The Estonian eID card system, one of the most advanced in the world, is the basis for all of the digital services that are available in the country. Celebrating its 15 years in service in 2017, the eID card is not just a typical piece of plastic with a picture, but a highly sophisticated digital access card for all of Estonia’s secure e-services. The chip on the card contains embedded files which, using 2048-bit public key encryption, enable it to be used as definitive proof of identity in an electronic environment.
It is used as the national health insurance card, as proof of identification when logging into bank accounts from a home computer, for digital signatures, online voting, accessing government databases to check medical records, filing taxes and picking up e-prescriptions. Most importantly, the majority of the Estonian population uses the eID card. Over 98% of bank transactions are completed online and 98% of prescriptions are issued online. The eID card also makes life easier when it comes to tax declarations, and 98% of those are filed online.
The well-established eID card system also enabled Estonia to launch its e-residency program back in 2014, allowing non-citizens to take advantage of the digital authentication solution. But the development process for the Estonian eID has not stopped, and according to the country’s Information System Authority (RIA), a steady upgrade is taking place. “RIA is constantly improving the eID software, based on users’ feedback and technological advances. eID is a crucial field – the security requirements raised towards national identity cards are very high and could not be alleviated for convenience or user experience reasons, while browser vendors are continuing to unexpectedly modify the standards to achieve higher security,” Margus Arm, eID domain manager at RIA, noted.
According to Arm, more users are moving towards mobile and smart devices, which are increasingly used for e-services and for everyday business, including signing digital documents. To address this, RIA started to support the Android and iOS platforms in addition to the previous desktop platforms – Windows, Mac and Linux. “Both Android and iOS apps (RIA Digidoc) are now available for download at Google Play and App Store. It is possible now to sign documents using the certificates provided both by eID cards – including e-resident cards – and mobile phone based m-ID, as well as to check the validity of existing digitally signed documents,” Arm explained.
To use eID cards with smart devices, special card readers are currently needed, such as mini-USB and Bluetooth readers, but a near-field communication (NFC) option is in the works. “NFC solution is still in the planning phase because the current eID cards do not possess NFC interface. It has been rather challenging to maintain strong security standards while adding NFC interface to our national identity cards. However, we have already succeeded in the pilot project. NFC-capable eID cards will be issued starting late 2018 or early 2019. A very natural follow-up will be the integration of NFC capable eID cards to both Android and iOS phones,” Arm disclosed.
Arm conceded that there are some tough challenges ahead and that, as always, security is the priority. “A very challenging development direction is to enable authentication capabilities for Android and iOS operating systems, too. While eID cards provide the strongest authentication capabilities, their integration with mobile devices has traditionally been weak. There are complex technical reasons behind the problem. For desktop computers, browsers are responsible for the authentication layer but in the case of smart devices, browsers lack that functionality, thus an extra layer has to be created for strong online authentication to succeed.”
Margus Arm emphasized that RIA is aiming to bring the strongest security characteristics of Estonian eID-based identity cards to smart devices, which will create the prerequisites for service providers to launch numerous new e-services. In the meantime, other countries, such as Singapore, have shown interest in implementing a digital identity program inspired by the one in Estonia.