Finland is one of the leading countries in digitization, where citizens and residents rely heavily on online services for everything from banking to healthcare. Citizens can choose from various options, such as 9 different Bank IDs (depending on where you have a bank account), state-issued identity cards, which can be used via a card reader and computer or with NFC-enabled phones, and Mobiilivarmenne (a mobile PKI solution on SIM or eSIM). Each authentication method is made available to the public after Traficom’s scrutiny and validation.
2024 has been a big year for Mobiilivarmenne. Its use was endorsed by various actors, such as Suomen Pankki (Bank of Finland), Suomen Poliisi (Finnish Police), Traficom, FiCom, mobile operators and various cybersecurity experts. This article is arranged into quotes about Mobiilivarmenne by Finnish authorities and similar services deployed by Methics across the world.
Note: Links are at the end of the article.
1. Suomen Pankki
Due to increasing attacks on banks in Finland, Suomen Pankki (Bank of Finland) recommended that users should have Mobiilivarmenne. [1]
It was reported [2] that Päivi Heikkinen said, “Bank authentication should only be used for banking, and all other services should be handled separately with mobiilivarmenne.”
In addition to payment, bank IDs are also used as a means of strong identification in many services that require reliable identification. Users can use other strong identification tools for identification, such as a Mobiilivarmenne (Finnish PKI Mobile ID) or ID card provided by DVV. [3]
2. Suomen Poliisi
The Finnish Police have urged users to take special care when using bank codes. They also recommend avoiding sites that do not offer Mobiilivarmenne as an option to authenticate yourself, meaning Mobiilivarmenne is the safest way to log in. Be critical of sites that don’t offer a mobile certificate as a sign-in option [4].
However, Traficom pointed out that some scammers have added a Mobiilivarmenne icon to their landing page, but nothing happens when you click on it. If nothing happens, it is almost certainly a scam page [6].
Police also said Mobiilivarmenne is safe, because then you don’t need bank credentials to identify or log in to different platforms, which means the risk of bank credentials falling into the wrong hands is reduced [5].
3. Traficom
All services listed on the Finnish Trust Network are scrutinized by Traficom in terms of security, and as a regulator it is in a tough position to prefer one service over another. Traficom director Petteri Ihalainen mentioned, “In terms of our own security of service, it would be good to have another strong electronic identification tool available, the most reasonable option is to obtain a mobile certificate offered by telecom operators.” [5]
4. Mobile Network Operators (Telia, DNA, Elisa)
All mobile network operators in Finland have reported an increase in their end-users using the Mobiilivarmenne service. Telia mentioned an increase of 30% during Fall and over 50% in later part of 2024. Elisa mentioned Mobiilivarmenne users increased by over 10%. Similarly, DNA mentioned an increase of over 45% in their Mobiilivarmenne users. [7] Relevant personnel in one operator said: “Everyone should have two methods of identification at their disposal. If, for example, the bank credentials don’t work for one reason or another, another identification method would be available.”
5. Other experts
Jani Eloranta from Nordea said “it is still justified to reserve bank credentials for online banking and transact with a mobile certificate in third-party services” [8].
Using Mobiilivarmenne as an authentication method protects against phishing, which is used to steal bank credentials. Criminals can set up websites that look like bank websites. When a customer logs into them, they can lose their Bank ID credentials to fraudsters. With Mobiilivarmenne, criminals phishing for a mobile certificate end up with, at most, only a phone number. Beurling-Pomoell, who is Secretary General of the Consumers' Association, estimates that this is also very rare, because scammers’ websites usually don’t ask for a mobile certificate. [9]
Similarly, in [12] DVV’s DG and Kela’s director stated in their article, “A user’s Mobiilivarmenne credentials are not as interesting to criminals as a bank ID. The Mobiilivarmenne service can also be interfered with, but it offers an alternative to bank credentials.”
FiCom states “Mobiilivarmenne is a service jointly developed and maintained by Finnish mobile phone operators. The identification of the Mobiilivarmenne is based on a 256-bit EEC encryption key and it uses two-step identification: a password alone is not enough, a physical device, your own phone, is also required to confirm the login.” [10].
Methics CEO Jarmo Miettinen pointed out that comparing the security of Bank IDs and Mobiilivarmenne is like comparing apples and oranges. Like keys on a keyring in your pocket, each is needed for a different purpose, and you can use them as long as they are in your possession. However, to misuse Mobiilivarmenne, an attacker would require two items: possession of the user’s SIM card and the user’s PIN.
Conclusion
An option like Mobiilivarmenne significantly reduces the risk of unauthorized access, even if a user inadvertently enters their credentials on a phishing site, because with SIM/eSIM-based Mobile ID the only credential a user can enter publicly is their phone number. Next, the request is sent by the user’s SIM/eSIM with its unique IMSI, which cannot be replaced by scammers.
The SIM/eSIM receives the request because it stores a small application, commonly known as an applet. Mobiilivarmenne-enabled SIM/eSIM cards in Finland contain an applet similar to Alauda P38, which allows on-board key generation, lets the user’s phone show the prompt, asks for PIN input and sends it securely over the network.
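The model described above (a key generated and kept on the SIM, used for signing only after PIN entry, with the phone number as the only value typed into a website) can be sketched in Node.js. This is an added example, not Mobiilivarmenne, Alauda or Methics code: `SimApplet`, `verifyLogin`, the three-try PIN limit, the challenge-signing flow, the PIN and the phone number are assumptions made for illustration, with P-256 standing in for the 256-bit key mentioned earlier.

```javascript
// Added illustration; not Mobiilivarmenne, Alauda or Methics code.
// SimApplet, verifyLogin, the PIN and the phone number are hypothetical/constructed.
const crypto = require('crypto');

class SimApplet {
  #privateKey; #pin; #triesLeft = 3; // key and PIN stay on the "card"; 3 tries is an assumption

  constructor(pin) {
    // On-board key generation: the 256-bit EC private key is created inside the applet.
    const pair = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.#privateKey = pair.privateKey;
    this.#pin = pin;
    this.publicKey = pair.publicKey; // only the public half is exported
  }

  // A signature request reaches the SIM; the user types the PIN on the phone itself.
  sign(challenge, enteredPin) {
    if (this.#triesLeft === 0) throw new Error('PIN blocked');
    if (enteredPin !== this.#pin) { this.#triesLeft -= 1; return null; }
    this.#triesLeft = 3;
    return crypto.sign('sha256', challenge, this.#privateKey);
  }
}

// Service side: accept a login only if the challenge was signed by the registered key.
function verifyLogin(registeredPublicKey, challenge, signature) {
  if (!Buffer.isBuffer(signature)) return false;
  return crypto.verify('sha256', challenge, registeredPublicKey, signature);
}

function demo() {
  const phoneNumber = '+358000000000'; // constructed; the only value typed into a web page
  const sim = new SimApplet('4821');   // constructed PIN
  const challenge = crypto.randomBytes(32); // assumption: fresh random challenge per login

  const genuine = verifyLogin(sim.publicKey, challenge, sim.sign(challenge, '4821'));
  const wrongPin = verifyLogin(sim.publicKey, challenge, sim.sign(challenge, '0000'));
  // Knowing the phone number gives no access to the SIM key; another key fails verification.
  const other = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const withoutSim = verifyLogin(sim.publicKey, challenge,
    crypto.sign('sha256', challenge, other.privateKey));
  return { phoneNumber, genuine, wrongPin, withoutSim };
}

console.log(demo());
```

Only the case with both the SIM-held key and the correct PIN verifies; the phone number alone, or the SIM with a wrong PIN, does not.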
As a global leader of Mobile ID services, Methics products are delivering tech for strong authentication not just in Finland but many countries across EMEA and APAC regions. Methics products are mature and used by over 6 million end-users. We support digital identity over a wide variety of authentication mechanisms and security assertions. Feel free to get in touch with us if you want to discuss the presented Mobile ID model, or use of mobile ID in eIDAS, eIDAS 2 and Digital Identity Wallets.
Publish Date: 09th December 2024
Written and Edited by: Ammar Bukhari & Eemeli Miettinen
References:
[1] News article from 15.11.2024: https://www.lansivayla.fi/paikalliset/8062786
[2] News article from 14.10.2024: https://www.iltalehti.fi/digiuutiset/a/9d936cc9-08a3-4ad8-89f5-269d3a4552c5
[3] Suomen Pankki statement from 14.10.2024: https://www.suomenpankki.fi/fi/ajankohtaista/lehdistotiedotteet-ja-uutiset/uutiset/2024/maksamisen-varautuminen-hairiotilanteissa/?gsid=72f799f4-9833-4493-ac9e-218329b991b1
[4] Police press release from 13.09.2024: https://poliisi.fi/-/poliisi-varoittaa-aktiivisesta-huijausviestikampanjasta
[5] News article from 06.04.2024: https://www.is.fi/digitoday/tietoturva/art-2000010340453.html
[6] Police press release from 16.05.2024: https://poliisi.fi/-/erilaiset-huijaukset-jatkuvat-edelleen-pida-huolta-digitaidoistasi
[7] https://mobiili.fi/2024/11/18/telia-mobiilivarmenteen-kayttajamaara-kasvanut-yli-50-prosenttia-tana-vuonna/
[8] News article from 04.12.2024: https://www.is.fi/digitoday/tietoturva/art-2000010878557.html
[9] News article from 19.10.2024: https://www.is.fi/taloussanomat/art-2000010770786.html
[10] FiCom statement from 28.10.2024: https://ficom.fi/ajankohtaista/uutiset/turvallista-verkkoasiointia-mobiilivarmenteella/
[11] Pekka Rehn, Nina Nissilä, Helsingin Sanomat article: https://www.hs.fi/mielipide/art-2000010796942.html