The Suomi.fi identity brokering service provides a list of authentication methods for the Tax Administration e-service.
Nowadays, people handle so much sensitive information online that the need for strong authentication is apparent. People cannot rely on username and password authentication for services such as banking, insurance, health care and tax administration, to mention a few. Traditionally, in Finland, we have had three classes of strong authentication methods available for citizens: BankID, Mobile Certificate (Mobiilivarmenne) and the national ID card (HST card). Since the end of October 2024, a fourth type of official strong authentication method has been made available, hightrust.id.
Overview – Hightrust.id
Hightrust.id is a digital wallet solution designed for mobile devices. It aims to offer a centralised solution for managing individuals’ online identity credentials without remembering various usernames and passwords or carrying several documents. At the time of writing, hightrust.id provides strong identity verification and legally binding electronic signatures, but the solution has much more potential. In this blog, I will review hightrust.id mainly as an authentication method.
Hightrust.id as a Strong Authentication method
It’s not every day that new, strong authentication methods are introduced. But what makes these methods strong? Multifactor authentication (MFA) methods are often seen as stronger options than methods that rely only on a username and password. However, MFA capability alone does not make a particular method an officially strong authentication method. It must undergo a complex certification process to prove the solution’s maturity. The result is expressed as a level of assurance (LoA). The National Cyber Security Centre of the Finnish Transport and Communications Agency, Traficom, makes the certification guidelines in Finland. Of the current strong methods, BankID and Mobile Certificate are at the second-highest LoA level, eIDAS Substantial, and the HST card is at the highest level, eIDAS High, on the EU three-step scale. Hightrust.id has been certified to the highest level of eIDAS High, although when used in the Finnish Trust Network, it is registered on the same LoA level as BankID and Mobile Certificate, eIDAS Substantial.
Digital Wallets
Generally, a digital wallet is an app that includes personal identity data (PID) based on different types of identity and payment documents and potentially additional attributes that could indicate, e.g., your profession or the organisation you work for. Soon, various kinds of cards, such as identity cards, driver’s licenses, debit cards, credit cards, and cryptocurrencies, can be added to the wallets.
The hightrust.id digital wallet is a smartphone application that can be downloaded for free from Android’s Google Play or Apple’s App Store. The solution enables user identity verification in a smartphone application with a citizen certificate scanned from an HST card, and it can be used without a separate card reader. The user can also sign documents electronically using the app. Other cards supported now in the hightrust.id wallet include the Finnish Sote card (for healthcare workers) and the Finnish DVV organisation card (generally used by public sector employees).
Another interesting digital wallet solution is the EU’s long-planned EUDI wallet, which will be launched around 2026 to 2027. The EUDI wallet will harmonise how EU citizens verify their identity across borders in different e-services. It ultimately provides a cross-border digital identity that will benefit citizens across the 27 EU nations. You can read more about it here.
Citizen Digital Certificate
A digital certificate is an identifier verified by a third-party organisation. It can be used to identify its subject and reliably sign in to information networks and systems. Several certificate types, such as server certificates, are available to identify Internet service providers and secure data exchange. The mobile certificate method is based on a certificate stored in a SIM card on a smart device. The certificate stored in an HST card is called the citizen certificate, and the user must enable it before use. Passports cannot be used for this because their chips do not include the citizen certificate.
If you have not enabled the citizen certificate of your HST card, you can do it in the hightrust.id app. This is a great feature, as previously this would require using a device with a smart card reader or attaching a smart card reader to a computer. Your card must be issued after August 31, 2021, and you need a smartphone or tablet with a near-field communication (NFC) feature. Also, you must have the activation code that is delivered to you on paper separately from the card. This code is used to activate the citizen certificate and create a PIN1 for authentication and a PIN2 for signing. If you do not have the activation code available, you can visit the police station to get a new one for a fee.
To start using the citizen certificate, do the following:
Adding and confirming your email address in the hightrust.id wallet is essential. It speeds up the revocation operation of the citizen certificate in case you accidentally lose or break your phone or change it to a new one.
Detailed instructions in Finnish, Swedish and English on how to proceed with all the steps are here.
Signing in with the hightrust.id
In the following example, I will sign in to a social and healthcare mobile application called Maisa. It is a personal health record (PHR) application used by some of the largest public health care regions. The app requires strong authentication due to the sensitive information it contains. Here are a few observations of the procedure.
