Finnish Mobile ID a Lesson in Interoperability Author: Alix Murphy with Special Thanks To

Finnish Mobile ID A Lesson in Interoperability Author: Alix Murphy With special thanks to:

Pekka Turpeinen, Telia Sonera Janne Jutila, Elisa Perttu Hörkkö, Elisa Lasse Leppänen, DNA

Antti Suokas, If Insurance Esa Kerttula, Proftel Ltd. Jari Kinnunen, HMV Juha Mitrunen, Valimo Kai Koskela, Osuus Bank Ltd. Kimmo Mäkinen, State Treasury of Finland Pekka Jelekäinen, Finnish Population Register Centre Reijo Svento, FiCom Tuomo Pyhala, S-Bank Ltd. Finnish Mobile ID 3 A Lesson in Interoperability

Contents

I Executive Summary 4 Operator Profiles 5 II Finnish Environment 6 A. High usage of online services 6 B. Prevalence of existing Bank ID solutions 6 C. The Finnish Citizen ID card 6 D. Increasing fraud and security breaches 6 E. Consumer demand for mobility 7

III Description of the Mobile ID service 7 A. Vision & principle 7 B. How it works 10 C. Technical solution 11

IV Uptake and Scale 12 A. Adoption by Businesses and Third Party Service Providers 12 B. Challenges to scale 12 C. Consumer Uptake 15

V Economics 16 A. Business model 16 B. Roadmap to commercialisation & sustainability 16 C. Future services enabled by the Mobile ID 17

VI Mobile ID – Key Success Factors 18 A. Interoperability 18 B. Reaching high frequency transactions 18 C. Gaining acceptance of the banks and new mobile payment service providers 18 D. Positive role of government 18 4 Mobile Identity

I Executive Summary

Identity is a core enabler for a wide people)1 having a mobile device, service continues to experience some range of services, especially payments, and on average, each subscriber challenges in reaching scale, mostly banking, government services and having two SIM cards; the three main as a result of the “chicken and egg” effectively all services requiring operators have all launched 4G / LTE problem – subscribers resist taking up strong authentication of the user. As networks and corresponding services. mobile identity services until they are the underlying complexity of digital Approaching 90% of the population is integrated by a broad range of third services grows, and digital fraud already connected to the Internet. party service providers for everyday escalates, identity is increasingly use, and - while many service providers being recognised as key to ensuring The three leading mobile operators have welcomed the advent of mobile secure, validated communications – TeliaSonera, DNA and Elisa, have identity services – some continue and transactions across a wide range launched Mobile ID (“Mobiilivarmenne” to resist integration until a large of sectors. At the same time, users in Finnish), an identity service offered percentage of operators’ customers around the world are demanding faster a shared, common platform for the have adopted the service. In particular, access to services via mobile, making authentication of users to third party banks have been slow to adopt the new the mobile medium an indispensable service providers, irrespective of operator-driven Mobile ID solution due channel for providing secure and the network operator to which to a number of reasons. convenient access to services across they subscribe. many verticals. Nonetheless, Finland offers a Uniquely, the three operators have compelling glimpse of the future: Finland is a market in which mobile formed a “circle of trust” – an mobile identity services are not only operators understood the importance agreement under which the operators mature in their own right, but also offer of identity comparatively early, and accept digital identities created by consumers access to a compelling and have worked collaboratively in order each other, and allow those identities growing range of services. to offer a mobile identity service to effectively “roam” on their network that allows the user to strongly and make use of agreements that each This case study explores the authenticate themselves across a broad individual operator has with third challenges that mobile operators have variety of services. party service providers. faced in deploying mobile identity management services in the Finnish Finland is an advanced market: In spite of substantial government market, and details the innovative mobile penetration is amongst the support and a commercially appealing approaches that the three operators highest in the world, with over 90% service for both consumers and took to overcome them. of the population (of 5.4 million service providers, the mobile identity

1 Population Register Centre. 31 August 2012 Finnish Mobile ID 5 A Lesson in Interoperability

Operator Profiles

TeliaSonera

TeliaSonera is Europe’s fifth-largest operator, with subsidiary operators located in 16 countries across the continent and beyond, including Denmark, Norway, Russia, Spain, Sweden, Turkey, and Georgia.

Founded in the 1853, TeliaSonera is a pioneer of the telecom industry and is proud to be one of the early inventors of mobile communications and founders of GSM. In May 2011, TeliaSonera united the company under one common symbol and identity representing a total of 180 million total subscriptions (Q3, 2012).

“International strength combined with local excellence is what makes us truly unique - and provides a world class customer experience, all the way from the Nordic countries to Nepal. This combination has brought groundbreaking 4G, a world class fibre network, and introduced 3G at Mount Everest.”

Elisa

Elisa is Finland’s largest telecommunications and ICT service company, serving approximately 2.2 million consumers, companies and public administration organisations across the country. Elisa prides itself on being the market leader in mobile subscriptions, while offering a comprehensive 3G and 4G network in Finland. The company also offers international services in partnership with Vodafone and Telenor.

With a vision statement that clearly defines the company’s goal to extend its ICT services into a broader range of day-to-day consumer and business transactions, such as digital TV and broadband, home security, and enterprise conferencing services, Elisa aims to position itself as “More than a network and the brand of excellence”.

DNA

DNA Ltd is a Finnish telecommunications company providing high-quality, state-of-the-art voice, data, and television services to private customers and corporations. DNA’s 3G network covering now five million Finns is continuing to expand, and 4G networks are actively (continuously) being introduced to new population centres (areas). In 2012, DNA recorded a turnover of EUR 769 million and an operating profit of EUR 56 million. DNA has more than three million mobile and fixed-line network customers. DNA and WELHO are registered trademarks of DNA Oy. For more information, please visit www.dna.fi. 6 Mobile Identity

