Let’s Talk About Digital Identity with Petteri Ihalainen, Senior Specialist at the National Cyber Security Centre, Finland (part of Traficom – Finnish Transport and Communications Agency).
In episode 33, Oscar’s on home turf talking to Petteri Ihalainen about the identity landscape in Finland and all about the Finnish Trust Network (FTN) – what it is, why it came about and what the benefits are for Finland’s population. They also discuss Katso, Finland’s business-to-government national delegation solution (read more about Katso here), and eIDAS, a regulation that Petteri is deeply involved in.
[Scroll down for transcript]
“You get basically the whole population of Finnish people through a single contract.”
Petteri Ihalainen has an extensive information security background, having worked for organisations like SSH, Ubisecure, the EU Commission, Gemalto and GlobalSign. During his career he has participated in advanced initiatives and digital identity programmes in various roles. He’s currently working as a senior specialist at the National Cyber Security Centre of Finland (part of Traficom – the Finnish Transport and Communications Agency) in a team that supervises and advises organisations deploying digital identity solutions. Petteri also acts as one of the country’s representatives at the EU-level in eIDAS related tasks and programmes.
Or subscribe with your favorite app by using the address below
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar Santolalla: Hello and thanks for joining today. In Finland, people are used to accessing many services completely online and authenticate using verified identity, I would say almost on a daily basis. So this has been the norm for already many, many years. But recently, there have been some changes and as a result, we have something called the Finnish Trust Network. So, if you haven’t heard about that, you are going to hear from an expert in this matter who – let me introduce you today, is with me, Petteri Ihalainen.
He has an extensive information security background having worked for organisations like SSH, Ubisecure, the European Commission, Gemalto and GlobalSign. During his career, he has participated in advanced initiatives and digital identity programmes in various roles. He’s currently working as a Senior Specialist at the National Cyber Security Centre in Finland which is part of the Finnish Transport and Communication Agency, Traficom, in a team that supervises and advises organisations deploying digital identity solutions. Petteri also acts as one of the country representatives at the European Union-level in eIDAS related tasks and programmes.
Petteri Ihalainen: Hello, Oscar. How are you doing?
Oscar: Very good. It’s great talking with you after some time. So, as I said in your bio, you’ve been part of Ubisecure some time ago and it’s great to talk with you again and see what you are doing now in Traficom.
Petteri: Yeah, thanks for inviting me over.
Oscar: Fantastic. So, we’d like to hear a bit more from your own words what was your journey to this world of digital identity?
Petteri: Digital identity is kind of a long story. So, I have been interested in information security in general for ages, even in my first job at the healthcare sector had an aspect of information security. But it really got start information security career at SSH Communications Security in 2000. And I was then hired as a product manager for the PKI product family that was still being developed at SSH. And it was supposed to be the year of the PKI, but it didn’t happen and then we kind of like went, “OK, 2001 has to be the year of PKI and so on and so forth” which never happened. But that year 2000 got really the start for my information security career.
And regards to the digital identity, well, PKI is one of the basic technologies in digital identity. But it was more towards let’s say device-based identities and these kinds of things, at that time was we were developing. Then I joined Ubisecure in 2004. And 2005 where I started to participate in one of the greatest, or you know best, project of my professional career which was the dedicated authorisation management platform called Katso.
And Katso was all about digital identity. It wasn’t just authentication. It was much more than that. Authentication was basically a necessary evil. But it was management of the roles in a very large-scale environment. Katso system had over 300,000 organisations using it and the services that were integrated into the system at the end of the life, which is this year by the way, it was over 100 e-government online services and Katso was the enabling factor, enabling these services to outsource the management of digital identities to the customer organisations themselves. And that was also one of the at least, one of the key technologies that Ubisecure can deliver to its customers.
So, in 2008, I joined for three years European Commission and I was involved in the information security research for critical network infrastructure. That was quite interesting because during that time, for example, Stuxnet happened and it was quite fun because we had actually nuclear physicists residing in the same building as us and they were just downstairs and every time that we found out a little bit more about the malware, we just went downstairs and asked what are the implications of this to the nuclear refinement process.
So, after the three years I spent in Italy working for the European Commission, I came back to Finland and I thought that at that time that mobile ID, it’s time for now, this mobile ID to really take off. And I joined Gemalto, that delivers the technology for mobile ID and I worked there for one and a half years.
Then in 2013, I joined again Ubisecure which then later on became GlobalSign and then again Ubisecure. But 2018 was the last change of my career, and that was when I joined the Finnish Communications Agency and that was the predecessor of the Traficom agency that I work for now. And in that organisation, I joined the eIDAS division and that’s where I’m at right now as a Technical Senior Specialist. So, quite a lot of things happening around digital identity throughout let’s say 20 years and it’s been quite interesting and it’s been really nice to see how things have evolved during the 20 years.
