Different electronic ID types

ID card (smartcard with photo)
• Widely used physical identification document (75%)
• Enables authentication and digital signatures
• Needs smart card reader & software
• Support for selected web browsers (IE, Mozilla)

Digital ID (smartcard without photo)
• Digital signatures and digital authorization only
• No physical identification (no photo)
• Very fast application (same day)
• Can be used simultaneously in multiple electronic devices

Mobiil-ID (mobile SIM card)
• Digital signatures and digital authorization only
• Doesn't need SW / HW installed on PC or mobile
• Doesn't need web browser support
• No physical identification (no photo)

Organization for PKI and Mobile-ID

[Diagram. Labels recoverable from the figure: Mobiil-ID customer service; order (ID-card authentication) (EMT); Estonian Certification Center (Registration Authority, Certification Authority); certificate generation request; certificate issuing; 1. Certificate and validity control; 2. Signature validation; authentication or digital signature request; m-ID Service; Mobile Operator (EMT); Trusted Service Provider; Client; digital signature (PIN protection); Service Provider (SP: bank, city portal), a web service that requires authentication or digital signatures; OK!]

Mobile ID usability - security vs simplicity (1)

Server based model (Austria):
• Existing mobile SIM cards, where everything is stored at the certification center server. The operator is really just a channel where the user is identified by his mobile subscription (phone number).

Advantages:
• Easy to adopt (no need to replace SIM, special registration, etc.)
• Easy to use (SMS / PIN for authentication)

Drawbacks:
• Security – as it is a server based system, it relies on the security of the GSM network (authenticated by phone number + info over GSM network).
• Legislation / banking may require SIM encryption for sent info and PIN

Mobile ID usability - security vs simplicity (2)

Client based model (Estonia, Lithuania):
• Special STK on SIM card with encryption algorithms on the SIM.

Advantages:
• The customer's private key is under his/her control and the PIN code is not sent over the air.
• Messages to and from the SIM are encrypted and decrypted only for the mobile user to see
• High security - EAL4+ certification applicable (SIM card as a signature creation device). Accepted by governments and banks.
• Easy to use – special software for interaction

Drawbacks:
• Adoption – new SIM cards and certification registration needed

Mobiil-ID as your personal subscription
• Service can be connected only with a private person subscription
• One SIM, two subscriptions – if you are a corporate client then you can have two subscriptions on one SIM
• You can choose which services are billed to the corporation (for example mobile-ID) and which to your personal account (calls, SMS, data)
• It is also possible to bill chosen calls and other services to different accounts – everything is under the user's control!

Mobile-ID usage
• Access authorization
  – e-Government portals
  – mobile operators
  – Banks
• Digital signatures
  – digidoc P2P
  – digidoc web portal
• Payment authorization
  – internet payments
  – transportation tickets
• Personal identification
  – digital ID
  – elections / voting

Mobile-ID case study
• TeliaSonera has been running a successful WPKI "ecosystem - testbed" in Estonia since 2007
• Biggest usage is generated by banks
• First m-voting in the world!
• Estonian Parliament Elections Feb 24 - Mar 6, 2011
  – 140 000 e-voters (ID card + mobile-ID):
  – 24% from all votes (+40% increase)
  – e-votes from 106 countries
  – 3 000 mobile-ID votes
  – 2% from all e-voters
  – 10% of all mobile-ID users

Lessons learned (1)
• Activation process simplicity is key for wide adoption
• Balance between simplicity and required trustworthiness
• Usability - simplicity and convenience (no computer, special SW or smart card readers needed)
• M-ID can be identical (usage, security, etc.) to other digital IDs
• Strong stakeholders are needed in order to get mass usage and de facto standard status (internet banking, public transportation)

Lessons learned (2)
• Simple and motivating pricing for end users and service providers:
  – One time subscription fee for SIM card
  – Monthly fee incl. unlimited transactions on the SIM
  – Monthly fee for the service provider based on transaction bulks
• Solution to provide service for business customer end users (company telephone users):
  – Challenge: national identity (Mobile ID) contract can be connected only to a private individual (Mobiil-ID PIN codes are strictly private)
  – Solution: virtual EMT private mobile subscription (slave account) is connected to EMT business customer subscription (master account).
  – A private person can create a personal mobile subscription connected to their company subscription (company MSISDN) without company authorization

Conclusions – the future is mobile
• Strong ecosystem for mobile-ID usage - all e-services (login/signing) are also available with mobile-ID.
  – e-Government, parliament voting service, tax and customs board, citizen portals, digidoc (web service to sign and share documents), company registration portal, ticketing portals (public transportation, entertainment), energy companies, banks, telecoms, insurance and other e-service providers, etc.
• Internet banking - driving force for Mobile-ID - PIN calculators, Password Cards and even ID-cards are being replaced
• ID cards can't be connected to smartphones and iPads
• Possibility to extend the Estonian ecosystem and technological infrastructure operated by TeliaSonera in Estonia (EMT + Certification Centre) to other TeliaSonera markets