II Finnish Environment

A. High usage of online services: B. Prevalence of existing Bank ID solutions: C. The Finnish Citizen ID card:

Finland has one of the highest internet The Finnish Bank ID (or “TUPAS” as it The third method of online identity penetration rates in the world, with is called in Finland) is a strong customer verification and authentication used around 88% of the population having authentication process administered in Finland is the National Citizen access to online services via mobile, by all banks in Finland, which uses a ID card. However, despite being the fixed broadband, or both. Accordingly, combination of a PIN code and a One- first national eID card in the world, having an online presence is considered Time Password (OTP) from a paper list few people in Finland have a card or a necessity by most Finnish businesses, which must be carried by the user at use it beyond its function as a travel as online shopping, e-banking and all times. Launched by the first banks document (the card is primarily used other online services are the norm for 20 years ago, the Bank ID solution was as an alternative to the passport for Finnish consumers. Remarkably, well perceived to provide satisfactory levels traveling within the EU). The Finnish over 60% of Finnish adults, aged of security for online transactions and eID card costs around €50 and is valid 30-45, regularly buy goods and was swiftly taken up by third party for 5 years. Authentication methods services online.2 service providers for authentication to using the card have been adopted by their own services. There are currently fewer than 10 government services Many online services require some around 3 million Bank ID subscribers and very few private online service form of authentication of the user’s in Finland, and Bank IDs can be used providers – primarily due to the high identity, whether for login access or for across a broad range of services and up-front costs associated with rolling secure payment or other authorisations. segments (not just banking), including out card readers at each office and point While simple username and password e-commerce and government services. of sale. login combinations are still widely used by service providers, those requiring Nevertheless, despite the high penetration Ultimately, the National Citizen ID card higher levels of security need to have of Bank IDs, the solution is coming does not meet the needs of consumers a strong authentication solution that under increased scrutiny as consumer wishing to access services remotely can efficiently authenticate the identity demand for mobility grows and as – either online or over their mobile data of customers, while maintaining stories of fraud and security breaches phone - as it requires the person to be ease of use. come increasingly into the public eye. present at the point of sale. According to the Finnish Population Register What is “strong authentication”? Centre, which is the state Certificate Authority responsible for the Citizen The term “strong authentication” or “multi-factor authentication” typically refers ID certificates, a total of only 400,000 to a process of authentication which uses two or more different forms of identity eID certificates were in circulation by verification. In strong electronic identification, the identification device and its user end-2012. can ultimately be connected to the person’s true identity. Most commonly, multi- factor authentication will include a combination of the following factors, or “proofs”: D. Increasing fraud and security breaches: There is a growing perception that the ■ something known, like a password, one-time-password system used by ■ something possessed, like your ATM card, and the banks is vulnerable to fraud and ■ something unique about an individual’s appearance or person, like a fingerprint. theft. Incidences of hacking, spam and phishing attacks are growing at Using strong authentication provides more protection for sensitive information a substantial rate, while criminals are than a simple username and password can provide. When offered by an entity becoming more sophisticated in their which is trusted to have gone through a strong registration process with the methods. The paper and plastic cards consumer (i.e. an operator which has registered the customer in person using containing the One-Time-Password their legally issued identity credentials, such as a passport), strong authentication codes (which must be carried around provides the authenticating party (typically a service provider wanting to by users) are increasingly seen as an authenticate the identity of a customer) with the assurance that the individual is antiquated method which is neither “known” and eligible to use the service. sufficiently secure nor user-friendly.

Strong authentication is increasingly being recognised as a necessary security As the value and attendant risk of measure to ensure protection of sensitive consumer information, especially when online activities grows, with conducting financial and other high-value transactions online. The European consumers executing higher value Central Bank recently published an document outlining a plan to require “strong transactions on the internet, service authentication” on all web-based payment transactions by 2016. This potentially providers became increasingly keen to means that existing username-password –solutions would no longer be allowed find new, more sophisticated means of as verification methods for transactions due to the inherent weakness in security creating and deploying digital identities in simple username-password methods. for consumers.

2 TNS Gallup, March 2012 3 Finnish Ministry of the Environment – National Telecommuting Day 2012 Finnish Mobile ID 7 A Lesson in Interoperability

E. Consumer demand for mobility: Add to this the fact that Finland enjoys of government and public services near 100% mobile coverage throughout authorities, mobile operators and the Finland’s SIM card penetration rose the country (despite being both the Finnish Federation for Communications above 100% in Q4 2005, and smartphone eighth largest country in Europe and Teleinformatics (FiCom), came penetration continued to increase and the most sparsely populated together to develop the terms for such rapidly (today it is already above 46%). country in the European Union) and a new authentication and authorization These trends have implied a greater the opportunity for a mobile identity service, in order to better serve the demand for a broad array of consumer service seems clear. diverse needs of businesses and and public services to be available via provide secure authentication for mobile. Working from home is also These factors demonstrate the need for eGovernment services. The result of relatively common among Finnish a more convenient, all-encompassing these discussions was Mobile ID. employees (over 34% of employees work form of strong authentication in the at least occasionally at home and 14% Finnish market. In the autumn of telecommute), making the demand for 2008, a Finnish consortium made up mobility even more material.3

Consumer demand for Mobile ID in Finland is very high:

According to an online poll undertaken by Elisa in November 2011:

■ 53% of those polled wanted to access public services using a strong mobile authentication service, for services such as document signing and even requesting medical test results. ■ 61% wanted to use mobile for transaction approvals and order confirmations for online shopping and banking. ■ 43% wanted to be able to verify personal information via mobile for expert and professional services.

For more information, please refer to the following sources:

■ http://www.mobiilivarmenne.fi/en/faq/ ■ http://valimo.com/products/government

III Description of the Mobile ID service

A. Vision & principle: Launched as an interoperable solution “The Finnish Bank ID revolutionised online by the three main Finnish mobile services by enabling secure e-business network operators, Elisa, TeliaSonera portals. It is now time for the next step in and DNA, the logic of Mobile ID is the evolution”. (Elisa) simple: a service provider wishing to authenticate and verify their users can “Mobile ID is a convenient, cost effective display the operators’ common Mobile and secure enabler for totally new mobile ID portal on their webpage, allowing services”. (TeliaSonera) Seen by its proponents as the “solution any Mobile ID subscriber to authenticate of the future” for identification, themselves using their own GSM signatures and payment approval, number and by simply keying in their the Mobile ID platform is a secure user PIN after being prompted to do so identity verification tool which allows by a flash-SMS message. With the trust customers of third party service framework, mentioned earlier, allowing providers to login and access their for signature “roaming” between the accounts in one seamless process. operators, the user experience is the Utilising the secure environment of same regardless of which operator they the SIM and mobile SMS channel for use. In addition to web-based services, credential storage and transmission, Mobile ID also works in a variety of Mobile ID can be used in a wide range different channels, including voice, of everyday transactions. mobile data and video conferencing. 8 Mobile Identity