Oscar: Yes. Well, I can see you have had the privilege and also the impact of working in all these projects. You mentioned the beginning of Katso. You mentioned the mobile PKI implemented in Finland, mobile ID. And now you are also involving in eIDAS. So, several super interesting projects and very influential projects in digital identity, not only in Finland but also at the European Union level. One number that stuck to my mind what you just have said is that if I’m correct, if I took it correctly, you mentioned that Katso has allowed around 100 public organisations in Finland to manage their online services, if that’s true, it’s an amazing number for I think I don’t know if there are many countries in the world that can have 100 public or completely different public organisations connected by digital identity.
Petteri: Yeah, it was over 100 digital online services and I think it was close to 20 government organisations that were using this but the customer base was over 300,000 organisations that were using the Katso system. So it was a business-to-government type of scenario.
Oscar: Yeah, definitely a massive project. Today, let’s focus more on Finland. We are going to touch also about European Union, but focus on Finland. What would you say, based on your experience, are the main challenges that the government and also the identity providers as you mentioned, the identity providers, in Finland, had that led to the inception of what we are going to discuss today the Finnish Trust Network.
Petteri: Yeah, I mean it’s the overall digital challenge, moving all these processes from the traditional brick and mortar places to online and transforming the paper-based processes into digital processes. And this is not just for the government, it’s all around us and it’s still ongoing, it was a hype work let’s say five years ago, but it’s still strongly going and still new services are coming up every week or so, it might be every day, I don’t know.
But we already touched upon Katso and that was a really big step towards creating the basis for government-to-business services. But the Finnish Trust Network that has its roots in the citizen realm – so us, Finnish citizens or residents in Finland, who have a social security number, can get a strong authentication means at our disposal. And then use this means to access online services, meaning they do strong authentication towards government services but also towards commercial services.
And one example that I have used is the Viking Line example that Ubisecure implemented quite a few years ago, where the cruise line has this pre-order shop, where you can buy alcohol for your cruise and it will be then waiting for you when you disembark and start your journey towards home. So, for that they needed a strong authentication solution because they need to verify the age of the passenger that he or she is allowed to buy this alcohol. So, a good example of how you can use this strong identity is in the private sector as well. The main user of course, I think still in Finland is the government sector meaning tax and social security and these kinds of things.
But the Finnish Trust Network, let’s say that Finland is a kind of a unique place in the world that we have 13 commercial IdPs and one government IdP. And these 13 commercial IdPs are divided to 10 banks and three mobile network operators. And from each of those, if you’re a customer of a bank you can get a strong authentication means. Or, if you are a customer of these mobile network operators, you can of course get a strong identity from them as well. And the growing number of digital services requiring strong authentication is one of the things that is behind the Finnish Trust Network.
The situation before Finnish Trust Network was that if you were an online service provider, you had to integrate your service to all of these IdPs separately, not just technically but also commercially. Well, you can do away with the one mobile network operator integration because they were roaming and are roaming within themselves. But let’s say that you are online service provider, you have to do 11 different integrations and 11 different commercial agreements. And that is a major obstacle for anyone who’s – let’s say a big online service. So it wasn’t good for the competition and talking about competition it was also very stagnant. So you had to do these things and there was no real competition in terms of commercial side of these authentication events because each and every authentication event is something that you need to pay as an online service provider if you get it from the private sector. And this is the de facto way of doing it in Finland, the commercial and private sector identities are used in the government IdP is not used in the citizen services. The government IdP, or let’s say government-issued eIDs, are very widely used in healthcare sector. But as a citizen, they were not that widely used. So that’s kind of the background for the Finnish Trust Network.
Oscar: Yeah, I can see. It’s very interesting that from the user or citizen point of view, there are three types of strong authentication. One is a mobile, as you said, based on mobile PKI, the other is the bank authentication based on 10 or 11 banks, you mentioned. And the other is the governmental base on a physical, an ID with a chip, with a certificate as well so there are three ways.
From the point of view now of an organisation, a business that still hasn’t used strong authentication, none of these mechanism for authentication, it’s not on their login pages on the websites. Because I know there are many companies like there are some supermarkets or department stores, there are some clinics that have that besides the user and password they have some of these bank authentication or mobile ID. But for the ones that still have not done that. So what are the main benefits for an organisation like that to integrate the Finnish Trust Network?
Petteri: Main benefits? Let’s go through the concept of the Finnish Trust Network before going into the benefits themselves.
