Electronic-ID > Digital-ID > Mobile-ID Estonian experience Moldovan ICT Summit May 18, 2011 Holger Haljand Development Manager EMT AS / TeliaSonera Estonia Phone: +372 502 8814 E-mail: [email protected]

Estonian Experience electronicID, mobileID



TeliaSonera - in brief

• Europe’s 5th largest telecom operator

• Employees: 28,945

• 2010 net sales: EUR 11,9 billion

• Subscriptions: 157m

• In 19 countries: Azerbaijan, Belarus, Denmark, Estonia, Finland, Georgia, Kazakhstan, Latvia, Lithuania, Moldova, Nepal, Norway, Russia, Spain, Sweden, Tajikistan, Turkey, Ukraine, and Uzbekistan.


Republic of Estonia

Facts about Estonia

• Part of EU / Eurozone / NATO

• Population: 1,340,000

• Mobile: 118%

• Internet: 57%

• Broadband: 48,5%

• Mobile Internet: 22%


Estonia in 2010: e-Country

• ID-card (1,000,000 cards, 75% of population)

• mobile-ID (25,000 m-ID SIM-cards)

• e-Government

• e-Elections (140,000 e-voters, 24% of all voters)

• m-Elections (3,000 m-voters)

• e-Tax and Customs Board (90% of all declarations)

• e-Banking (90% transactions)

• e-School (300,000 users)

• e-Health project (e-prescription)


Mobile services in Estonia - impact on everyday lives


Different electronic ID types

ID card (smartcard with photo)

• Widely used physical identification document (75%)

• Enables authentication and digital signatures

• Needs smart card reader & software

• Support for selected web browsers (IE, Mozilla)

Digital ID (smartcard without photo)

• Digital signatures and digital authorization only

• No physical identification (no photo)

• Very fast application (same day)

• Can be used simultaneously in multiple electronic devices

Mobiil-ID (mobile SIM card)

• Digital signatures and digital authorization only

• Doesn’t need SW / HW installed on PC or mobile

• Doesn’t need web browser support

• No physical identification (no photo)


Organization for PKI and Mobile-ID

[Diagram. Parties shown: Client; Service Provider (SP: bank, city portal), a web service that requires authentication or digital signatures; Mobile Operator (EMT), m-ID Service; Registration Authority (EMT), Mobiil-ID customer service, certificate issuing; Certification Authority / Trusted Service Provider (Estonian Certification Center). Flow labels: ORDER (ID-card authentication); Certificate generation request; Authentication or digital signature request; Digital signature (PIN protection); 1. Certificate and validity control; 2. Signature validation; OK!]


Mobile ID usability - security vs simplicity (1)

Server based model (Austria):

• Existing mobile SIM cards, where everything is stored on the certification center server. The operator is really just a channel through which the user is identified by his mobile subscription (phone number).

Advantages:

• Easy to adopt (no need to replace SIM, special registration, etc)

• Easy to use (SMS / PIN for authentication)

Drawbacks:

• Security – as a server-based system, it relies on the security of the GSM network (authentication by phone number + info sent over the GSM network).

• Legislation / banking may require SIM encryption for sent info and PIN


Mobile ID usability - security vs simplicity (2)

Client based model (Estonia, Lithuania):

• Special STK on SIM card with encryption algorithms on the SIM.

Advantages:

• The customer's private key is under his/her control and the PIN code is not sent over the air.

• Messages to and from the SIM are encrypted and decrypted only for the mobile user to see

• High security - EAL4+ certification applicable (SIM card as a signature creation device). Accepted by governments and banks.

• Easy to use – special software for interaction

Drawbacks

• Adoption – new SIM cards and certification registration needed


Mobiil-ID as your personal subscription

• Service can be connected only with a private person subscription

• One SIM, two subscriptions – if you are a corporate client, you can have two subscriptions on one SIM

• You can choose which services are billed to the corporation (for example mobile-ID) and which to your personal account (calls, SMS, data)

• It is also possible to bill chosen calls and other services to different accounts – everything is under the user's control!


Mobile-ID usage

• Access authorization

– e-Government portals

– mobile operators

– Banks

• Payment authorization

– internet payments

– transportation tickets

• Digital signatures

– digidoc P2P

– digidoc web portal

• Personal identification

– digital ID

– elections / voting


Mobile-ID case study

• TeliaSonera has been running a successful WPKI “ecosystem - testbed” in Estonia since 2007

• Biggest usage is generated by banks

• First m-voting in the world!

• Estonian Parliament Elections Feb 24 - Mar 6, 2011

– 140 000 e-voters (ID card + mobile-ID):

– 24% from all votes (+40% increase)

– e-votes from 106 countries

– 3 000 mobile-ID votes

– 2% from all e-voters

– 10% of all mobile-ID users


Lessons learned (1)

• Simplicity of the activation process is key for wide adoption

• Balance between simplicity and required trustworthiness

• Usability - the simplicity and convenience (no computer, special SW or smart card readers needed)

• M-ID can be identical (usage, security, etc.) to other digital IDs

• Strong stakeholders are needed in order to get mass usage and de facto standard status (internet banking, public transportation)


Lessons learned (2)

• Simple and motivating pricing for end users and service providers:

– One time subscription fee for SIM card

– Monthly fee incl unlimited transactions on the SIM

– Monthly fee for the service provider based on transaction bulks

• Solution to provide service for business customer end users (company telephone users):

– Challenge: a national identity (Mobile ID) contract can be connected only to a private individual (Mobiil-ID PIN codes are strictly private)

– Solution: a virtual EMT private mobile subscription (slave account) is connected to the EMT business customer subscription (master account).

– A private person can create a personal mobile subscription connected to their company subscription (company MSISDN) without company authorization


Conclusions – the future is mobile

• Strong ecosystem for mobile-ID usage - all e-services (login/signing) are available also with mobile-ID.

– e-Government, parliament voting service, tax and customs board, citizen portals, digidoc (web service to sign and share documents), company registration portal, ticketing portals (public transportation, entertainment), energy companies, banks, telecoms, insurance and other e-service providers, etc…

• Internet banking - driving force for Mobile-ID - PIN calculators, Password Cards and even ID-cards are being replaced

• ID cards can't be connected to smartphones and iPads

• Possibility to extend Estonian ecosystem and technological infrastructure operated by TeliaSonera in Estonia (EMT + Certification Centre) to other TeliaSonera markets


Thank you!