In March 2010, as Elisa, TeliaSonera and The SIM-based mobile PKI system Furthermore, studies prove that DNA came together to negotiate the underpinning the Mobile ID service consumers notice losing their phone faster trust network agreement and develop an offers a strong security proposition for than losing other important possessions interoperable platform for Mobile ID, the all parties. All security-related operations like their wallet. When a consumer mobile operators defined and remained are encrypted within the SIM-card, and reports their lost phone to their operator, faithful to four basic principles, by which all resulting messages are encrypted Mobile ID ceases functioning in real-time, Mobile ID would be differentiated from SMS-messages, while the GSM-number whereas it can take anywhere up to a all previous and existing solutions: acts as the trigger for the Mobile ID week or more to cancel all one’s cards in a transaction. The combination of two- stolen wallet. i. Ease and flexibility of use – By factor authentication over two separate focusing on the principle that the communication channels (IP and GSM) iii. Legal framework – Two new changes consumer drives demand, user makes tampering or corrupting the to Finnish legislation governing friendliness was of utmost importance transaction inherently more difficult than identification and electronic certificate to the design and deployment of in most other solutions. frameworks were instrumental in Mobile ID. With a single user PIN enabling the Mobile ID service to be to remember and no paper cards to Mobile ID also uses spam prevention codes launched: carry, no extra hardware or software and event (transaction) IDs in order to is required. Mobile ID works on protect the user from being disturbed by a. Act on Strong Identification & 99% of mobile phones (both feature unwanted spam requests – a growing Electronic Signature (effective from and smartphones) and can be used concern in Finland. With the event ID, 1.9.2009): anywhere with a mobile signal, the user is able to know when accepting a i. Under earlier legislation, the even from abroad as SMS roams signature request exactly which event the registration and issuance of strong internationally. signature request is related. identification could only be performed Aside from mobility, the service also by the Finnish Police authority. The The European cross-border authentication needed to be easy to acquire and the change made it possible for private framework for electronic identification registration process made as seamless sector businesses with the relevant (STORK) has developed a 4-stage as possible. PKI-ready SIMs were level of security and authorisation classification for the security in already widely in use in the Finnish to also act as issuers of strong authentication tools. According to market: to activate the SIM for the identification tokens and services. this system, Finland’s legacy Bank ID Mobile ID service the user can either ii. The act clarified that an electronic framework meets the requirements of visit an operator store (a process which signature, if performed with an Level 2, whereas Mobile ID is considered takes just a few minutes) or use an authorized strong identification to meet the security requirements of Level online portal. Another added benefit method, was to be considered legally 3 due to the inherent security of the SIM- to the Mobile ID is its operability on equivalent to a “wet signature.” based PKI-system. all channels, including SMS, voice-call, iii. The law allowed for the issuing of face-to-face service channels. Additional security comes from the new eID credentials based on other ii. Security – The Mobile ID needed to user-experience: Mobile ID is inherently previous strong eID credentials. This be at least as secure as, if not more intuitive to use for the consumer, as made it possible to issue Mobile ID secure than, all existing authentication inputting PIN-numbers into a phone is over the internet to customers already solutions. already an established routine. in possession of a Bank ID, provided that the parties can agree on pricing Payment authorisation demo slide (by permission of Elisa) and sharing of risk.

b. Population Information Act 2009 (effective from 1.3.2010): i. The Finnish Population Register Centre (VRK), which holds national population data for the country and is the only state Certificate Authority IMAGE REQUIRED in Finland, was originally the only entity with the power to issue the ”Finnish Unique Identifier” (SATU) to an individual. Due to the change, all authorised strong ID providers, including mobile operators, could issue eID credentials with the “Finnish Unique Identifier.” This enabled registration for the Mobile ID to take place in the operators’ stores, without Finnish Mobile ID 9 A Lesson in Interoperability

the customer having to go to the established an open four-corner have to establish a single agreement with police department to undertake the business model and allowed for a single operator to be able to access all registration process. the roaming of Mobile ID requests subscribers who make use of the Mobile ii. The legislation also clarified the between operator platforms. The ID service in Finland. In essence, service fact that a person can have only one business model does not suffer from providers are federated across the three identity, but several certificates, such as competitive legislation challenges, operators; the individual operators trust a passport, driving licence, mobile ID as it is highly competitive both one another (a) to undertake the strong certificate, Bank ID, etc. towards service providers and registration process with rigour and consumers. complete compliance, and to carry the iv. Interoperability – The unique legal responsibility for correct registration, feature which differentiates As a result, a subscriber to Elisa, for and (b) they trust each other’s agreements Finland’s Mobile ID from many example, can use Mobile ID to access with third party service providers to be other similar schemes is the service providers that have agreements strategically logical and commercially cooperative framework – or “Circle only with TeliaSonera or DNA. Not only viable (and attractive to subscribers). Each of Trust” – between the three main does this add value for consumers, it operator is responsible for ensuring Finnish operators, Elisa, TeliaSonera provides substantial benefits to third that its customers follow the approved and DNA. This trust agreement party service providers, since they only Mobile ID policies and guidelines.

