This blog takes a detailed look at exactly what it means when TUPAS no longer qualifies for strong customer identification, and answers some key questions around the Finnish Trust Network (FTN).
We are increasingly living our lives online. And, because of that, we are handing more and more personal data and sensitive information, such as credit card details and passwords, over to websites, often without considering whether the process is secure.
At Signicat, we understand the importance of security and safety. We are dedicated to ensuring consumers and organisations alike are able to perform tasks in an environment that safeguards and protects private information, while also increasing levels of efficiency and productivity.
TUPAS has been an integral cog in the online authentication wheel for a number of years, but it is soon set to become obsolete. So what exactly is changing and what do the changes mean to your organisation? Here are seven things you should know.
1. What is the change in law around electronic identification in Finland?
The Finnish TUPAS eID will become obsolete on 30 September 2019, as the transition period of Traficom’s regulation on electronic identification comes to an end in line with EU eIDAS regulation. Under the regulation, the TUPAS protocol will no longer meet the threshold of strong authentication, with organisations that rely on TUPAS for eIDs required to switch to new strong authentication protocols, such as OIDC or SAML 2.0.
2. What is online bank identification?
The TUPAS protocol—also known as the Finnish Online Bank Identification platform—is a Strong Customer Authentication (SCA) method owned and administered by several Finnish banks. TUPAS identification serves as the primary identification method for Finnish citizens, and has become the de facto standard for digital identification in Finland.
Online bank identification allows online service providers, be they businesses or public bodies, to authenticate their customers through the online bank identification platform by using the online banking credentials issued by participating Finnish banks. The service relies on the same bank-specific identifiers that customers use to access their bank's services and accounts: their online bank user IDs. These IDs can be used across a broad range of services including e-commerce, telecoms, and government eServices.
3. Which banks are part of the TUPAS platform?
- OP Financial Group
- Danske Bank
- Savings Banks Group
- POP Bank
- Bank of Åland
- Oma Säästöpankki
4. What does ‘strong authentication’ actually mean?
To be considered a strong authentication method under Finnish law, the protocol must include two of the following three identification methods:
- Password or similar code known only to the user
- Chip card or similar item held only by the user
- Fingerprint or similar identifier that is unique to the user
TUPAS doesn't have encryption at the message level so, come 1 October 2019, it will no longer be compliant with EU eIDAS regulation and Finnish law. Secure authentication providers will need to adopt a more advanced and secure protocol.
5. What is the Finnish Trust Network (FTN)?
TUPAS has been operated by the Finnish banks, and required service providers to negotiate contracts and perform integrations with each separate bank they deal with. As no real competition existed, TUPAS authentication was expensive for service providers. The eIDAS regulations provide the government with the opportunity to open up eID services to market competition. To that end, the government has established the Finnish Trust Network (FTN), a framework that allows strong authentication service brokers to resell eID solutions in Finland using a single standardised service contract.
These eID brokers act as intermediaries between the identity providers (banks and telecom operators) and online service providers, which enables them to operate as 'one-stop-shop' resellers of eIDs, as well as giving them the capacity to manage contracts and technical integrations. This new competitive environment has removed the main obstacles to developing strong identification services by:
- Capping transaction costs between the bank and eID broker
- Eliminating administrative hurdles, with a single contract serving all Finnish banks
- Streamlining integration, with only one standard technical interface required
6. What are the new options?
With TUPAS coming to an end, all businesses and services that use strong authentication will be required to switch to the new, more secure eID protocols, such as OIDC and SAML. The first decision they need to make is whether to rely on the Finnish banks for this service, or sign up with an FTN-approved eID broker.
The benefits of using an eID broker over the banks are clear, as we demonstrate below:
The bank option
- Ten banks offer strong authentication
- Separate renewal of each eID interface is required for every bank
- Time and resources must be committed to perform ten separate technical integrations
- Each bank negotiates its own contract, sucking up administrative resources
- The banks are not part of the FTN, so transaction price caps do not apply
The eID broker option
- Only one contract needed between the broker and your business, meaning reduced administrative burden
- Only one technical interface between the broker and your service, which streamlines technical integration
- Without multiple technical interfaces, there is less IT maintenance required
- The broker is responsible for implementing any technical changes required by the banks
- The broker will be a member of the FTN, so price capping will apply
7. Why should I choose Signicat as my eID broker?
Signicat is the recognised leader in the Nordic digital identity market and is considered a key enabler for the digital economy. Some of the benefits include:
- Over 10 years’ track record of expertise
- Traficom has approved Signicat for the Finnish Trust Network
- Unrivalled performance and simplicity
- A high-growth provider
- Certified to internationally recognised standards