Is online authentication going south? Saying farewell to Tupas credentials will not be simple
The Tupas authentication method based on online banking code cards will be history in just a few months’ time. But no one is quite sure what the optimal replacement would be.
From the beginning of next year, it will no longer be possible to log into government e-services with Tupas credentials.
The login code apps offered by Nordea and OP will still be accepted for strong authentication in the future, but the situation of other banks is not clear. If an agreement cannot be reached, the customers of other banks will no longer be able to use their online banking credentials to log into government services after the turn of the year.
“It’s going to be difficult to implement the transition from Tupas to another method, atleast without putting the banks in an unequal position”, says Qvik’s CEO Lari Tuominen. “The authentication business will be a clear-cut competitive advantage for Nordea and Osuuspankki if the login codes of other banks will not be accepted for logging into public services any more.”
To date, strong authentication in Finland has been synonymous with Tupas: every service requiring strong authentication offers Tupas as an option, and the majority of users log in with banking codes.
Change based on EU regulations
The criteria for electronic authentication are being harmonized because of EU regulations. The new requirements specify that no phase of a strong authentication method may be easy to copy. A disposable code card can be copied easily, so it now seems that Tupas will be shut down completely in September 2019.
“The change of online authentication methods is a complex issue, since it is governed by two separate sets of legislation, both aiming to make authentication safer. eIDAS focuses on the confirmation of identities, while RTS is for specifying the technical standards of payment transactions”, Tuominen says.
“The regulations are mostly aligned, but in the field of online banking codes, there are still some major, unresolved conflicts.”
Mobile ID increasing its popularity in Europe – strong option for Finland too?
In addition to online banking codes, Finland accepts the mobile ID and electronic identity cards for strong authentication. The spread of electronic identity cards is not very likely, as they require the user to obtain both the card and a seperate card reader.
A mobile ID, on the other hand, can be used with any phone with a Telia, Elisa or DNA subscription. If all banks cannot be brought into the fold for strong authentication game, mobile ID use will probably become a lot more common.
“Mobile ID use is already common elsewhere in Europe. From the perspective of data security, it could be a better choice, since the ID is transmitted via a separate channel and is thus isolated from actual service use”, Tuominen says.
This arrangement would probably leave a part of the population behind, since not every citizen owns an electronic identity card and reader or is a customer of Nordea, Osuuspankki, Telia, Elisa or DNA.
How about a solution modeled on Finland’s neighbors?
In Estonia, the strong authentication of citizens has been handled by the government for almost two decades now. Citizens are issued an electronic identity card by the government for logging into public online services. In Sweden, on the other hand, the leading strong authentication method is BankID offered by the country’s largest banks. The first version was launched in 2003, and the current number of active users stands at 7.5 million.
“In the Swedish model, authentication is convenient and easy to integrate with other services as well”, says Jesse Vartiainen, Qvik’s Head of Technology, Sweden. “On the other hand, the strong authentication offered by the state in Estonia is equal for all banks and service providers.”
In Finland, the Population Register Centre’s report on future strong authentication solutions will be finished in January at the earliest. The report mentions a proprietary authentication solution offered by the state as one potential solution.
For Tupas to be seen off properly on this schedule, the decisions on new authentication methods should have been made by now, and development of the new services would have to be under way. The development and deployment of a new authentication option and its introduction to the general populace is a trickier proposition, especially if there are only months to pull it off.
The Population Register Centre says that it will issue an announcement on the progress of negotiations with the banks in October 2018 at the latest.
Illustration: Aija Malmioja