Mobile ID: an evolved solution “At that point, the registration process was too difficult: Mobile ID is the result of a multi-year project involving because the authorities thought that Mobile ID was similar entities from a wide cross-section of industries in Finland. to your passport or driving license: the law at that time Discussions around the possibilities for supporting the stated that only the police department could issue the strong service began in 2005 and 2006 as the new Government identification. So, customers needed to go to the police came to office with a strong commitment to strengthening station to get a Mobile ID. In the end, the process was too Finland’s e-services ecosystem. Under this platform, the difficult, so it failed.” (Antti Suokas, If Insurance). Information Society Programme Board saw to it that the With the third time, the Mobile Operators believe they have Mobile ID was brought to the top of the agenda. the process right. Better coordination, clarified legislation, “When I first came to the discussions, I was surprised at how new mobile signature service standards, and a greater many ministries and civil servants were interested in this number of service providers interested in the possibilities issue. Not only the Ministries of Justice and Communications that Mobile ID offers have all come together to create an were at the table, but also public service authorities on the environment that is ripe for the success of the Mobile ID. fiscal side – in total, around eight different authorities. Then “From the end-user perspective, the service hasn’t changed I understood what an important advancement this would be much. It’s the same device, the same SIM card, the same SIM for Finnish citizens.” (Reijo Svento, FiCom Director). application toolkit, the same MSS channel. The difference is Mobile ID in its current form is the third generation of registration, and the service provider side of the equation. an evolving service. In 1999, Smartrust, a Sonera owned Now that operators can undertake registration themselves, it’s company, launched a SIM-card based mobile signature become a straightforward and easy process. Also, because of the service for document signing in businesses. The first mobile circle of trust – and the fact that third party service providers certificate in the world was launched by the Population can gain access to all three operators’ subscribers via a single Register Centre that year, in a pilot for use in mobile banking. agreement and a single technical platform, there’s much more Though these early iterations were formative and ground- traction from companies across the Finnish economy, and breaking, they were also a little too early, as appropriate government agencies.” (Esa Kerttula, Prof-Tel Ltd.). infrastructure (such as capable handsets and SIM cards, Another key change that has added to the growing success as well as legislation and regulations) was not sufficiently of the Mobile ID service is pricing. All stakeholders admit widely deployed, and consumers were just beginning to that earlier variants of the service were too expensive – seen understand the possibilities that the Internet represented. from the perspective of consumers and third party service As a consequence, though many technical “firsts” were providers. Today, due to the Circle of Trust agreement which achieved, the services did not achieve mass-market appeal. encourages competition among the operators to sign up “The short answer is that it was too early. There wasn’t the service provider partners, as well as stronger interest from right legislation, no trust circle, no 4-cornered business model online service providers who recognise the key strategic among the providers to make it scalable for reaching the value of the Mobile ID in reaching a larger customer base, mass-market. Finland has always been keen to develop new the pricing offered by the operators is now more accurate. things, especially in the mobile world, so mobile identity was In these early stages, Mobile ID is offered as a free service to considered straightforward. But the market wasn’t ready.” subscribers, while third party service providers are charged (Esa Kerttula, Prof-Tel Ltd.). for the service on a per-transaction bases, with prices stratified based on the frequency, volume and value of the Other smaller pilots have occurred since then, but the second transactions being made. Most importantly, however, the real attempt was in 2005 when operators tried to launch a price offered to third party service is around a third of that Mobile ID similar to the one today. currently being charged by banks for use of their Bank IDs. 10 Mobile Identity

B. How it works:

How Mobile ID works: the consumer journey

When a user needs to authenticate their identity while using an on-line service: ■ The user recognises the Mobilivarmenne (Mobile ID) symbol as the interoperable mobile-based tool they wish to use, and clicks on the icon, which brings them to a login screen. ■ The user types their phone number (which in this example corresponds to Operator A) into the login screen in the online service provider site. The number is transmitted over the IP channel while the response comes back to the user over theGSM channel). ■ The Service Provider has an agreement for the Mobile ID with Mobile Operator B. ■ Mobile Operator B recognizes the user as an Mobile Operator A subscriber and so forwards the authentication request to Mobile Operator A (signature roaming). ■ The user receives the authentication request to their phone and inputs their unique user authentication PIN (4-8 digits). If the PIN code is correct, the SIM application signs the authentication request. ■ The result, now verified, is sent back to Mobile Operator A and the user is granted access to the service. The user’s actions in this strong authentication case (2 factors, 2 channels) comprise of: 1. Input the mobile number (on a PC, for example). 2. Input the PIN (on the mobile device). In the end, all that is required of the user is the physical possession of a phone and PIN-code.

User authentication using signature roaming between Mobile Network Operators

Operator B

Authentication Request: Sign

Operator Signature Certificate Authority Service Provider Platform Digital Signature Subscriber Roaming between mobile operators Operator A

Operator Signature Certificate Authority Sign Authentication Request Platform Finnish Mobile ID 11 A Lesson in Interoperability

C. Technical solution: – Always uses the same user PIN. In addition to these, the ETSI Mobile Signature Service Provider i. The mobile certificate (also referred – Security of 2 channels: activity (MSSP) standard enables signature to as “mobile ID”, “cell phone is over (fixed) Internet channel transmission and authentication ID”, “cell phone certificate”) is an and identification is over across all operators. electronic personal identity certificate mobile network. which the SIM cardholder may use Services based on similar technology iii. The mobile PKI infrastructure used to prove their identity within the are already used in several in the Mobile ID is uniform across context of different electronic services countries, including Turkey (bank the three operators. Productised or electronic signature situations. identification, cash withdrawal from APIs for the service were provided The mobile certificate contains the an ATM), Estonia (citizen certificate by various technology firms (Valimo personal details of the SIM card in extensive use for e-services) and Wireless, Methics Inc. and others). owner and is held in a directory, Norway (BankID). The underlying uniformity of APIs enabled the operators to offer an while with the corresponding private ii. Using a single nationwide standard identical experience for service keys are embedded in the SIM of a for mobile PKI greatly facilitated provider clients and correspondingly, mobile phone. the implementation of Mobile ID. end users. The signing PKI application Key elements of Mobile In Finland, a selection of standards is stored on the SIM card, allowing the ID certificates: established by the international user to receive digital signing requests standards body, ETSI, are applied to – Support both identification and and to produce the signed response the Mobile ID service. These include: signature services. by entering their unique user PIN – Used in all cases where the a. ETSI TS 102 204 for service code. The digital signatures use the individual must prove their provider integration; RSA algorithm with either 1024bit or identity in the electronic world, i.e.: b. ETSI TS 102 207 for the 2048bit key-length. a. banking, public services etc. roaming; and For further information on the (“old” cases) c. ETSI TR 102 203 for business Certificate Policy or the ETSI MSS b. social networks, gambling etc. and functional requirements. standards employed by the Mobile ID (“new” cases) solution, please refer to: http://www. mobiilivarmenne.fi/en/documents/ 12 Mobile Identity