Maisa uses the Suomi.fi identity brokering service to provide all of the different strong authentication methods available. Since I use a mobile app to access the service, I must ensure that hightrust.id uses the app option. If using Maisa via computer, I would choose the QR-code scanning option and scan the QR-code from the computer screen using my phone. If I had several cards scanned in the hightrust.id application, I would choose the card manually, but since I have only one, it is selected automatically. Notice that the national ID card does not contain the social security number (HETU) but a SATU identifier (FINUID, Finnish Unique Identification Number). The SATU identifier will be changed to HETU in the background, utilising the national population information system. Face ID, fingerprint, or mobile device security code can be used to accept sending SATU to the population information system. After the SATU to HETU conversion, I need to give permission to send HETU information to Maisa. After this, I can start to use the service.
The authentication operation did not require typing any information such as passwords or PIN codes since I have the Face ID option on my smartphone. Other options would have been a fingerprint or typing the smartphone’s security code. In both cases, the operation is effortless and does not require the user to remember any additional passwords or codes that they do not already know.
Hightrust.id vs. other Strong Authentication methods
Hightrust.id is not the only ID document-based authentication method on the market. Suomi.fi offers the HST card method, but the downside is that it requires a physical card and a card reader device, which is not handy for me to carry outside my home. Also, there are various methods based on ID document scanning and taking pictures and videos of my ID documents and myself. These methods have many benefits, such as providing reliable authentication methods for people from countries outside of Finland and even outside of Europe and letting them use documents like passports, ID cards and driver’s licenses to verify their identity. However, even though many of these methods rely on advanced technologies, they are not officially certified strong authentication methods in Finland. You can read more about the ID document-based authentication methods here.
BankID has traditionally been the most popular strong authentication method in Finland. It has been used since the 1990s, and most eService users in Finland are very familiar with it. Since BankID enables access to users’ bank accounts, the current recommendation is to use it carefully and only for the bank’s services. The other strong methods, including mobile certificates, hightrust.id and identification cards, should be used for everything else. They work practically everywhere except when logging into online banking. Lately, the mobile certificate method has gained popularity alongside BankID. If criminals gain access to your mobile certificate, they will get access to your online services, but not your bank account. HST card and the hightrust.id methods also offer their benefits. It is always a good idea to have several strong authentication methods available. This is important not only for safety reasons, but also for situations when the bank service is unavailable, for example, during a service break.
See the table below for the basic characteristics of the different strong authentication methods.
Method | Trust level (LoA) | Requirements | Password/PIN | eService Platform |
HST card | eIDAS High | HST card, Card reader | Authentication PIN, Signature PIN | Mainly Computer *** |
BankID | eIDAS Substantial | Bank account | Password, PIN code and OTP code ** | Computer & Mobile |
Mobile certificate | eIDAS Substantial | Mobile device with Telia, DNA or Elisa subscription | PIN code, Anti-spam code (optional) | Computer & Mobile |
Hightrust.id | eIDAS Substantial | HST card *, Mobile device with NFC chip, hightrust.id app | Face ID, Fingerprint or Phone security code | Computer & Mobile |
* The card must be assigned after the 31st of August 2021
** Depending on the solution. Not all three are required during one session. OTP = One Time Password.
*** Mobile card readers are not very practical.
A critical part of any digital solution is the cost. Nothing comes for free, and the service provider must pay something to the identity broker service operators, Suomi.fi (public sector services) or the Finnish Trust Network (FTN, private sector services) to provide strong authentication methods for their clients. Sometimes, this includes an additional transaction-level fee paid per authentication transaction. But sometimes, we users must also pay a small fee for our chosen methods. See the table below for the basic pricing principles of strong authentication methods.
Method | User fees | Service provider fees in FTN |
HST card | HST card fee once every 5 years; optional card reader | Transaction-level fees |
BankID | Free – 0-4,50€/Month depending on bank | Transaction-level fees |
Mobile certificate | Telia: Free; DNA: 2,01€/Month; Elisa: 2,99/Month | Transaction-level fees |
Hightrust.id | HST card fee once every 5 years | Transaction-level fees |
Prices checked and accurate as of 2025/04/11
Conclusion
Hightrust.id is a quick and convenient way to sign in to online services, especially when using online services on a mobile device. For those who already have an HST card, it is a great alternative to other sign-in methods.
The digital identity management and payment industry is constantly changing. Criminals are constantly developing new, innovative ways to hack into our bank accounts to steal our money. Usually, when security is increased, it means more steps for the user to log in. This in turn makes it more difficult to use services. We need innovations like hightrust.id to provide a solution that combines security, convenience and efficiency so that we can use electronic services with peace of mind.
If you have questions about using authentication methods, get in touch with our expert IAM team!
About Megical Oy
Megical Oy is a Finnish company founded in 2011, headquartered in Helsinki. The company’s main business is software design and manufacturing. The company’s subsidiary name is hightrust.id.
About The Author: Sami Lindgren
As Sales Engineer at Ubisecure, Sami supports technical aspects of sales activities regarding Identity and Access Management (IAM) products.