Petteri: Because the listeners, they need to understand what this thing actually is. And again, like I said before, we have a unique situation in Finland having so many commercial identity issuers – banks and the mobile network operators. We also have now, thanks to the Finnish Trust Network, a unique legal framework that is supporting this scenario. So, the Finnish Trust Network, as a main, it implies a legal framework. So, we have laws and decrees around eIDs and how to issue them, how to manage them and how to make them secure and so on and so forth.
But it’s also about supervision. So, within the Finnish Trust Network, if you want to provide authentication services to the market, especially strong authentication so, we are not talking about let’s say normal authentication which is password-based and this kind of let’s say, weak authentication things. We are talking about strong authentication. Like you said we have the bank-issued identities, we have the mobile ID and we have the government issued eID.
It’s also about supervision. So we have these 13 commercial issuers of identities, we need to make sure that what they do is adequate, let’s say. Because there’s the eIDAS regulation behind it so there are some requirements that we need to take into consideration like how the registration is done and what kind of authentication mechanisms are deployed and so on and so forth. And the Finnish Trust Network is a collection of these approved identity issuers and brokers. And the broker is kind of like a key thing here because it’s what the online services nowadays see when they talk about the Finnish Trust Network. And the broker role was established in the 2016 legislation. And it meant that you as an online service provider can go to the broker and have a single contract and a single technical integration, and you get all the 13 issuing identity issuers through the same single contract, because the brokers have the connections to the 13 issuing identity providers. And that makes the life of an online service provider way easier than it used to.
And to kind of like also let’s say excite the market, there’s also a price cap on the wholesale of authentication transactions. That means that an identity issuer sells authentication transactions to the brokers but there’s a price cap which is at this moment it’s 3 Euro cents per transaction. And the combination made it easier for online services to adopt strong authentication because you only have one thing technically in the integration. And you have one single commercial contract and the prices started to become, let’s say, not cheap but affordable, in the sense that it makes sense for online services to start integrating strong authentication to their own service frontends.
And also for the FTN, it’s kind of like an umbrella term. Under the umbrella falls also the recommendations that we are developing at the National Cyber Security Centre and other documentation that try to level the playing field for all stakeholders of the Finnish Trust Network. And that’s basically what the Finnish Trust Network is. I might have forgotten something but you’ll get my contact information after this interview so you can contact me for further questions anyway.
Petteri: And you were asking about the benefits.
Petteri: I touched upon a few of those already, so if you need to strongly authenticate Finnish citizens, you just have to go to a broker and make a deal and that’s it. You get basically the whole population of Finnish people through a single contract and that’s a really good thing for any organisation trying to establish an online service where they need to strongly authenticate that customer.
Oscar: Yeah. Definitely what you said earlier the fact that before Finnish Trust Network, every – let’s say an e-commerce place or a department store, whatever all these organisations that would like to have the strong authentication will need to make 10or 11 different contracts and now it’s only one. So that already says like there’s a huge difference in terms of how easy it is for any organisation to embrace this strong authentication for their customers. And Finnish Trust Network is only for Finland or it could be beneficial for organisations outside Finland?
Petteri: Yeah. Well, the Finnish Trust Network, as a concept and as a regulation, it only concerns the identity issuers and the brokers. So when these stakeholders provide strong authentication they fall under the regulation and the concept of Finnish Trust Network. The online services fall outside of the regulation and that basically means that you have an online service that could be international, or it can be Nordic or whatever that is, just more than Finland or established for example in another country, but wants to serve customers that are Finnish customers and they need to have strong authentication in place. So, the fact is that the only way that they can do this is through the Finnish Trust Network and through an approved broker of a Finnish Trust Network. But let’s say there are also lessons to be learned in what we have done in terms of all the regulation recommendations and these kinds of things that can be useful for organisations that are outside of Finland as well.
Oscar: And you also mentioned that the Finnish Trust Network had to also comply with some other regulations such as eIDAS, and I know you are now, right now in your new position you are involved in with eIDAS. So, could you tell us first of all, a refresher what is eIDAS and which direction is this going?
Petteri: Yeah. We all have limited time at our disposal, so I don’t think that we can spend eight hours on going through eIDAS. But just a shortened reminder to anyone listening, it’s an EU regulation that deals with electronic identities and trust services. And sometimes trust services are kind of difficult to understand but mainly they are about digital signatures and so it’s related to digital signatures. And let’s say qualified certificates and these kinds of qualified services.
And so, we are in itself it’s a schizophrenic regulation. So, it could have been done in two different regulations but they decided in 2014 to put eID things and this trust services into one regulation. So that’s where we were standing at 2014. Now, it states that every five years these regulations need to be reviewed. And right now, we are in the review phase of the eIDAS, which is pretty interesting, because as a citizen of any European nation or organisation or wherever, you can try to affect or try to tell the European Commission what you think would be the best way to move eIDAS forward. And the commission has outlined at this moment, if we talk about the eID side – digital identities. They have three main avenues that they are investigating and the first one is the incremental improvements to the existing regulations.