IV Uptake and Scale

A. Adoption by Businesses and Third Party iii. Unlike the proprietary authentication B. Challenges to scale Service Providers: systems used by Bank ID, the Nevertheless, despite the strong value competitive dynamics of Mobile ID proposition to Finnish businesses, some i. The primary value of the Mobile ID mean that the operators compete on challenges remain to obtaining scale to consumer-facing businesses is partnership with service providers, among service providers: the potential of reaching all Finnish thus keeping the pricing for the mobile subscribers with one single, service low and the incentive high i. Two-sided market – Like any new seamless integration process for to develop and deliver innovative service offering, there is a “chicken digital authentication and signing. value-adding eServices within a high- and egg” challenge to be overcome. Historically, any business that security architecture. Users are unwilling to adopt a new wanted to offer electronic or web- iv. The interoperable model provides service when relatively few services based services needing customer an ideal platform for government are appended to it, and, equally, authentication needed to sign an and public services authorities, service providers tend to adopt a agreement with each of Finland’s who recognise the need for a cost- “wait and see” approach – preferring banks independently, in order to effective and user-friendly method to deploy the solution when there is a use the Bank ID scheme. This meant of strong user authentication across critical mass of subscribers. that, as is often the case, businesses their e-services platforms. With 200% ended up having to execute at least 10 Some forward-looking service SIM penetration in Finland, as well separate agreements and integrations providers have recognised the as the fact that the service works on with banks, each with its own fee potential that Mobile ID can bring 99% of phones, Mobile ID offers the structure and certificate scheme. for their future service offerings foundations of a nationwide eServices Some public service authorities and have decided to adopt the ecosystem, with the potential to offering multiple services had to service. These early pioneers include address the majority of the Finnish execute up to 80 separate agreements insurance providers, smaller local population. In 2012, VETUMA (the with different banks. banks and government public service eAuthentication and payment service authorities. As a consequence of its technical used by federal and municipal ii. Resistance from banks – As the uniformity and commercial Finnish government agencies) predominating providers of online simplicity, the Mobile ID service activated Mobile ID for authentication for nearly 20 years, supports the same user-experience all VETUMA clients, meaning that banks in Finland are understandably across all channels, including over 140 public organizations were concerned about the entrance of internet services, mobile, voice and now able to authenticate citizens Mobile ID onto the market. The open- video, meaning that businesses can for access to their service using four corner business model employed ensure full coverage and customer- Mobile ID. reach in their segment or vertical. by the operators is also likely to Service providers need only sign an “For the Finnish Government, Mobile ID increase competition between banks agreement with one operator in order is the most cost effective way to provide an by enabling consumers to shop to offer the service to all participating authentication method to citizens.” electronically between bank offerings. mobile subscribers of the three (Kimmo Mäkinen, Service Manager.” While a number of Finland’s banks operators combined. State Treasury of Finland). foresee the value in employing another trusted entity to undertake ii. The availability of the service on v. The multi-channel capability of the costs associated with the strong multiple channels allows service Mobile ID, including voice and electronic authentication process, providers to work flexibly with video, gives services providers the banks have their own legitimate customers on whatever medium the opportunity to build a wide considerations regarding security and they are using. For example, when array of additional value-adding operability which they believe need a customer calls their customer services in the future. Studies are to be addressed. service number wishing to make currently being conducted on the changes to their agreement, rather The Finnish banks articulate their potential for Mobile ID to be used than providing their address or the concerns in the following manner: by medical professionals for signing last four digits on their social security a. Security – Banks view their Bank prescriptions and securely sending number (typical security questions ID solution as a “gateway” into essential health records during in a voice-based authentication participating banks’ internal specialist referrals. By the beginning procedure), the user subscriber GSM- systems and to the assets held of 2014, all social sector clerks will be number is picked up from the call by their customers. As such, the issued with mobile apps for access and a PIN-verification request is send security of that system is of utmost to records and systems while out of over the SMS channel (the user PIN importance. Banks have therefore the office. Mobile ID is also being is never transmitted). With a correct been understandably keen to considered for use in checking and answer, the operator service certifies rigorously check and recheck the verifying information from different the caller ID during the call. security of the Mobile ID solution, healthcare and social sector registers. to ensure that it is as secure as Finnish Mobile ID 13 A Lesson in Interoperability

their own, trusted solution – and “We’ve worked together for many years transition requires a level of market to further ensure that it provides and our colleagues in the mobile operators penetration among other service additional value (in terms of now understand the high level of risk and providers that has not yet been functionality and usability) for subsequent security that we require. We’ve reached. For those banks on the bank customers. had good relations with the three main verge of accepting the Mobile ID A key dimension of this security operators but our industry background is solution, one factor informing their question is the process of customer different – it does of course take some time to resistance is the notion of “going it registration, as this is the point overcome these differences” alone” without the other banks. at which trust is laid down - (Kai Koskela, SVP of Private Consumer e. Revenue – Each bank has its own between the registering party, Banking at Osuuspankki, the largest pricing structure for charging the authenticating party and the consumer bank in Finland). service providers for the use of customer. For banks and service its Bank ID service. These pricing b. Regional banks – For Finnish providers alike, there is significant structures are based on the costs banks, the Mobile ID proposition financial and reputational to the bank for maintenance of the offers a logical extension or collateral riding on the trust service, the cost of the certificates, “addition” to their Bank ID: the established at this point: and all and the pricing structure charged ability to authenticate customers parties need to be certain that the to consumers (i.e. most banks over the phone is of great value. registration process is applied charge customers on a monthly However, regional banks operating uniformly, rigorously and without subscription basis, but charge in Finland with headquarters based compromise by mobile operators. service providers per transaction). in Sweden and Denmark may Additionally, the majority of have a different set of priorities. Additionally, because some services banks have their own certificate These banks express the need to are high value but low volume, or standards, formats and policies have streamlined solutions across vice versa, the values per transaction internally. Conferring trust onto all markets, making adoption are differentiated depending on the mobile certificates is a lengthy of Mobile ID more challenging. volume used (i.e. from €0.05 and and complex process. Secure These banks also have other Bank €0.10 per transaction for “high- certificates sit at the heart of strong ID solutions in operation in other volume, low value” through to €0.30- authentication processes, and a countries in the Nordic region, 0.40 per transaction for “low-volume, great deal of thought goes into for example. high-value”). In some cases, the the design, storage and use of c. B2B clients – The primary use case difference in volumes can be from certificates for different use cases. for Mobile ID is on the B2C side: thousands to millions of transactions, Accordingly, being prepared to for consumer facing business to depending on the service. As a result, migrate to the use of a third party’s verify their customers securely. those banks which derive substantial certificates (in this case the mobile However, for clients wishing to use revenues from the Bank ID service are operators) requires a great deal the tool in B2B transactions and less willing than others to support of investigation and negotiation verifications, the challenge lies in the Mobile ID service’s entry into – particularly for banks, whose enabling corporate representation the market. online / digital activities tend to using Mobile ID: in this case, the Nonetheless, as this case study have a comparatively high level of customer is a company, not an went to press, a consortium of risk appended to them. individual. While the certification Finnish banks were in discussion In fact, the registration process for process is no more complex for with FiCom and the Finnish mobile Mobile ID customers is exactly a business entity, the challenge operators in order to negotiate a the same as that for Bank ID emerges when multiple users with working agreement on the potential customers, and is administered different roles in a single company use of Mobile ID for online banking by professionals with the same need to use Mobile ID. The process access, amongst other things. training in trust issuance and is further complicated when an compliance as those providing ID individual with access to the Mobile documents in the public sector ID certificate wishes to leave the (e.g. the police department). Under company, or transfer roles. Finnish law, Mobile ID has been These questions are among those deemed to offer an equivalent currently being addressed by the security level to that of the Bank ID. Finnish mobile operators. The Finnish Communications d. Two-sided market – Even for those Regulatory Authority (FICORA) banks wanting to offer the Mobile has the authority to give ID solution for access to their own permission for companies to banking systems, or to integrate issue Mobile IDs, but very the service with their Bank ID closely oversees and on other third party websites, scrutinises their activities. the investment required for this 14 Mobile Identity

