Smart-ID+ upgrade aims to outwit scammers with new authentication tools

The State Information System Authority (RIA) is to roll out the new Smart-ID+ authentication service next month.
Smart-ID+ will improve on the existing Smart-ID authentication app, to make logins safer and to help prevent fraud and social engineering, including by removing the need to enter a personal ID code and other personal information.
It requires an update to the Smart-ID app and existing users do not need to install anything new.
"Smart-ID remains a secure authentication tool, but the threat landscape in the digital environment is constantly changing. Smart-ID+ is one of the steps through which the state is preventing increasingly complex scam schemes by adding an additional layer of protection to the authentication process," said Anna Õuekallas, head of RIA's e-identity department.
The new Smart-ID+ option will dispense with the need to enter a personal identification code when using a website, and the login session will be securely linked to the individual's Smart-ID application. This is done either by scanning a QR code or via a direct app-to-app connection, both of which make it harder for fraudsters to get a potential victim to inadvertently confirm any action they did not initiate themselves.
The QR code as displayed to the user of a desktop or laptop is constantly changing for security purposes.

When using a smartphone to access an e-service, the Smart-ID app will open automatically, with the user then confirming their login through their PIN1 code.
Only Smart-ID login QR codes can be scanned with the Smart-ID app, which should be done only if the user has initiated the login process themselves. A user's digital identity will remain protected provided login details are kept private and PIN codes do not fall into the wrong hands, RIA noted.
Smart-ID+ is new Smart-ID functionality developed by SK ID Solutions and can be used only in those e-services where the service provider has enabled it separately.
Using Smart-ID+ will require an update to the Smart-ID app on the user's phone. If automatic application updates are enabled on the phone, the user does not need to do anything further.
The state authentication service is an RIA service which allows the Estonian ID card, Mobile-ID and European Union eID, as well as Smart-ID, to be used when accessing e-services.
Smart-ID+ is to be rolled out at the end of February.
Personal ID codes, featuring the individual's date of birth, are often publicly available, and fraudsters have reportedly been taking advantage of this vulnerability.
--
Editor: Andrew Whyte








