Identification principles for FTN
The Finnish Trust Network (FTN) is established by the Finnish government and is supervised by Traficom. The aim of FTN is to provide strong authentication services for citizens to access public and private services in Finland.
FTN includes electronic identities for Finnish Bank eIDs (FTN) and Mobiilivarmenne.
Signicat acts as an intermediary for these electronic identities.
# Signicat identity broker service
Signicat is a member of FTN and offers strong electronic identification of natural persons at substantial (korotettu) level of assurance. The principles for strong identification have been established in Finnish legislation: Laki vahvasta sähköisestä tunnistamisesta ja sähköisistä luottamuspalveluista 533/2016
Any online service provider can take advantage of Signicat's services as a one-stop shop.
The central part of Signicat’s membership in the Finnish Trust Network is its Authentication product, used for end-user identification.
Signicat's identity broker service is an easily integrated service, which appends different online services providers’ identification options with a growing number of methods via one point of integration.
The following diagram shows the identification flow from the end-user perspective.
# Service pricing
An authenticating end-user does not have to pay for using Signicat's broker service, instead Signicat has commercial agreements with the online service providers (online shops, service portals, etc.). Pricing is based on subscription (fixed monthly fee) and transaction fees (dynamic based on usage). Signicat bills through the third-party fees for identity service providers (e.g. online banks) as described in Finnish legislation: Laki vahvasta sähköisestä tunnistamisesta ja sähköisistä luottamuspalveluista (29.3.2019/412), section 12 c §.
# Applicable terms and conditions
Signicat follows the code of conduct provided by Traficom when concluding trust network agreements with the identity providers. In its customer agreements, Signicat follows applicable privacy legislation.
In identification processes, Signicat acts as Data Processor according to EU data protection regulations. Signicat transmits the Personal ID number (Henkilötunnus, HETU), first name, last name, and date of birth (extracted from HETU) according to Traficom’s decree 72.
The identity service provider (such as an online bank) returns the information mentioned above to Signicat. Signicat forwards the received identity data to the online service provider as it is. Signicat does not use personal data for any other purpose.
Signicat stores transaction information of identifications in technical logs to support the security and stability of the service as required in 24§ of The Finnish Act on Strong Electronic Identification and Electronic Signatures.
The personal data that is used in the identification process is handled according to the applicable regulation, such as the Finnish Data Protection Act, the EU’s General Data Protection Regulation, the Finnish Act on Strong Electronic Identification and Electronic Signatures and the regulation on the Finnish Trust Network.
The security of handling personal data is guaranteed in the following ways:
# Data transport
All data communication between the service provider infrastructure and Signicat infrastructure is via web services. The authenticity, integrity and confidentiality of the communication is secured using all of the following measures:
- Mutual TLS, with client authentication. The service provider has their own client certificate.
- Message-level encryption: All messages containing personal data are encrypted to ensure that only the service provider can read the data. The service provider has their own certificate for this purpose.
- Username and password (message level).
- The service provider has their own username and password.
# Data security
Signicat does not use the data the service provider sends to Signicat for any other purpose than the agreed-upon services. Only authorised persons with explicit need have access to the data. All access to data is protected with personal accounts and logged.
# Business continuity management
To guarantee service delivery and availability, Signicat has a full high-availability configuration with fail-over running at minimum two different sites on separate power grids and Internet access points.
A backup (application + data) is done regularly and stored at a different location, under the same security requirements that apply to live data.
# Physical and logical access control
Security requirements for physical and logical access control in Signicat’s operations centre follow the Information Security Management System (ISMS) documented processes, in accordance with ISO 27 001.
# Key management
Secure Key Management is a central part of Signicat operations. Signicat uses a key management system which gives security benefits through fine-grained access control, audit logging and encrypted storage.
# Protocol and API security
Signicat offers the SAML 2.0 (Security Assertion Markup Language 2.0) and OpenID Connect (OIDC) protocols.
# Security principles
Signicat has published information security principles, which can be found at https://www.signicat.com/about/security-and-trust.
If you have questions about how Signicat processes personal data, contact us at email@example.com.
# Key partnerships
Signicat cooperates with international ICT enterprises such as CGI, TietoEvry, Salesforce and Microsoft. The local partners in the Nordics include Telia, Innofactor, Qvik, HiQ and Knowit. You can find more information about partnerships at https://www.signicat.com/plugins. Currently, Google Cloud is the hosting service provider for Signicat.
# Conformity assessment as described in legislation (Tunnistuslaki 29§)
Nixu Certification Oy has assessed Signicat’s services as of June 2017. The report of the assessment has been approved by Traficom as of September 2017. The conformity assessment will be conducted every 2 years or sooner if the Signicat Authentication service is changed significantly.
In the context of the Finnish Trust Network, the controlling authority for identity brokerage services is The Finnish Transport and Communications Agency (TRAFICOM). More information can be found at https://www.kyberturvallisuuskeskus.fi/en.