A Service Provider’s Point of View: If Insurance “Other initial concerns related to the security of the tool, as well as questions related to the actual process for obtaining a Interview with Antti Suokas Mobile ID. For example, the Mobile ID needs a PKI enabled (Business Developer, If Insurance) SIM, so those people with older SIMs needed to switch over If entered the project for Mobile ID with Elisa almost 3 years to new ones. People were worried that they would lose all ago, as part of an attempt to adapt to changes that were their contact information. Luckily, the operators had started expected in the insurance market. “In fact, the biggest need to introduce the new SIMs a few years ago, so this wasn’t a we foresaw at the time was in registration for car insurance problem for most people.” – there needed to be a way to do the process electronically, to “Now, we try to actively promote Mobile ID to our customers reduce the hassle of processing lots of paper and to eliminate as much as possible. But we do this in the same way that we the need for the customer to go in person to the authorities. promote our other services: as part of our service portfolio. That’s when we heard about the Mobile ID idea.” On our main login screen we have a description of mobile If’s criteria when assessing the Mobile ID: “Good customer ID and tell people that they need to contact their operator in service is part of our core business. We needed to find a way order to get one. Our basic message to consumers: “It’s the to identify customers and to get electronic signatures for way of future; start using it already!” consent over the phone, but any solution needed to be hassle- Plans for the future: “One of the most important free and easy-to-use for the customer. Usually, when we additional functions we want to enable with Mobile ID serve our customers we use some kind of logical identifying is signing documents and obtaining approval signatures questions to ensure that the customer is who they claim from customers over the phone. If you could do this over to be (usually these are pieces of information that only the SMS – even while you are speaking on the phone to the customer should know, such as their social security number, customer service representative – the whole process could details on the insurance they have, etc.). With Mobile ID, we be completed in one single session. Additionally, unlike could eliminate this process.” the Bank ID which only provides the name and customer Cost: “Another very important criterion for us is that the cost number, with Mobile ID we could add a lot more information of the Mobile ID is around one third of cost of equivalent to the customer profile, such as the address, basic credit Bank ID. We have over 1.7 million logins per year, so this is a checks (all with the customer consent, of course.) Mobile ID remarkable price reduction. Also, like many service providers offers a whole range of opportunities that Bank ID doesn’t.” in Finland, we have to enter into separate agreements with “The challenge we still experience is that many of our each of the banks. This creates a lot of work for us. We built customers don’t have a Mobile ID yet, so the penetration is our business case for Mobile ID on various assumptions on still too low to make the investment to build these additional the penetration of Mobile ID and the level of savings we kinds of services. Once the banks join us, I believe the could make, and it worked out in every scenario.” penetration of Mobile ID will grow quite rapidly.” Being ahead of the market: “We were the second company “Facilitating the online registration process for customers in Finland to start using Mobile ID. We wanted to show will be a major factor. At the moment, only a few banks that we were front-runners in the market and to be the first allow the Bank ID to be used as pre-authentication for online big, mass-market consumer-facing company to be using registration to obtain a Mobile ID, otherwise the customer it (the other company at the time was a small scale start- must go in person to their operator to get it. Once the online up company providing electronic signatures for business registration process is solved, it really can’t get any easier for contracts between companies). It’s a strategic move that we the customer. This is the part we are waiting for. But because are still proud of.” banks are so resistant to this they are holding back promotion “When we originally started to look into Mobile ID, we saw it and marketing activities for the whole market.” as a potential replacement for Bank ID. But now we recognise Message to other service providers: “As with many new it as a complementary tool to improve the user experience, products, there’s a snowball effect. The tendency in these especially in terms of adding new services. I think other situations is that companies think they should just wait to service providers are seeing this as well: now there are more see what others in the market do. When I talk to other service than 200 service providers using Mobile ID.” providers in Finland I tell them: “We are big in the market. Launching the service: “Before we launched Mobile ID If we believe that we should be doing this, then you should to our consumers, we wanted to test out the service. Our as well. As an insurance company, our business is based on first target group was our own personnel. We thought that trust, so if we think Mobile ID is secure enough for us then it once our own people were familiar with it, it would be should be for you, too.” much easier for them to promote and give support to our The other message we want to give is that the first step doesn’t customers. In fact, this was extremely useful as we found involve any big risks at all. Our biggest costs were on the pre- out the questions that customers would be asking about it. study and a few days’ work for our IT department, but that’s The feedback: “They loved how easy it was to use! Basically, all. The cost structure for Mobile ID is to pay per use, so if the main questions were ‘So now I can use this with our (IF people weren’t using it then we weren’t paying the operator. I Insurance) services, but where else?’” try to tell them, “don’t wait – just do it and see what happens!” Finnish Mobile ID 15 A Lesson in Interoperability

