Banks not rushing into Smart-ID security upgrade

Banks in Estonia are weighing up whether to adopt an upgraded version of the Smart-ID authentication tool, due to be rolled out next month.
While the upgrade, dubbed Smart-ID+, will make logging into state portals more secure, it will also be somewhat more time-consuming to implement, "Aktuaalne kaamera" reported.
Swedbank says a key consideration is that new security measures always come at the expense of customer convenience.
"We have also included this in our action plan and are starting development, but it must be understood that developments like this are technically quite complex and take some time. So I cannot promise the people of Estonia that we will roll out this solution tomorrow, but work toward it is under way," said Raul Vahtra, Swedbank's head of financial crime prevention.
LHV meanwhile says Smart-ID+ is not completely immune to fraud either. "We are talking here about a QR code that a person can scan from another device. If fraudsters are actually in contact with the client, using a regular computer, and the person has a screen in front of them, then even with this solution they can display that QR code on a fraudulent website and the client can scan it in the same way," noted Annika Goroško, head of retail banking at LHV.
From the end of February, state portals such as Eesti.ee and the Health Portal are to introduce Smart-ID+, which works in two ways: when using state services via a smartphone, authentication can be initiated and PIN codes entered only on that same device; when carrying out actions on a desktop, laptop or tablet computer, the user must scan a QR code from the screen with their phone.

"These are usage flows where the devices must be in the same room, meaning the session cannot be started remotely," said Anna Õuekallas, head of the e-identity department at the Information System Authority (RIA).
Up to now, authentication using Smart-ID has often involved the user giving their national ID code, which is often publicly available anyway, or other personal data, making fraud more likely.
Scams costing millions of euros have been seen in which the fraudster initiates a "transaction" and prompts the victim to share the two PIN codes Smart-ID comes with.
The state cannot coerce the banks into adopting Smart-ID+. The banks come under the regulation of the Estonian Financial Supervision Authority (Finantsinspektsioon) and are subject to EU rules, which require multiple security elements in electronic payments.
RIA added that each service provider can decide for itself which tools it opts to use to protect its customers. "In reality, it is not possible for the Estonian state to make a separate move here in any way, because all these requirements that e-ID tools must meet also come from Europe, and if those requirements are met, then from the state's perspective it is a secure tool," Õuekallas noted.
Existing users of the Smart-ID app can upgrade to Smart-ID+ when it rolls out, via updates. No new app installation is required.
"Aktuaalne kaamera" reported that at the moment Smart-ID is the most commonly used authentication tool in Estonia, with a market share of nearly 60 percent. The national ID card, with its chip-and-PIN system, has a market share of close to 23 percent, with Mobiil-ID, which requires a specific SIM card in a smartphone, making up the balance.
--
Editor: Andrew Whyte, Johanna Alvin
Source: 'Aktuaalne kaamera'