So, let’s move forward but let’s not make any getting drastic changes and maybe create some new recommendations through ENISA that has a new mandate now or maybe create some new implementing acts because the commission has the power to do these things, it’s in the act regulation and it hasn’t acted up on this. And this is something that quite a few member states have said that it would be nice to have implementing acts on a certain kind of topics within the eIDAS regulation. And not just for eID but also with the trust services side.
And the second avenue or let’s say proposal is in line with the actual Finnish Trust Network where they are saying that it could be so that the private sector IdPs and the stakeholders or organisations providing these kinds of services could get a qualified status of eID. And so, it’s kind of like we have the qualified stamp or status that can be granted to a trust service, but it cannot be granted to a service related to the eID. Now the commission is saying that what if we would create such a scenario where we could grant these kinds of qualified statuses to the eIDs as well. And that’s what we have been doing within the Finnish Trust Network for the past, I don’t know, three years?
And the third avenue is well, it’s been actually in the news, where the President of EU has said what about if we do an EU ID, so European-wide digital identity? So, I think that’s the most drastic measure proposed in a sense that it’s completely a new take on eIDAS and eID but I don’t know. I mean it remains to be seen what the actual avenue will be if and when the eIDAS regulation will get any updates or anything. And then there are of course the improvements and issues related to trust services of eIDAS. They also need some kind of updating as well.
Oscar: Yes. So as you said there are three avenues for what comes next for eIDAS. And the last one you mentioned sounds pretty bold like European-level identity. Sounds bold but OK, wow, how to make it happen. So it’s super interesting to know what will bring out of that. So now is the revision phase, right, revision phase for eIDAS, so how long this is going to take?
Petteri: I’m not sure if it’s open anymore. There was at least one questionnaire was open until 2nd of October, but there might be some ways to still get your voice heard. But yeah, I’m not sure about the exact current situation. There were several questionnaires published by the commission on the eIDAS in the previous months.
Oscar: Sure. But the decision will take still sometime, right? Correct?
Petteri: Yeah, yeah, yeah, absolutely. Absolutely.
Oscar: OK. Well, very interesting to see what are these three avenues, so eIDAS is evolving and yeah, thanks a lot for sharing this. We would like to hear now from you, practical advice, if you can give us a tip for anybody to protect our digital identities.
Petteri: Yeah. That’s a really good question. The first thing that comes to my mind is one word, “Don’t.” So, if you get an email, if you get a WhatsApp message, if you get a text message or whatever that has a link that requires you to then authenticate, just don’t. Don’t ever go through that avenue.
But there are some ways if you even do these things. There are some things that you can improve, let’s say the persistence to identity theft and all this kind of things of your digital identity. And one thing that is quite common and quite easy to use that you activate two-phase authentication wherever possible like Twitter, Google, Facebook, these kinds of services. And if your service allows you to do these things, make them happen right now. Don’t wait because once the database of the service provider is leaked and it’s only password based, your identity is out there. So, enable this two-phase or multi-factor authentication options if you have the possibility.
If you don’t have the possibility, the third option is to use for example, a FIDO-based authenticator or technology and that means that you can buy or acquire a USB token that can be attached to your computer and that will then hold identities to these online services in the FIDO token. And that’s a pretty secure solution. The downside of that is of course that if you lose the token then you will be in trouble. But combining all these things you should be fairly secure. And why I say fairly secure is that there is no such thing as a, let’s say 100% secure system. That doesn’t exist in the world. The only 100% secure system is one that hasn’t been invented yet. So when the first line of code is written it’s vulnerable.
Oscar: Yes. Yeah, you put it very clearly. And thanks a lot also for these tips, definitely important to follow. And thanks a lot for sharing all this information, your career and about Finnish Trust Network and about eIDAS in which direction it’s going. For the people who like to learn more about these topics, tell us please how we can get in touch with you or where to find more information.
Petteri: Yeah. I mean I’m quite active in LinkedIn, so the shortcut to my homepage is LinkedIn.com/in/door which is the thing that you open when you enter a room and home. So, indoor, in/door and Twitter handler is @ihalain.
Oscar: Excellent. Well thanks a lot Petteri for this conversation and all the best.
Petteri: Yeah. Thanks for having me, Oscar. It was nice to talk about these things. And hopefully for you listener there’s something new that you learned. If not, well, I think there it was.
Oscar: Of course. Thanks a lot.
Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
[End of transcript]