Smart-ID

Smart-ID is an electronic authentication and signing tool developed by SK ID Solutions, an Estonian company. Users can log in to electronic services and sign documents with an electronic signature. [1]

Smart-ID meets the requirements of the European Union's eIDAS Regulation and the European Central Bank's standards for a secure authentication solution. [2] Smart-ID is certified as a Qualified Signature Creation Device (QSCD) and can be used to create a Qualified Electronic Signature (QES). [2] The Smart-ID app runs on both iOS and Android devices and does not require a SIM card. [3] By 2021 the app was also available in the Huawei AppGallery. [3] As of October 2022, Smart-ID had 3,198,773 active users across the Baltic states (Estonia, Latvia and Lithuania) [4] and processed about 79 million transactions per month. [5]

History

SK ID Solutions first presented Smart-ID at its annual conference in November 2016. In February 2017, eKool, Starman and Tallinna Kaubamaja Grupp were the first to adopt Smart-ID authentication in their e-services. [6] In March 2017, Smart-ID was added as an authentication option to the online banking of SEB and Swedbank in all three Baltic states. [7] Dokobit, previously known as DigiDoc, began offering its clients Smart-ID authentication for e-services in April 2017. [8] More than 100 service providers had adopted Smart-ID as an authentication solution by November 2019. At its annual conference on November 8, 2018, SK ID Solutions announced that Smart-ID had been certified at the QSCD [8] level, the highest level of qualified electronic signature in the European Union, following a rigorous certification process. [9] As a result, the QES-level electronic signature given with Smart-ID, the digital counterpart of a handwritten signature, became available to every registered user and is recognised in all European Union member states. [10] On August 26, 2019, experts of the Estonian Information System Authority (RIA) assessed Smart-ID. Using the assessment method set out in the eIDAS Regulation, the expert committee concluded that Smart-ID provides a high level of assurance for electronic identification. In September 2019, SK ID Solutions and RIA signed an agreement under which Smart-ID can be used to authenticate to Estonian state e-services through RIA's central authentication service, which is used by over 60 public authorities. [11] [12] The first Smart-ID accounts, created three years earlier, expired in January 2020, so their users had to renew them and install mandatory updates. [13] [14] [15]

Dokobit

In February 2020, SK ID Solutions announced that Smart-ID could be used to give digital signatures in the national digital signature software DigiDoc4, which until then had been possible only with an ID card or Mobile-ID. Users need DigiDoc4 version 4.2.4.71 or later installed on their computers to use this feature. [16] [17]

Since February 2020, a Smart-ID account can also be created using the biometric data stored in an ID card or passport, initially only by users who had held a Smart-ID account before. Since October 2022, minors aged 13 to 17 in Lithuania can also create a Smart-ID account using biometric data, with the approval of a parent or legal guardian. [18] SK ID Solutions developed the solution together with iProov from the United Kingdom and InnoValor from the Netherlands, and it was assessed by the German certification body TÜV Informationstechnik GmbH. [19] [20]

Overview

The Smart-ID app is available on Google Play and Apple's App Store; the oldest supported operating system versions are Android 4.1 and iOS 8. [21] Smart-ID is built on two-factor authentication, combining a smart device (something the user has) with PINs (something the user knows). [1] A new user first proves their identity with an ID card or a mobile phone number and then sets two codes, PIN1 and PIN2, either chosen manually or generated automatically. PIN1 authenticates the user when logging in to e-banking or other e-services; PIN2 authorises electronic signatures and transactions such as transfers. [22] PIN1 must be at least four digits long and PIN2 at least five. [23] To log in to an e-service, the user selects Smart-ID as the authentication method and enters their personal identification code (the Smart-ID user identifier). A notification opens on the smart device where the app is installed and shows a verification code. If it matches the code shown by the e-service, the user confirms the login by entering PIN1; a digital signature is confirmed with PIN2 instead. [23] A Smart-ID account is valid for three years and can be renewed, changed or deleted at any time free of charge. Smart-ID is available in five languages: Estonian, Latvian, Lithuanian, Russian and English. [24] According to an international survey cited by SK ID Solutions in 2021, Smart-ID is the most reliable authentication solution in the Baltic countries. [25]
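The verification-code step described above, as an added example that is not code from the page or from SK ID Solutions. The formula is assumed from the public Smart-ID API documentation and is not stated on this page: the code is the last two bytes of SHA-256 over the hash to be signed, read as an unsigned big-endian integer, reduced modulo 10000 and zero-padded to four digits. The e-service challenge and the attacker seed are constructed for the example. Besides the honest comparison, the block shows what a four-digit code does not protect against: an attacker who controls the request pushed to the app can grind a hash that displays any code they choose.

```python
"""Smart-ID style verification code (added illustration, assumed formula)."""
import hashlib
import secrets


def verification_code(hash_to_sign: bytes) -> str:
    """Four-digit code derived from the hash the user is about to sign.
    Assumption: last two bytes of SHA-256(hash), as unsigned int, mod 10000."""
    digest = hashlib.sha256(hash_to_sign).digest()
    return f"{int.from_bytes(digest[-2:], 'big') % 10000:04d}"


def new_auth_challenge() -> bytes:
    """E-service side: a fresh random hash for this login session (constructed)."""
    return hashlib.sha256(secrets.token_bytes(64)).digest()


def user_confirms(code_on_service: str, code_in_app: str) -> bool:
    """The comparison the user makes between the two screens before entering PIN1.
    Both sides derive the code from the same hash, so a notification that belongs
    to a different session shows a different code with probability 9999/10000."""
    return code_on_service == code_in_app


def grind_challenge(target_code: str, max_tries: int = 300_000) -> tuple[bytes, int]:
    """Attacker side: pick a hash whose code equals target_code.
    About 10,000 tries are expected, so an attacker who can start a session in the
    victim's name can also make the app display a code the victim already expects.
    Matching codes prove the notification belongs to this hash, not that the user
    started the session."""
    seed = b"constructed-attacker-seed"  # fixed seed, constructed for determinism
    for i in range(1, max_tries + 1):
        candidate = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        if verification_code(candidate) == target_code:
            return candidate, i
    raise RuntimeError("no matching hash found within max_tries")


if __name__ == "__main__":
    challenge = new_auth_challenge()
    shown_by_service = verification_code(challenge)
    shown_in_app = verification_code(challenge)  # the app receives the same hash via the server
    print("service:", shown_by_service, "app:", shown_in_app,
          "user confirms:", user_confirms(shown_by_service, shown_in_app))
    forged, tries = grind_challenge(shown_by_service)
    print(f"attacker found a hash showing {shown_by_service} after {tries} tries")
```

The code is a cheap guard against acting on the wrong notification; it is the PIN, entered only after the comparison, that authorises the operation, and the phishing incident described below worked precisely by walking the victim through that comparison and PIN entry for a session the attacker had started.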

Security

Smart-ID is based on Cybernetica's SplitKey authentication and digital signature platform, for which the company has filed a patent application. [26] [27] The technology uses public key cryptography, digital signature schemes and public key infrastructure (PKI). [26] The user's PIN is not stored on the device; it is used only to decrypt the user's share of the private key inside the Smart-ID app. [26] When the user enters the PIN, the app decrypts its key share, computes its part of the signature and sends the result to the Smart-ID server, where it is combined with the server's share of the key. Neither the device nor the server alone holds the complete private key, so a signature cannot be produced without both. [26] Entering a wrong PIN three times in a row blocks the app for three hours; if this happens again, the app is blocked for 24 hours, and a third time permanently disables the account. PINs cannot be changed or recovered once an account has been created, so a user whose account is permanently blocked must create a new one. [28] Smart-ID uses the Apple and Google push messaging services to notify the app when new data is waiting on its servers. [29]
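The split-key flow described above, as an added example that is not code from Cybernetica or SK ID Solutions. It uses a textbook additive split of the RSA private exponent, not the patented SplitKey construction, and toy RSA factors (two Mersenne primes, trivially factorable) so that it runs offline without a key-generation routine. The lockout schedule (three hours, 24 hours, then permanent) follows the page; the three-strike counter, the simulated clock passed as `now`, the key-derivation details and the `enrol`/`sign`/`verify` names are assumptions of this example.

```python
"""Split-key RSA signing with a PIN-protected device share (added illustration)."""
from __future__ import annotations

import hashlib
import math
import secrets
from dataclasses import dataclass

E = 65537
P = (1 << 521) - 1            # toy factors: Mersenne primes M521 and M607 (NOT for real use)
Q = (1 << 607) - 1
N = P * Q
LAMBDA = math.lcm(P - 1, Q - 1)
D = pow(E, -1, LAMBDA)        # full private exponent: exists only during enrolment
SHARE_BYTES = (LAMBDA.bit_length() + 64) // 8   # oversized so every blob decodes to a plausible share
LOCK_SECONDS = (3 * 3600, 24 * 3600)            # 1st and 2nd lockout; the 3rd disables the account


def hash_to_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")   # < 2**256 < P, so gcd(m, N) == 1


def _keystream(pin: str, salt: bytes, length: int) -> bytes:
    # SHA-256 in counter mode keyed by the PIN (assumed KDF). Deliberately unauthenticated:
    # a wrong PIN yields a different but equally plausible share, so nothing on the
    # device tells an attacker whether a PIN guess was right; only the server can.
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(salt + pin.encode() + counter.to_bytes(4, "big")).digest()
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Device:
    salt: bytes
    blob: bytes   # client share XOR keystream(PIN); the PIN itself is never stored

    def partial_signature(self, pin: str, m: int) -> int:
        share = int.from_bytes(_xor(self.blob, _keystream(pin, self.salt, SHARE_BYTES)), "big")
        return pow(m, share, N)   # sent to the server; assumed not persisted on the device


@dataclass
class Server:
    d_server: int
    failures: int = 0
    lockouts: int = 0
    locked_until: float = 0.0
    disabled: bool = False

    def complete(self, m: int, partial: int, now: float) -> tuple[str, int | None]:
        if self.disabled:
            return "disabled", None
        if now < self.locked_until:
            return "locked", None
        sig = partial * pow(m, self.d_server, N) % N
        if pow(sig, E, N) == m:        # both shares were right: this is a full RSA signature
            self.failures = 0
            return "ok", sig
        self.failures += 1             # wrong PIN shows up here, nowhere else
        if self.failures < 3:
            return "bad_pin", None
        self.failures = 0
        if self.lockouts >= len(LOCK_SECONDS):
            self.disabled = True       # third lockout: account permanently disabled
            return "disabled", None
        self.locked_until = now + LOCK_SECONDS[self.lockouts]
        self.lockouts += 1
        return "locked", None


def enrol(pin: str) -> tuple[Device, Server]:
    d_client = secrets.randbits(SHARE_BYTES * 8)
    d_server = (D - d_client) % LAMBDA        # d_client + d_server == D (mod lambda)
    salt = secrets.token_bytes(16)
    blob = _xor(d_client.to_bytes(SHARE_BYTES, "big"), _keystream(pin, salt, SHARE_BYTES))
    return Device(salt, blob), Server(d_server)


def sign(device: Device, server: Server, pin: str, message: bytes, now: float) -> tuple[str, int | None]:
    m = hash_to_int(message)
    return server.complete(m, device.partial_signature(pin, m), now)


def verify(message: bytes, sig: int) -> bool:
    return pow(sig, E, N) == hash_to_int(message)


if __name__ == "__main__":
    dev, srv = enrol("24680")
    print(sign(dev, srv, "24680", b"transfer 100 EUR", now=0)[0])   # ok
    for t in (1, 2, 3):
        print(sign(dev, srv, "00000", b"transfer 100 EUR", now=t)[0])   # bad_pin, bad_pin, locked
```

Two points the split makes concrete: the device share alone yields only `m^d_client`, which is useless without the server's exponent, and because the device cannot tell a right PIN from a wrong one, guessing is throttled centrally by the server's counter rather than by anything an attacker with the phone could bypass.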

Phishing

In February 2019, unknown criminals attempted to create Smart-ID accounts using identities stolen through phishing by text message and fake websites, according to a monthly report published by the Estonian Information System Authority (RIA) in April 2019. Latvia's Information Technology Security Incident Response Institution (CERT.LV) was also notified of these attacks on March 1. The fraudsters sent emails to potential victims posing as bank representatives. The emails led to a fake bank login page, where the victims were asked to log in with their identification details and PIN1 code. The fraudsters then started creating a new Smart-ID account in the victim's name, which prompted the victim to enter PIN2; that entry let the fraudsters complete the new account with the victim's personal data. The attack exploited the account-creation flow rather than a weakness in the cryptography: the victim's own credentials were used to authorise the enrolment of a second, attacker-controlled account. In Estonia, fraudsters used such accounts to log in to several e-services and to use online banking on the victims' behalf. RIA later identified several victims, some of whom had also suffered financial losses. [30] RIA requested a full report on the incident from SK ID Solutions. After receiving it, RIA chose not to criticise the company, but did recommend that the Smart-ID account-creation procedure be reviewed. According to the Estonian Banking Association, Estonian banks have not stopped using Smart-ID and do not consider it necessary to do so. In September 2019, Smart-ID underwent a thorough review to determine the security level of the authentication tool. The reviewers found no flaws, and SK ID Solutions and RIA signed a contract. Estonia subsequently added Smart-ID and other authentication methods to its central public services portal. [31]

References

  1. "SEB ir "Swedbank" pristatė bendrą identifikavimo sistemą el. bankininkystės klientams" [SEB and Swedbank introduced a joint identification system for e-banking customers]. DELFI (in Lithuanian).
  2. "Smart-ID". Adobe Document Cloud, digital identity. https://helpx.adobe.com/lt/document-cloud/digital-identity/smart-id.html
  3. "Mėgstamiausias lietuvių parašas: koks jis?" [Lithuanians' favourite signature: what is it?]. Telefonai.eu (in Lithuanian).
  4. "Pirmieji "Smart-ID" naudotojai turi atnaujinti savo paskyras" [The first Smart-ID users must update their accounts] (in Lithuanian). January 28, 2020.
  5. "Pusantro milijono "Smart-ID" naudotojų laukia naujovės" [Changes await 1.5 million Smart-ID users]. DELFI (in Lithuanian). Retrieved 2022-10-28.
  6. "SK ID Solutions' Smart-ID is going to change the world". e-Estonia. March 13, 2017.
  7. "Smart-ID". SEB.
  8. "Sign documents electronically with your e-resident card". www.dokobit.com.
  9. "Qualified e-signature already available in Smart-ID". Dokobit Blog. blog.dokobit.com.
  10. "How to sign documents with Smart-ID?".
  11. "eIDAS compliant eID solutions" (full report). ENISA. https://www.enisa.europa.eu/publications/eidas-compliant-eid-solutions/@@download/fullReport
  12. "Means of eID". Estonian Information System Authority. www.ria.ee.
  13. "Smart ID: kolm aastat ja 2,6 miljonit kasutajat hiljem" [Smart-ID: three years and 2.6 million users later]. Forte (in Estonian).
  14. "Smart-ID has grown at an incredibly rapid pace in just three years. The first Smart-ID users must update their certificates". SK News. www.skidsolutions.eu.
  15. "What to do when your Smart-ID account is about to expire".
  16. "Nüüd saab ametlikku digiallkirja anda ka Smart-ID-ga" [Official digital signatures can now also be given with Smart-ID]. Forte (in Estonian).
  17. "Smart-ID can now be used to give digital signatures in DigiDoc4". SK News. www.skidsolutions.eu.
  18. ""Smart-ID" paskyrą galės susikurti ir nepilnamečiai" [Minors will also be able to create a Smart-ID account]. lrt.lt (in Lithuanian). 2022-08-25. Retrieved 2022-10-28.
  19. "You can now use biometry to register for a Smart-ID account". SK News. www.skidsolutions.eu.
  20. "Smart-ID kasutajaks saab nüüd biomeetrilise passiga" [You can now become a Smart-ID user with a biometric passport]. Forte (in Estonian).
  21. "Smart-ID – "Google Play" programos" [Smart-ID – Google Play apps]. play.google.com.
  22. "Smart-ID". Luminor. www.luminor.lt. Retrieved 2022-10-28.
  23. "Atlikus tyrimą paaiškėjo, kokias elektroninio autentikavimo priemones dažniausiai renkasi lietuviai" [Survey reveals which electronic authentication tools Lithuanians choose most often]. DELFI (in Lithuanian).
  24. "Upgrading your Smart-ID Basic account".
  25. "International Survey: Smart-ID is the Most Reliable Authentication Solution". SK News. www.skidsolutions.eu. Retrieved 2022-10-28.
  26. [bare URL PDF]
  27. "Smart-ID technical overview v0.6". https://www.smart-id.com/wordpress/wp-content/uploads/2017/01/smart-id-technical-overview-v0.6.html
  28. "How to keep your smart device and Smart-ID safe?".
  29. "What kind of data is sent over Google and Apple messaging platforms?".
  30. "Štai kaip galite apsisaugoti nuo sukčių pinklių: to išvengti padės paprastas sprendimas" [Here is how to protect yourself from fraudsters' traps: a simple solution will help]. DELFI (in Lithuanian).
  31. "The Information System Authority will adopt Smart-ID for state services". Estonian Information System Authority. www.ria.ee.