Using a mobile device to access e-services and provide digital signatures isn’t new in Estonia. A very popular SIM-based mobile digital identity system, called Mobiil-ID, was introduced in 2007.
But now Estonia’s certification authority Certification Centre, or SK, says it’s going to launch a new digital authentication app for Android and iOS called Smart-ID early next year.
SK’s CEO Kalev Pihl tells ZDNet that although the new app, developed with Norwegian tech firm Cybernetica, isn’t built to replace the old system, it’s seen as a way of drawing in all the potential clients who for various reasons are not using Mobiil-ID.
“Mobiil-ID and Smart-ID are not identical, nor is Smart-ID meant to replace Mobiil-ID,” Pihl says.
“Mobiil-ID was launched almost 10 years ago and is a child of its time. It was based on all that seemed customary then. Mobiil-ID is still a fully working solution and it doesn’t need a replacement. Smart-ID has been created with an eye to the future.”
For years, Estonia has been the frontrunner in the field of digital identity. The compulsory chip-equipped Estonian ID card, introduced in 2002, is not just a travel and identification document, but also a daily tool for people who are using different public and private sector e-services.
When connected with a smartcard reader and specific software, it is possible to enter web portals, use e-services, make payments and bank transactions, provide digital signatures, and even to take part in electronic voting with it.
The card itself holds two separate public key infrastructure, or PKI, digital certificates: one for confirming the holder’s identity, and the other to allow them to sign documents with a digital signature.
There are two associated private keys on the card, which are each securely protected by a unique user PIN.
Users can enter one when asked to verify their identity online, the other when they want to digitally sign something. Entering the second PIN is the equivalent of signing a document in person, and it’s considered just as legally binding in Estonia.
In 2007 an alternative to the ID-card based system called Mobiil-ID was launched, which made life for citizens even easier. Instead of carrying around a smart-card reader and installing special software, the user gets secure access to all the same services through the mobile phone using special PIN codes.
This system is SIM-based, which means to get Mobiil-ID you have to apply for it with your mobile operator, which then provides a special SIM-card.
SK’s Smart-ID will be another alternative in this field. Although it is also based on the PIN codes users have to type in when using services, there are two important differences when compared with Mobiil-ID. First, it can work independently of the SIM-card and only an internet connection is needed. Secondly, it offers new security technology.
Pihl explains that there are currently two common methods for providing security for digital signatures.
“The secure digital signature has been connected with a certain cryptographic key, which is kept in one specific device and the cryptographic key can’t leave this device. Those devices are in the hands of the users via a smartcard, SIM, or crypto token and protected with PIN code,” he says.
Alternatively, they are kept somewhere in the service provider’s cloud.
“When the user logs in to the service, he or she authorizes the signature that the service provider gives on his or her behalf. In Estonia, that first model has prevailed and is based on the idea that the user should trust himself or herself and the device for signing. In general, the other risks should be mitigated from the moment the user is handed the device,” Pihl says.
“The second model is riskier for the user because the service provider has everything it needs to give the digital signature in user’s name.”
He argues that the new Smart-ID solution combines the best qualities of both systems.
“The private key has been created in two independent parts, so that the user and service provider’s secure cloud both own something completely unique. The whole operation will start to work when the PIN is entered, but the PIN itself doesn’t exist in any form in any infosystem. It is validated through the results of specific calculations,” he says.
This approach means even if the app or the server is hacked, the intruder can’t get the access to user’s PIN codes, as only they only contain one part of the private key.
Pihl says the basis for this cryptosystem has existed for some time, but the team behind the new system had to do a lot of optimizations for it to be able generate keys quickly enough to be acceptable to the user, using hardware that anyone could buy from a shop.
“We’ve applied for several patents, and the scientific studies regarding the whole system have already been sent to a peer-reviewed journals,” he added.
Although the service will be launched next year, it takes some time to get the whole technical system certified for it to be used as equally legally binding as a hand-written signature.
“It can take a year or two, but we hope that we’ll be ready with it by the end of the next year,” Pihl said.
He believes that Smart-ID is universal enough to be implemented internationally, which is why SK is not going to put its main focus on Estonia when the new system is launched next year.
“With our service provider model we are looking at the European market first, because in the European Union we have the single market for trust services which makes our service more trustworthy in other member countries,” he says.
“But we’ve also seen interest also from outside the EU. In three years, I hope it’ll be used in at least 10 countries. As a tool for international identification and signing, it might mean a few bigger e-services.”