C. Consumer Uptake b. Online using the Bank ID: iii. The additional limitation to Around 4 Finnish banks currently scalability is the uptake of daily, i. The Mobile ID service is currently have agreed to offer their Bank high-value services, especially offered as a free service to ID as a component of the online in internet-banking and payment individuals, and is viewed by its pre-registration process for their approvals. Reaching high volumes users as far more convenient and customers to obtain a Mobile ID. for services used by consumers user friendly than existing Bank ID Users who have already gone (compared to those used less or Citizen ID card authentication through a hard registration process frequently, such as insurance and solutions. The ability to access secure with their bank can use the strong government services) is important accounts from anywhere, at any authentication process of the for maintaining scalability for the time, without the need to carry a Bank ID to verify their customer operators, as well as increasing plastic card with OTP codes is very information on their operator’s awareness and user-familiarity with appealing to Finnish consumers. website. The ability to issue Mobile the service. Additionally, anyone who has two ID “over-the-air” is based on the bank accounts requires two separate fact that most SIMs in the field are “For consumers, these (high volume) Bank IDs, with two separate PIN Mobile ID capable already. This services are interesting enough to go codes and plastic OTP code cards. process only takes 3 minutes and is through the first authentication threshold and encourage them to obtain the Mobile ii. Nevertheless, low awareness therefore considered to be far more ID.” (Elisa). among consumers and slow service convenient to the customer. provider uptake to date have meant In the eyes of the three mobile “I’ll never go back to plastic cards” that Mobile ID was not taken up operators, enabling the pre-registration (user of the Mobile ID service). by consumers as quickly as the through the Bank ID is a key milestone operators had hoped. One primary For further information on the for facilitating scale and uptake among reason attributed to this relatively Mobile ID as presented to customers, users. low uptake is the registration process please see: required in order to obtain the However, so far, only 4 of the 10 http://www.mobiilivarmenne.fi/ Mobile ID. Currently, two methods banks in Finland have made an en/faq/ can be used for registering for a agreement to allow their Bank ID to Mobile ID: be used in this way, meaning that the threshold for Bank ID authentication a. In person at the operator store: established by the operators has The in-store registration process been limited (in Elisa’s case, only entails collecting the user’s 50% coverage). As a result, the level personal information, verifying of market penetration necessary the ID documentation (typically a for investment in public awareness passport, driver’s license or national marketing has also been delayed. Citizen ID card) and verifying the customer’s subscription to the SIM. The process can be done in any operator store around the country and takes approximately 8 minutes in total.

Official Mobilivarmenne website

What? Where? Why? Who is it for? The mobile certificate is With the mobile Certificate, The mobile certificate is The mobile certificate is your digital ID in your you can prove your identity absolutely secure. It functions compatible with all Finns’ mobile phone. With it, you online or during a phone call with an access code which mobile phones, and you can can prove your identity in an easy way. It is compatible only you know. With the easily have it activated by and use electronic with online services that mobile Certificate you can your operator. signatures in different require identification and will take care of electronic electronic services. also be compatible with bank business in a convenient services in the future. way from start to finish. 16 Mobile Identity

V Economics

A. Business model ii. Pricing structure: B. Roadmap to commercialisation The three operators compete & sustainability i. In establishing a “Circle of Trust” on pricing packages to service between the three operators, the i. There is still some disagreement providers. For example, Elisa’s Mobile ID offers a significant as to the form that future revenue pricing is standardized for all service advantage over other existing models for Mobile ID should providers, with volume-discounts solutions. The model is service- take. Some believe that once the for high-volume service providers. provider driven: the service service reaches 25% penetration For consumers, Mobile ID will provider has an agreement with a of end users, operators can start remain free until penetration levels single operator, under which the charging consumers via billing or a have grown sufficiently. payment structure and revenue subscription-based payment scheme. generation is derived. According to Elisa, this aspect of Others, however, believe that the their business-mode was publicly solution should not cost anything stated from the start of Mobile ID. for the end-user and that total cost Today, Mobile ID is packaged as a should fall on the service provider, value-adding service to the user’s at least the mass-market segments. mobile subscription. When it comes to enterprise subscription to the Mobile ID, there may be some ability to charge enterprises for use of the service.

Elisa: Bringing the Mobile ID to market Eventually, what we want to establish is a world where your Mobile ID becomes the eID used everywhere. Estonia has The strong authentication market is small but rapidly growing. managed to do this with their eID and there is now strong In Finland we see approximately 30% growth annually. push to do the same in Finland since the benefits are huge. Commercially, the most important emphasis will be on value- We could eventually provide proprietary IAM (Identity adding services, such as mobile purchases, remote payments and Access Management) systems for service providers to over the internet and mobile (potentially, this includes NFC- identify their employees) (e.g. policemen or healthcare care based physical payments in the near future), as well as a professionals) by offering mobile PKI based solutions for multitude of eServices requiring approval or signature from that process. For the time being, however, we think the best the consumer. Mobile ID will be a key enabler in these and approach is to offer our current generic Mobile ID for all and many others. In this way, we see the Mobile ID as a “control then build on additional identity relevant services that can be and value-capture” point. adjusted for the particular use case (i.e. allowing for degrees of We saw market-entry as a “chicken-and-egg” situation: no access relevant to the service). users means no services, which means no reason for users We are confident that the market will move in our direction. to join and the same for service providers. But this is often On the consumer side, the main threshold is user familiarity the case in the telecoms arena. So, we started enticing the with Mobile ID. Our experience is that after three transactions service provider side with the aim of having enough services the consumer feels comfortable with Mobile ID and then to implement Mobile ID across multiple industries, and also becomes an active user. We have ongoing activities to increase focused on trying to attract high-involvement services. After usage frequency, but in our view, the current starting-phase approximately 12 months, Mobile ID was usable in most user-frequency has been in line with our expectations. internet-based services where the Bank IDs were historically used for strong authentication. Elisa’s business model has been publicly stated from the start: we aim to earn revenue from both service providers and from What’s important to recognise is that high-involvement consumers. We know it will be important to standardize the services can be of two sorts: existing ones such as Internet pricing structure for service providers and we give volume- banking, and new-ones where Bank IDs are not feasible. based discounts for high-volume service providers who use These latter services are typically services that rely on mobile our service. For consumers, Mobile ID will remain free at phones and applications, such as mobile-based purchase and least until the end of 2013 when the penetration has grown payment approval. Both require new service design which, sufficiently and familiarity is well established. from the point of decision to the point of public launch, can take on average 12 months or more to develop. Thus, these services are only now entering the market. Finnish Mobile ID 17 A Lesson in Interoperability

