ID authentication in their e-services. [7] In March 2017, Smart-ID was added as an authentication option to SEB bank and Swedbank's online banking in all three Baltic States. [8]

Dokobit, previously known as DigiDoc, began offering its clients the option to access e-services with Smart-ID in April 2017. [9] By November 2019, more than 100 service providers had implemented Smart-ID as an authentication solution for their services.

At its annual conference on November 8, 2018, SK ID Solutions announced that, following a rigorous certification process, Smart-ID had been certified at the QSCD level, [8] the highest level of qualified electronic signature in the European Union. [10] As a result, the QES-level Smart-ID electronic signature, the digital counterpart of a handwritten signature, became available to all users registered with the tool. This signature is accepted in all European Union member states. [11]

On August 26, 2019, experts from the Estonian Information System Authority (RIA) reviewed Smart-ID. Applying the assessment methods set out in the eIDAS Regulation, the expert committee concluded that Smart-ID provides a high level of assurance for electronic identification. In September 2019, SK ID Solutions and RIA signed an agreement that allows Smart-ID to be used for authentication to Estonian state e-services through RIA's central authentication service, which is used by over 60 public authorities. [12] [13] Smart-ID accounts created three years earlier expired in January 2020, so their holders had to renew them and perform the mandatory updates. [14] [15] [16]

In February 2020, SK ID Solutions announced that Smart-ID could be used to give digital signatures in the national digital signature software DigiDoc4, which until then had been possible only with an ID card or Mobile-ID. Users must have DigiDoc4 version 4.2.4.71 or later installed on their computers to use this feature. [17] [18]

Since February 2020, Smart-ID accounts can be created using biometric data from an ID card or passport, but only by users who have previously held a Smart-ID account. Since October 2022, minors aged 13 to 17 in Lithuania can also create a Smart-ID account using biometric data; a parent or legal guardian must approve the registration. [19] SK ID Solutions developed the new solution together with iProov from the United Kingdom and InnoValor from the Netherlands, and it was assessed by TÜV Informationstechnik GmbH, a German certification company. [20] [21]

Since May 2023, Smart-ID can be used in Estonia to submit a company's annual reports and to digitally sign any document in the e-Business Register using the PIN2 code. [22]

Overview

The Smart-ID app is available for download on Google Play and Apple's App Store. Android 4.4 and iOS 11 are the oldest operating system versions supported by Smart-ID. [23] Smart-ID works on the principle of two-factor authentication, combining a smart device (something the user has) with PIN codes (something the user knows). [1] A new user must first prove their identity with an ID card or a mobile phone number and then set PIN1 and PIN2 codes, either chosen manually or generated automatically. PIN1 is used to authenticate the person when accessing e-banking or e-services, while PIN2 is used to give electronic signatures and to confirm transactions (e.g., transfers). [24] PIN1 must be four digits long, while PIN2 must be five digits long. [25]

To log in to an e-service, the user selects Smart-ID as the authentication method and enters their unique Smart-ID user ID. A notification opens on the smart device where the app is installed and displays a verification code. If the code matches the code shown by the e-service, the user confirms the match by entering PIN1. When giving a digital signature, the user must confirm the action with PIN2. [25] A Smart-ID account is valid for three years. The account can be updated, changed, and deleted at any time, free of charge. Smart-ID is available in five languages: Estonian, Latvian, Lithuanian, Russian, and English. [26]

An international survey conducted in 2021 found Smart-ID to be the most reliable authentication solution in the Baltic countries. [27] In January 2023, the number of logins to Estonia's State Authentication Service (TARA) made with Smart-ID surpassed those made with Mobile-ID and ID cards, for the first time since July 2022. [28]

Security

Smart-ID is based on Cybernetica's SplitKey authentication and digital signature platform, for which the company has filed a patent application. [29] [30] The technology relies on public key cryptography, digital signature schemes, and public key infrastructure (PKI). [29] The user's PIN is not stored on the device; it is needed only to decrypt the private key share held by the Smart-ID app. [29] When the user enters the PIN, the app decrypts its key share, computes its part of the operation, and sends the result to the Smart-ID server, where the app's contribution is combined with the server's own key share. [29] If the user enters an incorrect PIN three times in a row, the app blocks access for three hours. If this happens again, the app locks for 24 hours, and if it happens a third time, the account is permanently disabled. PINs cannot be changed or recovered once an account has been created, so a user whose account is permanently blocked must create a new one. [31] Smart-ID uses the Apple and Google push messaging services to notify the app when new data is saved on its servers. [32]
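The split-key flow described above, as an added example that is not SK ID Solutions' or Cybernetica's code: a constructed two-party RSA signature in which the device holds one additive share of the private exponent, masked by the PIN, and the server holds the other. The toy key size, the `pin_mask` derivation and the `lockout_state` mapping of the article's escalation policy are assumptions for illustration; the real SplitKey protocol differs in its details.

```python
import hashlib
import os

# Constructed toy RSA key from two Mersenne primes: far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)          # full private exponent; exists only at enrolment

LOCKOUTS = ("3 hours", "24 hours", "permanent")   # escalation from the article


def hash_to_int(msg: bytes) -> int:
    """Hash the data to be signed and reduce it into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def pin_mask(pin: str, salt: bytes) -> int:
    """Assumed, simplified PIN-derived mask (a real scheme would use a stronger KDF)."""
    return int.from_bytes(hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000), "big")


def enrol(pin: str):
    """Split D additively: d1 stays on the device masked with the PIN, d2 on
    the server. Neither share alone yields a signature, and the PIN never
    leaves the device."""
    d1 = int.from_bytes(os.urandom(16), "big") % PHI
    d2 = (D - d1) % PHI
    salt = os.urandom(16)
    device = {"salt": salt, "masked": (d1 + pin_mask(pin, salt)) % PHI}
    server = {"d2": d2, "fails": 0}
    return device, server


def device_partial_sign(device: dict, pin: str, msg: bytes) -> int:
    """Unmask the device share with the entered PIN and compute m^d1 mod N.
    A wrong PIN just produces a wrong share; the app itself cannot tell, so a
    stolen device offers no offline way to test PIN guesses."""
    d1 = (device["masked"] - pin_mask(pin, device["salt"])) % PHI
    return pow(hash_to_int(msg), d1, N)


def server_finish(server: dict, msg: bytes, partial: int):
    """Combine the device's partial result with the server share and verify
    against the public key. Returns (signature, accepted); a failed check is
    counted as a wrong PIN so the lockout policy can be enforced server-side."""
    m = hash_to_int(msg)
    sig = partial * pow(m, server["d2"], N) % N
    if pow(sig, E, N) == m:
        server["fails"] = 0
        return sig, True
    server["fails"] += 1
    return None, False


def lockout_state(server: dict):
    """Every three consecutive failures escalates: 3 h, 24 h, then permanent."""
    rounds = server["fails"] // 3
    return LOCKOUTS[min(rounds, len(LOCKOUTS)) - 1] if rounds else None
```

Because the combined signature equals m^D mod N, the server can check it against the public key without ever learning d1 or the PIN, which is what lets failed PIN attempts be counted centrally.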

Phishing

In February 2019, unknown criminals attempted to create Smart-ID accounts using identity data stolen through phishing text messages and websites, according to a monthly report published by the Estonian Information System Authority (RIA) in April 2019. Latvia's IT security incident response body (CERT) was also notified of these attacks on March 1. The fraudsters sent emails to potential victims in which they posed as bank representatives. The emails led users to a fake bank login page and from there to a phishing page, where the victims were asked to log in with their identification details and PIN1 code. The fraudsters then started the process of creating a new Smart-ID account, and the victim was prompted to enter a PIN2 code, which allowed the fraudster to finish setting up a new account containing the victim's personal data. Using such accounts and the victims' data, fraudsters in Estonia were able to log in to several e-services with Smart-ID and to use online banking on behalf of the victims. RIA later identified several victims, some of whom had also suffered financial losses. [33] RIA requested a full report on the incident from SK ID Solutions. After reviewing it, the authority did not fault the company, although it did propose that the procedure for creating Smart-ID accounts be reviewed. According to the Estonian Banking Association, Estonian banks have not stopped using Smart-ID and see no need to do so. In September 2019, Smart-ID underwent a thorough review to determine the security level of the authentication tool. The reviewers found no flaws, and SK ID Solutions and RIA signed a contract. Estonia later added Smart-ID, alongside its other authentication methods, to the central public services portal. [34]

References

  1. "SEB ir "Swedbank" pristatė bendrą identifikavimo sistemą el. bankininkystės klientams". DELFI (in Lithuanian).
  2. "Adobe - Smart-ID". 2024-06-30.
  3. "Mėgstamiausias lietuvių parašas: koks jis?". Telefonai.eu (in Lithuanian).
  4. "Smart-ID naudotojų skaičius" (in Lithuanian). 2023-05-16.
  5. "Pusantro milijono "Smart-ID" naudotojų laukia naujovės". DELFI (in Lithuanian). Retrieved 2022-10-28.
  6. Madara (2023-04-22). "Smart-ID Breaks Records with 85 Million Transactions in March". Smart-ID. Retrieved 2023-05-16.
  7. "SK ID Solutions' Smart-ID is going to change the world". e-Estonia. 2017-03-13.
  8. "Smart-ID | SEB". SEB.
  9. "Sign documents electronically with your e-resident card". www.dokobit.com.
  10. "Qualified e-signature already available in Smart-ID". Dokobit Blog, blog.dokobit.com.
  11. "How to sign documents with Smart-ID?".
  12. "ENISA Report - eIDAS Compliant eID Solution". 2024-06-30. Archived from the original on 2024-02-28. Retrieved 2022-06-14.
  13. "Means of eID". Estonian Information System Authority, www.ria.ee. Archived from the original on 2022-07-07. Retrieved 2022-06-14.
  14. "Smart ID: kolm aastat ja 2,6 miljonit kasutajat hiljem". Forte (in Estonian).
  15. "Smart-ID has grown at an incredibly rapid pace in just three years: the first Smart-ID users must update their certificates". SK ID Solutions news, www.skidsolutions.eu.
  16. "What to do when your Smart-ID account is about to expire".
  17. "Nüüd saab ametlikku digiallkirja anda ka Smart-ID-ga". Forte (in Estonian).
  18. "Smart-ID can now be used to give digital signatures in DigiDoc4". SK ID Solutions news, www.skidsolutions.eu. 2020-02-07.
  19. ""Smart-ID" paskyrą galės susikurti ir nepilnamečiai". lrt.lt (in Lithuanian). 2022-08-25. Retrieved 2022-10-28.
  20. "You can now use biometry to register for a Smart-ID account". SK ID Solutions news, www.skidsolutions.eu. 2020-02-26.
  21. "Smart-ID kasutajaks saab nüüd biomeetrilise passiga". Forte (in Estonian).
  22. "Digital Nation Blog: Read e-Residency news and stories". e-Residency. 2023-04-21. Retrieved 2023-05-16.
  23. "Smart-ID – "Google Play" programos". play.google.com (in Lithuanian).
  24. "Smart-ID | Luminor". www.luminor.lt. Retrieved 2022-10-28.
  25. "Atlikus tyrimą paaiškėjo, kokias elektroninio autentikavimo priemones dažniausiai renkasi lietuviai". DELFI (in Lithuanian).
  26. "Upgrading your Smart-ID Basic account".
  27. "International Survey: Smart-ID is the Most Reliable Authentication Solution". SK ID Solutions news, www.skidsolutions.eu. 2021-06-30. Retrieved 2022-10-28.
  28. "Smart-ID surpasses Mobile-ID & ID-cards usage". Digigeenius. 2023-01-24. Retrieved 2023-05-16.
  29. "SplitKey Mobile Authentication and Digital Signature Platform" (PDF). Cybernetica. Archived from the original (PDF) on 2024-08-01.
  30. "Smart-ID Technical Overview". 2024-06-30.
  31. "How to keep your smart device and Smart-ID safe?".
  32. "What kind of data is sent over Google and Apple messaging platforms?".
  33. "Štai kaip galite apsisaugoti nuo sukčių pinklių: to išvengti padės paprastas sprendimas". DELFI (in Lithuanian).
  34. "The Information System Authority will adopt Smart-ID for state services". Estonian Information System Authority, www.ria.ee.