E-ID, MOBILEID 7.9.2016 HARALDUR BJARNASON, CEO, AUÐKENNI
AUÐKENNI
■ Auðkenni was founded by banks and others in 2000
■ Currently owned by all banks and one of the major telcos in Iceland
■ Since the turn of the century Icelandic banks have been working together on security-related issues
■ Sharing experiences
■ Implementing common solutions
AUÐKENNI'S SERVICES
■ OTP keys in 2006
■ Distributed to all bank customers
■ Has been a great success, done what it was supposed to do
■ Aim to close the infrastructure soon
■ Electronic certificates (PKI) in 2008
■ Authentication + qualified signatures
■ Debit cards, ID cards, SIM for mobile
■ Risk-based authentication, transaction monitoring and fraud detection systems from 2013
THE PKI PROJECT (ELECTRONIC CERTIFICATES)
■ Auðkenni was founded by banks and others in 2000
■ Distribute PKI cards for authentication and electronic signatures
■ Government's work gained ground in 2001
■ Law on electronic signatures passed in parliament
■ Government committee on PKI
■ The government started a PKI pilot in 2003
■ The Ministry of Finance sent a letter to the Financial Services Association asking for partnership in 2004
THE PKI PROJECT (ELECTRONIC CERTIFICATES)
■ Banks and the government formed a partnership on eID in 2005
■ Icelandic Financial Services Association and Ministry of Finance
■ Partnership initiated by the government in 2004
■ Auðkenni and the Ministry of Finance signed a formal contract in 2007
■ Setting up and building a national-level PKI infrastructure
■ Distributing certificates to virtually all citizens – using the debit cards
■ Goal: To be the main solution for authentication and electronic signature
THE PKI PROJECT (ELECTRONIC CERTIFICATES)
■ Preparation: 2006-2008
■ Defining, procuring and implementing the national infrastructure
■ Infrastructure running: June 2008
■ Íslandsrót, the national root, owned and governed by the Ministry of Finance
■ Fullgilt auðkenni, the intermediate certificate, issued by Íslandsrót
■ Owned and governed by Auðkenni
■ The first end-user certificate on a debit card in July 2008
■ October 2008
■ The financial crisis hit Iceland and the banks collapsed...
■ November 2013: wireless PKI-based MobileID
■ Icelandic Financial Services Association and Ministry of Finance sign an MOU in 2014
THE PKI PROJECT – DISTRIBUTION (CARDS)
■ Registration Authorities
■ Distributed around the country (operated by bank branches)
■ Roughly 800 trained Registration Officers
■ Issued over 400 thousand certificates on debit cards
■ Around 40% of the population activated the certificate
■ A few thousand employee cards
THE PKI PROJECT – USAGE (CARDS)
■ Majority of online services accept the certificates for authentication
■ Banks and insurance companies
■ Government and municipalities
■ Pension funds, unions, mobile operators and more
■ eSigning applications breaking ground
■ Money transactions
■ Contracts and applications
■ Accountants, auditors, engineers, Auðkenni
■ Auðkenni – trying to make paper obsolete in our business
■ Usage of eID on debit cards not as high as expected
■ Usage of eID on employee cards is high
■ Mandatory and business critical
CHALLENGES WITH USAGE OF CARDS
■ Middleware (Personal from Nexus)
■ Having to download special software is a hindrance for some
■ Lack of support with operating systems/browsers (Mac problem)
■ Lack of distribution of card readers is a hindrance
■ Users with built-in readers more satisfied than others
■ Two PINs, one for each certificate
■ Creates confusion
■ Lack of support in standards
■ Reason: To protect the user from fraud
■ Not very mobile
■ Lack of support for mobile devices
■ We needed to do something new
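The three-tier chain from the infrastructure slide (national root, intermediate certificate, end-user certificate on the card) and the "two PINs, one for each certificate" point above can be made concrete with a small Go program. This is an added example using only the standard-library crypto/x509 package; it is not Auðkenni's code, and the CA names, the "Jon Jonsson" subjects, serial numbers and keys are all constructed here. It assumes the two card certificates are told apart by their X.509 keyUsage bits (digitalSignature for authentication, contentCommitment/nonRepudiation for qualified signatures), which is the usual profile for such cards but is not stated on the slides. The relying-party check verifies the chain to the root and then refuses a signature certificate for login, which is the fraud-protection reason behind keeping the two keys and PINs separate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// template returns a certificate skeleton. pathLen < 0 means an end-user certificate;
// otherwise the CA bits are set and pathLen limits how many CA levels may sit below.
func template(cn string, serial int64, pathLen int) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, Country: []string{"IS"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if pathLen >= 0 {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.MaxPathLen, t.MaxPathLenZero = pathLen, pathLen == 0
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// issue generates a P-256 key pair, signs tmpl for it under parent with parentKey
// (self-signs when parent is nil) and returns the parsed certificate and the key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// BuildHierarchy models the slides' three tiers: a national root signs an intermediate
// CA, which issues an authentication and a signature certificate to the same card holder.
// Names, serial numbers and keys are constructed for this example, not Auðkenni's real ones.
func BuildHierarchy() (root, inter, auth, sign *x509.Certificate) {
	root, rootKey := issue(template("Toy national root", 1, 1), nil, nil)
	inter, interKey := issue(template("Toy intermediate CA", 2, 0), root, rootKey)
	authTmpl := template("Jon Jonsson (auth)", 3, -1) // login: digitalSignature only
	authTmpl.KeyUsage = x509.KeyUsageDigitalSignature
	auth, _ = issue(authTmpl, inter, interKey)
	// Signature certificate: contentCommitment (nonRepudiation) marks the key as
	// reserved for signing documents, which is why it has its own PIN on the card.
	signTmpl := template("Jon Jonsson (sign)", 4, -1)
	signTmpl.KeyUsage = x509.KeyUsageContentCommitment
	sign, _ = issue(signTmpl, inter, interKey)
	return root, inter, auth, sign
}

// VerifyForUse checks that leaf chains to root through inter and that its key-usage
// bits fit the purpose: "auth" (login) or "sign" (documents).
func VerifyForUse(root, inter, leaf *x509.Certificate, use string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	commit := leaf.KeyUsage&x509.KeyUsageContentCommitment != 0
	if use == "auth" && commit {
		return fmt.Errorf("signature certificate must not be used for authentication")
	}
	if use == "sign" && !commit {
		return fmt.Errorf("signing requires a contentCommitment certificate")
	}
	return nil
}

func main() {
	root, inter, auth, sign := BuildHierarchy()
	fmt.Println("auth cert for login:   ", VerifyForUse(root, inter, auth, "auth"))
	fmt.Println("sign cert for login:   ", VerifyForUse(root, inter, sign, "auth"))
	fmt.Println("sign cert for signing: ", VerifyForUse(root, inter, sign, "sign"))
	ca, caKey := issue(template("Rogue CA", 9, 0), nil, nil) // CA outside the hierarchy
	forged, _ := issue(template("Jon Jonsson (forged)", 10, -1), ca, caKey)
	fmt.Println("forged cert for login: ", VerifyForUse(root, inter, forged, "auth"))
}
```

Running it accepts the authentication certificate for login and the signature certificate for signing, rejects the signature certificate for login on its keyUsage bits, and rejects the certificate from the rogue CA at the chain step before any usage policy is consulted. The intermediate's path length of zero mirrors the slide's design where only the national root may create further CAs.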
FUTURE OF PKI ENVIRONMENT
■ Where to store the private key: searching for "secure elements"
■ Smart cards
■ Bank cards, ID cards, USB sticks
■ Central storage (how to access them?)
■ Username/password – OTP (SMS, tokens, apps, etc.)
■ Soft certificates (on computer)
■ Mobile
■ On mobile (soft/apps)
■ On SIM
■ Role of risk-based authentication, fraud detection systems, device identification and behavioral analysis?
WHAT TO DO?
WHAT ARE OUR PARTNERS DOING?
■ Usage of certificates (private keys) in the North
■ On cards (Iceland, Sweden, Finland)
■ Debit cards, eID card
■ Centrally stored (Norway, Denmark, Austria)
■ Username/password/OTP
■ Mobile on app (Sweden)
■ Mobile on SIM (Norway, Estonia, Finland)
OUR RESPONSE – EID ON SIM
WHY?
■ The only solution that fulfils our security requirements
■ App not secure enough (missing secure element)
■ Easier to manage
■ No development for different operating systems/browsers/etc.
■ Easier to service
■ Much easier to track if a user is experiencing errors in usage
■ Easier to use
■ No technological requirements
CHALLENGES (CONS)
■ Distribution of compatible SIM cards
■ When people change SIM card they need a new certificate
■ Dependent on mobile operators
■ Partnership with the majority of mobile operators needed
■ Finding the right business model
MOBILE PKI (ON SIM)
■ Based on our existing PKI infrastructure
■ In-house registration solution
■ Online for users with certificates from Auðkenni
■ In person for others (face-to-face)
■ Partnership with
■ Telecom operators in Iceland
■ Banks
■ Government
■ Others
■ Mobile solution from Valimo/Gemalto
REGISTRATION
The system is just as strong as the weakest link…
MOBILEID – REGISTRATION PHASE
■ In person (face-to-face), show credentials (passport/driving license, etc.)
■ Bank branch
■ Auðkenni
■ Online
■ For users with certificates from Auðkenni
■ Username/password and our OTP key not allowed..!
■ The system is just as strong as the weakest link…
MOBILEID – USABILITY
■ Support for SIM (SIM toolkit)
■ Works on most mobile phones (Nokia 5110 to iPhone 6)
■ Works on most tablets that use a SIM and support the SIM toolkit standard
■ Accessing services
■ No technical requirements from the MobileID solution
■ Works on all operating systems and browsers
■ No need for the user to set up special software, or to use special versions of browsers, operating systems or even devices
■ One PIN – not two
■ Usability over liability?
MOBILEID – USAGE
■ Strong authentication
■ To the majority of online services in Iceland
■ Enterprise usage (like VPN)
■ More…
■ Qualified signatures
■ ETSI-compliant signatures (CAdES, XAdES, PAdES)
EXAMPLE OF SERVICES AVAILABLE
■ All internet banks in Iceland
■ The tax authorities
■ Insurance companies
■ Education
■ Healthcare portal
■ E-democracy portal (online voting)
■ Payment applications
■ Document signing services
E-SIGNATURES – AUÐKENNI USE CASE
■ Everything that is signed is signed electronically…
■ Auðkenni usage of eSigning -> a mission possible
■ All contracts
■ Contractors/suppliers
■ Employees
■ Annual statement (P&L and balance sheet)
■ Minutes of the board
■ Communications with government
■ Communications with banks
■ A cross-country contract electronically signed
■ With Valimo …
ANNUAL REPORT
Auðkenni's board of directors digitally signed Auðkenni's annual report while in seven different locations: three countries and four cities in Iceland.
THE AMENDMENT (GOVERNMENT PROGRAMME)
■ Programme that aims to assist households with indexed mortgages by writing down a portion of the mortgage debt
■ It extends to over a third of all Icelanders
■ The entire process is electronic (obligated by law)
■ Qualified electronic signatures are required
STATUS TODAY – MOBILEID
■ About 30% of the population has MobileID
■ Close to 100% of telecom operators now offer MobileID (all but one small one)
■ Over 200 service providers accept MobileID
■ MobileID is used both for identification/authentication and for signatures
■ MobileID has transformed the usage of eID
■ Usage is rising
■ Number of new service providers is rising
MOBILE ID NUMBER OF USERS
MOBILE ID NUMBER OF USERS AND USAGES
ELECTRONIC ID ON MOBILE PHONES – USAGE BY REGISTERED RESIDENCE OF USERS
THANK YOU
■ Haraldur Bjarnason
■ hab@audkenni.is
■ audkenni.is