ii. A number of other models are C. Future services enabled by the ii. A number of feasibility studies currently being discussed to look at Mobile ID are currently being undertaken on the viability of integrating Mobile ID the potential use of Mobile ID in i. As mentioned above, current with existing solutions, or providing healthcare (see box below), social usage of Mobile ID is seen as the support in scaling service adoption services, payments, person-to-person “tip of the iceberg” in terms of the by rolling it out among public verification (e.g. over voice) as well services and processes that it could service authorities. One such model as options for direct customer care support, across a broad range of being proposed by some would by consumer-facing businesses. industries. Eventually, the operators be for use of Mobile ID in public One important future use-case for want to reach a point where and e-government services. In this Mobile ID that the operators are Mobile ID becomes the eID used model, the Finnish Government examining is over the Near Field everywhere, for services beyond would provide some support for Communication (NFC) channel. simple authentication and access, infrastructure development and This would be of particular interest by empowering service providers to integration of the services, while in scenarios where the customer build flexible and customer-tailored each public service authority would authentication process needs to be services based on the strong identity sign a service agreement with their quicker than over the mobile or credentials held by the operators. customers. internet channels, such as in-store payments, transport and similar.

Mobile ID in the future: Healthcare prescriptions “Life-changing solutions like this one are now close at hand with the Mobile ID. We at the Population Register Centre Studies into the use of mobile certificates in the healthcare know that 95% of the (mobile certificate-based) solution industry have now been underway for several months. is ready; what it needs now is a strong business model to For example, a solution for mobile prescription connect the healthcare sector to the mobile operators. authentications by qualified healthcare providers was also considered during the earlier Mobile ID launch in 2005, but Similar studies like this one it was not developed due to the low uptake of the service. are being conducted across a range of sectors where Mobile The idea is now being taken up again in a feasibility ID is perceived to have the study being commissioned by the Finnish Population potential to vastly improve Register Centre . Finland has 300,000 healthcare the conduct of day-to-day professionals, meaning that enabling Mobile ID to act as activities of both employees a doctor’s signature for prescriptions would open up a and consumers. For example, significant number of high-volume transactions. In this a number of public and model, the certifying body would be the state certificate social service authorities are authority, the Population Register Centre, which would considering Mobile ID as a issue the certificates to doctors and other medical tool for social workers to use professionals. According to early findings from the study, in accessing records while out this service is feasible and will take around eight months of the office. to develop the solution. 18 Mobile Identity

VI Mobile ID – Key Success Factors

A. Interoperability C. Gaining acceptance of the banks and D. Positive role of government: new mobile payment service providers By establishing a “Circle of Trust” i. Legal clarification: between the three operators, Mobile ID Determining a basis upon which Clarification of the legal framework was able to offer a significant advantage Mobile ID can enter the market and regarding Mobile ID was key to over other existing solutions. This stand compatibly alongside the Bank ensuring the successful launch of unique model of strategic collaboration, IDs will be crucial to ensuring the the solution. By establishing legal whereby the operators present a success of the solution. Mobile ID justification for the competitive unified, seamless platform but were does not need to be viewed as a direct “Circle of Trust” between the still able to compete with each other for competitor to the existing Bank ID operators, and by adjusting revenue on the service provider end, solutions; indeed, there solutions are the legislation to allow mobile allowed the operators to work together mutually compatible and can provide operators to act as issuers of strong to cover the market and reach scale. a combination of greater convenience identification on the basis of their and security to the consumer when strong Know-Your-Customer (KYC) However, the operators have learned offered together. Facilitating the online processes, the Finnish government that in order to reach the scale and registration process for Mobile ID paved the way for Mobile ID. penetration they hoped for, there still through the customer’s existing Bank remain a number of challenges to IDs, for example, will greatly empower ii. Unifying role played by FiCom: be overcome. both solutions to better serve the user. The Finnish Federation for Communications and B. Reaching high frequency transactions Different solutions to this challenge Teleinformatics (FiCom), Finland’s High volume transactions, such are currently in discussion, including national telecoms representative as banking, online payment and the concept for a potentially body, played a crucial role in e-commerce verifications, will be the interoperable model for identity bringing the mobile operators key to driving sustainability in terms authentication between all three together to speak with one, unified of revenue and reach. Consumers are solutions (Mobile ID, Bank IDs and voice with the Finnish Government more likely to “stick” to Mobile ID if the Finnish National Citizen ID card), and other key industry stakeholders they use it frequently; while service which would greatly reduce the burden during the establishment of Mobile providers are more likely to invest in for service providers in terms of system ID. Through the work of FiCom, adopting an authentication service that design and integration. the key legislative and technical consumers will use often. Sustainability solutions embodied in the trust The key learning taken from this in the business model for operators is agreement were defined among the situation by the mobile operators is the gained from those service providers operators in order to launch a fully value gained from listening to the needs who process a greater volume of low- interoperable service. of other industry players in the identity cost, high frequency transactions market. Ultimately, clear and open iii. Role of government in driving over time. discussions with the Finnish banks service uptake: Once the point of high frequency is resulted in the mobile operators being Governments around the world are reached, the range of additional value- able to develop a more robust solution beginning to recognise the positive added services which can be built over which meets the security needs of benefits of mobile identity for citizen the top of the Mobile ID is infinite. financial service entities, while working authentication and access to public with the Finnish legislative authorities services. The Finnish Government to ensure that these specifications were is developing plans to make all made clear by law. public services fully available online by 2015. By encouraging migration to e-services which require strong authentication solutions, the Government will help to drive uptake by consumers who recognise the value in being able to access services – for activities as diverse as accessing private health or housing records, bidding for housing, receiving benefits, filing taxes – all from their mobile phone.

For further information, please visit www.gsma.com/mobileidentity or contact the GSMA Mobile Identity team at [email protected]