Security: After Estonia's ID-card train wreck this identity app is taking Baltics by storm

Putting 2017's ID-card security crisis behind it, Estonia has come up with Smart-ID.
Written by Kalev Aasmae, Contributor

A year ago Estonia was embroiled in its ID card crisis. The hardware behind the ID cards that serve as a cornerstone of the Baltic country's e-state was found to be vulnerable to attack.

That vulnerability could theoretically have led to the theft of Estonian citizens' and e-residents' identities, something which fortunately didn't happen, according to the government.

However, the crisis left tens of thousands of citizens, who at that time were temporarily cut off from various e-services, looking for alternative ways to regain access.

So it doesn't really surprise Kalev Pihl, CEO of Estonia's certification authority Certification Center (SK), that the number of users of its new Smart-ID authentication app has grown sixfold in a very short period.

"People who were looking for alternatives to the ID card found that Smart-ID was a quick and easy solution to implement. It really showed us that we had created a flexible service that the market needed," he tells ZDNet.

App-based Smart-ID was introduced in Estonia in 2017 as an alternative to the traditional authentication services, ID card and Mobile-ID, which unlike Smart-ID need a smartcard or a SIM card to operate.


To use Smart-ID, one has to download the app from Google Play or Apple AppStore to one's smartphone or tablet.

The user is then registered via ID card or Mobile-ID. To use Smart-ID, the user has to create PIN1 and PIN2. They can generate the PINs automatically or choose the PINs themselves.

When the PIN is entered, a private key is created in two independent parts, so that the user and the service provider's secure cloud each own something unique.

The whole operation only starts to work when the PIN is entered, but the PIN itself doesn't exist in any form in any information system. This means that even if the app or the server is hacked, the intruder can't get access to the user's PIN codes, as the app and the server each contain only one part of the private key.
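A generic sketch of the two-part key idea described above, added here as an illustration; it is not Smart-ID's actual protocol or SK's code. It assumes an additive split of a textbook RSA exponent (no padding) over constructed toy primes, and all function names are hypothetical.

```python
import hashlib
import secrets

# Constructed toy parameters (two Mersenne primes); not secure key sizes.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # full private exponent; only used to derive the shares

def split_exponent(d, phi):
    """Split d into two random-looking shares with d1 + d2 = d (mod phi)."""
    device_share = secrets.randbelow(phi - 1) + 1
    server_share = (d - device_share) % phi
    return device_share, server_share

def digest_int(message):
    """Hash the message to an integer below N (textbook RSA, assumption)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def partial_sign(message, share):
    """Each party exponentiates the digest with its own share only."""
    return pow(digest_int(message), share, N)

def combine(part_a, part_b):
    """h^d1 * h^d2 = h^(d1 + d2) = h^d (mod N)."""
    return (part_a * part_b) % N

def verify(message, signature):
    """Standard RSA check against the public key (N, E)."""
    return pow(signature, E, N) == digest_int(message)

def demo():
    device_share, server_share = split_exponent(D, PHI)
    msg = b"constructed sample: login challenge 4711"
    from_device = partial_sign(msg, device_share)
    from_server = partial_sign(msg, server_share)
    return {
        "combined": verify(msg, combine(from_device, from_server)),
        "device_only": verify(msg, from_device),
        "server_only": verify(msg, from_server),
    }
```

Only the combination of both partial results verifies under the public key; what a single compromised party can produce on its own is rejected.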

Less than two years after its launch, Smart-ID already has over 1.2 million users in Estonia, Latvia, and Lithuania, who can access over 100 e-services. In August alone, 17 million transactions were done using Smart-ID authentication in the Baltics.

"In all three countries, it's mostly used for financial services, which is logical because this product was created because of the EU payment service directive, which forces the financial sector to implement new authentication services," explains Pihl.

However, he admits that although user growth in the Baltics has been great, the company's goals are even more ambitious.

"To be honest, we expected these results. We really believed that we created a service that the market needed and our prognosis was even a bit more optimistic," he says.

"There've been so many different parties who have helped us design this service, and today Smart-ID is certainly a better product than it was 1.5 years ago when we launched it.

"We've managed to keep it free for the end user, which is what motivates us to work on adding new services and forces us to adapt to the changing environment where nothing is complete, as tomorrow will bring new and even harsher competition."

Right now, the signatures given through Smart-ID are valid and legally binding at AdES/QC level and are PSD2 compliant. SK estimates that the service will receive the highest level, QES (Qualified Electronic Signature), within a few months.

"According to our own plans, we should comply with all the necessary requirements by the end of this year. The service is ready, we're not changing anything big. We're just waiting for the results of the quality control," he says.

"This would certainly increase the value of the product in our existing markets and it would certainly be a good reason to start entering new markets even faster."


The company has plans to focus on other EU member states once it has met the highest security requirements.

"Although there are numerous other authentication solutions in the EU, and we're not alone in the market, we do believe that our technical solution is unique enough to receive attention," he says.

"So far our competitors have not been eager to cross borders with their services. We've been pioneers in that field and we are planning to maintain that position."

In Estonia, citizens can e-vote at the parliamentary and municipal elections using the ID-card with the smartcard reader, which is connected to the USB-slots of their computers.

Although SIM-card based Mobile-ID has been around in Estonia for several years now, it is not yet possible to vote using only the smartphone. When asked if the Smart-ID could be a game-changer in that field, Pihl is hopeful but refrains from giving any promises.

"The elections can't be our separate goal, but it would certainly be a great sign of trust for any service," he says.

"We just want to create a situation where making a decision [whether to use it for voting] wouldn't meet any obstacles from our side."
