Strong customer authentication doesn’t need to be difficult

…at least not in Nordic countries, that is. This article was supposed to be a short introduction on how simple strong customer authentication (SCA) can be. But it became a comprehensive view of where WeAre in customer authentication in Finland. If You Are interested in providing security and ease of access to your service for your customers, be in touch and let’s discuss how that can be achieved together with the help of my awesome and skilled friends.

Strong customer authentication has been difficult in the past

A while ago I came across a LinkedIn post where the writer criticized government efforts to provide authentication means for citizens. It is true that Finland has stumbled a lot with citizen authentication, e.g. by starting to add strong cryptography-based authentication methods to ID-cards in the early nineties.

The time wasn’t right, and in the end, even today no one would want to use such complex methods of authentication, where a separate card reader would be needed to attach the ID-card to the computer. These days we don’t even use services with our computers, but more and more with our mobile devices. Even the current updated version of the government-issued ID-card, which includes a Near Field Communication (NFC) chip, hasn’t increased the use of the government-issued identity on the ID-card.

Finnish Trust Network

It is a common but faulty misconception that the government wouldn’t do anything or that the efforts were futile.

In 2019 the Finnish government introduced the Finnish Trust Network (FTN). Actually, the idea was introduced a few years earlier, and in 2019, after only a few years of debate and legislation, it was put into action.

FTN was a brilliant idea to improve the somewhat stale scheme of strong customer authentication in Finland. As was proven during the spring of 2020, the efforts have not gone in vain; instead they have been very successful. There is a multitude of commercial authentication brokers providing authentication based on the rules and regulations of FTN. The number of authentication events is one that hasn’t been seen even in widely used identity federations.

Discussion of improving the network further has been lively. I believe that even in the near future we can see growth in new businesses and improvement of and increase in digital transactions. This has been made possible by the ease of strong authentication based on government-issued identity.

Stale history of strong customer authentication in Finland

I feel I need to explain why I call the previous authentication scheme stale. You can skip this part in case you know the history already. The authentication scheme before FTN was called Tupas.

For a long time commercial banks have had the lion’s share of strong customer authentication in Finland. At first some early banks started to provide new digital methods to use banking services. As strong customer authentication was an important part of that business, banks realized that it could be sold separately as a service to external service providers as well. That realization might have come as a necessity to support the growing demands of increasing digitalization and self-service, but after all, it was a good way to cover the costs of customer authentication. Other banks and some early adopters in the field mimicked the first implementations, and separate methods were formed as competing industry standards.

The Finnish financial sector (Finance Finland – FFI) specified together with the banks the Tupas specification, unifying the divergent implementations that the separate banks had. Although there now was a common specification, implementations still differed. New demands arose and the specifications did not follow.

Criticism was targeted at the banks, as the Tupas authentication method was quite expensive. Banks had practically no competitors in the strong customer authentication field in Finland, and they had very similar pricing of authentication events. Pricing was transaction based, and many simple services found that it was way too expensive to find any revenue in the actual service itself after the costs of authentication.

Another cause of criticism was the outdated methods used in strong authentication. As banks had no competitors in the field of authentication, they were able to focus development efforts elsewhere. Banks used traditional one-time password (OTP) lists that were printed on paper. Users wanted easier methods to authenticate. In addition to customer demand, the new Payment Services Directive (PSD2) forced banks to develop new methods to replace the old OTP lists.

The Finnish government noted that the authentication methods provided solely by banks should be broken apart. The cost of a single authentication event would be regulated, forcing actors towards efficiency. A new topology of the network would be introduced. The topology was modelled on academic identity federations and confederations, but an identity broker model would be introduced rather than the full mesh federation that was in place with academic identity federations. It was thought that this would make control of the network easier and ease the integration of relying parties into the network.

Currently, only a few competing methods of authentication have emerged. Banks still prevail as authentication providers. Many banks use mobile applications as a third factor in multi-factor authentication (MFA). The most substantial competitor in the field is Mobiilivarmenne.

A new competitor: Mobiilivarmenne

Mobiilivarmenne is such a Finnish thing that it doesn’t even have a proper English translation yet. The term Mobile ID that the operators use has not yet become familiar and is a bit ambiguous. Mobiilivarmenne is a cryptographic end-user certificate that is securely installed on the Subscriber Identity Module (SIM) of the user.

The communication in the authentication procedure between the mobile operator and the user device is done using the signaling channel of the GSM network. The end-user application runs on the SIM-card itself, i.e. in the SIM Toolkit.

The use of features solely on the SIM-card ensures that the method can be used even with the most basic devices. As a cherry on the cake, the method was implemented in co-operation with all three mobile operators in Finland. Mobiilivarmenne can be used in the same way as short message service (SMS) messages and phone calls: the service provider doesn’t need to know which network the user is attached to, and the authentication can be initiated with only the phone number of the user.

You may be wondering how this new method will succeed when the E-SIM takes the market away from the traditional physical SIM-card. Fear not. I have received signals that the extended specifications that are needed to support Mobiilivarmenne would be taken into the E-SIM specifications as well. This would mean the E-SIM will not be the end of Mobiilivarmenne.

Even though Mobiilivarmenne is a simple and efficient authentication method, it is not widely known yet. While the operators have made good efforts in joint marketing of the product, only a handful of users have registered Mobiilivarmenne on their SIM-card. However, statistics show that the market share of Mobiilivarmenne is growing as more and more services endorse the use of it.

Currently, Mobiilivarmenne is the only real competitor as a new method in FTN to replace the bank IDs in Finland as the method of strong customer authentication. Some new proposals have emerged in Europe lately, but they are still national. No method covering all EU citizens has emerged yet.

Shouldn’t the government provide the method of authentication

This is a really interesting question. I would like to challenge it. Why should it? Is it really the core business case of the government, and a proper use of taxpayers’ money, for the government to issue methods of authentication?

Another common misconception is to conflate the procedure of authentication with the identity of the entity being authenticated. In reality, they are separate things and should not be thought of as a single issue. The correct question to ask is whether the government should be the entity issuing the identity of a citizen. The answer to that question could be: yes, it should.

To be thorough, even the identity could be issued elsewhere. In an optimal world, the government would only confirm the identity and the citizenship or status of the person in regard to the nation (e.g. permanent residency). But I guess we are not ready for that discussion, as globalization is still taking its baby steps.

Also, do not mix up the artifact that proves identity, the credentials used in authentication, or the authentication token with the authentication method or the authentication provider. These are difficult terms, and they are quite often interchanged in discussion while all of them refer to different things.

Governments are slow in their moves, and authentication methods evolve rapidly. Government-issued authentication methods get deprecated before they are widely adopted. FTN is a brilliant real-world case study showing that the government should only offer the environment and the schematics of authentication, and the actual implementation should be left for the market to decide. Efficient services will prevail. Inefficient or difficult implementations will fade.

How can I profit from this change

As was supposed to be the premise of this article, strong customer authentication is easy. It is easy at least if your clients are citizens of the Nordic countries. Where applicable, don’t hesitate to start using FTN as your strong customer authentication method, preferably sooner rather than later.

Strong customer authentication can lower your risk of data leaks by making sure only the actual authorized users have access to the data. You no longer need to trust partner organizations’ identity management processes; instead you get the actual identity of the user. As well, the risk of abuse and fraud decreases as the real identities of users are confirmed.

You should provide your users with authentication methods that they know and are comfortable with. FTN is that. Ease of access and familiarity drive the growth of your business, whereas impractical and difficult processes drive your customers elsewhere. These days, don’t make the mistake of provisioning a new identity and new credentials for your users. Use federated authentication wherever possible. You can see FTN as a specific corner case of federated authentication.

Joining FTN is easy. There are multiple identity broker services available in Finland that provide their services with transaction-based pricing. There is no need for big initial investments or initial fees. Yes, you need to invest in the integration, but don’t see that as an issue. Instead, turn to a skilled specialist who can show you how easy the integration can be.

We have done a proof-of-concept demonstration of a basic case of FTN integration with open source tools. Just let us know and we can arrange a demonstration for you.

Strong customer authentication is too expensive

The claim that strong customer authentication is expensive is only partly true. In a busy service, transaction-based authentication fees may add up to a rapid flow of expenses. You need to consider whether you really need to confirm the identity of the user on each authentication event. Could it be done only periodically, while resorting to basic authentication methods in between?
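As an added illustration of the periodic approach (example code written for this article, not WeAre’s proof of concept), assuming the service stores the UTC time of each user’s last strong authentication, the policy below routes a login to the transaction-priced broker only when that confirmation is older than a chosen limit, and counts how many billable events a constructed login log would produce compared to strong authentication on every login:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class ReauthPolicy:
    """Decides whether a login must go through the (transaction-priced) strong
    authentication broker or can use the service's own basic login."""
    max_age_days: int
    last_strong: dict = field(default_factory=dict)  # user -> UTC time of last strong auth
    strong_events: int = 0                           # billable broker transactions

    def needs_strong_auth(self, user: str, now: datetime) -> bool:
        last = self.last_strong.get(user)
        if last is None:          # first login: identity never confirmed yet
            return True
        if last > now:            # record from the future: clock skew, fail closed
            return True
        return now - last >= timedelta(days=self.max_age_days)

    def login(self, user: str, now: datetime) -> str:
        if self.needs_strong_auth(user, now):
            # A real service would redirect to the FTN broker here and record
            # the timestamp only after the broker returns a successful assertion.
            self.strong_events += 1
            self.last_strong[user] = now
            return "strong"
        return "basic"


def run_policy(logins, max_age_days):
    """Apply the policy to a login log; return the per-login decisions, the
    number of strong (billable) events and the total number of logins."""
    policy = ReauthPolicy(max_age_days)
    decisions = [policy.login(user, ts) for user, ts in logins]
    return decisions, policy.strong_events, len(logins)


# Constructed sample log (not real data): three users over two weeks.
T0 = datetime(2020, 6, 1, 8, 0, tzinfo=timezone.utc)
SAMPLE_LOGINS = (
    [("alice", T0 + timedelta(days=d)) for d in (0, 1, 2, 3, 7, 8, 14)]
    + [("bob", T0 + timedelta(days=d, hours=3)) for d in (0, 0, 5, 6, 13)]
    + [("carol", T0 + timedelta(days=3)), ("carol", T0 + timedelta(days=1))]  # out of order
)

if __name__ == "__main__":
    decisions, strong, total = run_policy(SAMPLE_LOGINS, max_age_days=7)
    print(f"{strong} strong authentications instead of {total}")
```

With a seven-day limit the sample log triggers 7 broker transactions instead of 14; carol’s out-of-order record shows the fail-closed branch, where a stored timestamp newer than the current login forces a fresh strong authentication.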

We have great plans for improving authentication schemes. Let us know if you are interested in participating in the evolution of authentication.

Do I need strong customer authentication

This is a question you should consider even before starting to do anything. The world is rich in new, inexpensive authentication methods that don’t even require passwords. WeAre can help you with these as well. Most of all, you should start by investigating what your actual needs are and try to find the best match to solve your problem.

Honorable mention

This article would not be complete if I failed to mention a new prospect for a generally accepted authentication method. We have a community in Finland called SisuID that is building a new, secure and free digital identity for every citizen, even those who don’t permanently live in Finland or have Finnish citizenship.

There are suggestions that SisuID would start to provide strong identity and authentication, but they are not there currently. However, the progress of SisuID is something that anyone with an interest in authentication and identities should monitor closely.

Author

Kari Laalo is a skilled CIAM specialist experienced in budget-funded government agencies in both the national security and the humanistic sector, with the latest experience in financial services. In addition to IAM & AAI, he has experience in telecommunications and networking in critical environments. Kari has built his know-how through a passionate interest in computing since an early age.

WeAre Solutions is dedicated to helping you build and further develop your digital business.