eIDas and Finnish Trust Network bring an end to TUPAS – is your company all set for the change?

More security and less bureaucracy in user authentication - OP Developer

19.8.2019

More security and less bureaucracy in user authentication

New legislation, new complicated acronyms, new services supplanting the old. eIDAS, together with Finnish national legislation is about to bring an end to TUPAS. Why is this happening, and what will be the future of strong electronic identification?

For a long time, TUPAS has been the standard solution for strong digital identification in Finland. Developed and maintained by Finance Finland, its time is coming to an end. TUPAS will cease to function at the end of September 2019, forcing all application providers hoping to use strong customer identification to update and move on to a new ID broker.

So what’s the future for digital identification in Finland? Is this just an annoying technical update, or do companies and private citizens stand to gain something in the trade?

From TUPAS to Finnish Trust Network

The reasons for abandoning TUPAS can be summarized with one word: security. Data is the new oil, and in the recent years, companies, the public sector and private citizens alike have woken up to the value and possibilities of data. Data security and privacy have been in the center of lively debate, inspiring and inspired by regulation on the allowed uses of the wealth of data available to companies today. GDPR in the EU is a prime example of steps taken to provide standards and legal frameworks for the fair use of data.

eIDAS (electronic Identification, Authentication and Trust Services) is another such step. It aims to regulate the standards for electronic identification and trust services across the entirety of the EU, while also laying out heightened technical requirements for such services. On top of this, Finnish laws on strong digital identification were recently updated to meet the needs of modern digital markets.

The new set of requirements is above and beyond the scope of TUPAS, which lacks many security features we now consider crucial. As an example, the social security number of TUPAS users is passed through without encryption. To fix these shortcomings, a new national framework was established: the Finnish Trust Network.

The Finnish Trust Network has two types of operators: the so-called Identification Device Providers and Identification Brokers. Identification Device Providers' role stays largely unchanged, as they continue to issue identification devices. In Finland, this group currently consists of banks (bank credentials), teleoperators (Mobile ID), and the Population Register Centre (Citizen Certificates).

On the other hand, Identification Brokers connect applications to Identification Device Providers. This new role acts as an aggregator of identification credentials. Brokers can be banks – such as OP – or any other companies that get approval from Traficom (Finnish Transport and Communications Agency).

Cutting bureaucracy, simplifying solutions

As new legislation pushes the security of services forward, it also enables better services. For service providers, integrating strong digital authentication becomes less cumbersome. While the change may cause some extra hassle in the short term, in the long run the Finnish Trust Network will significantly decrease the amount of bureaucracy.

Instead of having to deal with multiple different identification device providers, an application provider can now simply choose one identification broker and get all the same features as before with one single integration and one contract. As Finnish Trust Network obliges all brokers to offer same identification devices, brokers will compete for market share with different pricing strategies, developer support, service reliability, and ease of integration.

If you’re an application provider with needs for strong customer authentication and you haven’t begun to transfer authentication yet, it’s time to act. For an easy way to get started you can contact your own OP branch office.

OP Identity Service Broker uses OIDC (Open ID Connect), similarly to our PSD2 APIs. OIDC is an industry standard protocol for identifying and authenticating users. OP Identity Service Broker API is easy to set up, and we offer extensive documentation to support the integration work.

What about end users?

For a typical consumer, the change is not big. End users who are used to authenticating themselves online using e.g. their bank credentials can keep on doing so. For many users, the shift may even go unnoticed.

With time, an additional benefit will materialize. eIDAS enables cross-border identification services with notified national identification methods when accessing public services in EU member states, enhancing mobility within the EU. However, at the moment few EU states offer notified identification methods, and as the notification process takes some time, end users will see these benefits later on.

Service providers assuming new roles

Many Identification Device Providers, including OP, offer also brokering services, assuming double roles as both Device Providers and Service Brokers. Finance Finland has reported that no new applications have arrived for the role of Identification Device Provider, which means that bank credentials are likely to remain the most popular method of identification.

But while identification devices are issued by familiar faces, new players have stepped up in brokering. As the field of electronic identification shifts, the role that banks and other service providers take on remains to be seen.

But whatever changes are coming in the network of identification service providers, one thing is certain: consumers win. On top of the data security and privacy features, end users get the convenience of using their preferred identification method in the future, too – at no additional cost.