Let’s talk about digital identity with Max van de Poll, Product Manager for SplitKey at Cybernetica.

In episode 3, Oscar and Max discuss how Estonia is leading the way with an advanced digital government and what other countries can learn from them. Max also educates us on SplitKey – Cybernetica’s authentication and digital signature solution, which provides secure two-factor authentication and legally binding signatures. Find out more here – cyber.ee/products/digital-identity.


Maximiliaan van de Poll

Max is the Product Manager for SplitKey at Cybernetica. Cybernetica is a research and development intensive ICT company, based in Estonia, that develops mission-critical software systems and products, maritime surveillance, and radio communications solutions. cyber.ee.

Max’s focus, beyond his product, is on digital identity in the real world, promoting Estonia as one of the best examples of a long-term national digital identity that has enabled massive efficiencies in both the public and private sectors, with many lessons ready to be learnt by those that might follow.

Prior to joining Cybernetica, Max worked in consulting as a digital transformation project manager in London, working on large scale, business critical programmes.

Reach Max on Twitter – @MaxCvdP – or LinkedIn – www.linkedin.com/in/maxvdp.

We’ll be continuing this conversation on LinkedIn and Twitter using #LTADI – join us @ubisecure!

Go to our YouTube to watch the video transcript for this episode.

Let's Talk About Digital Identity (Ubisecure)

The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.


[Podcast transcript]

Let’s talk about digital identity. The podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: Hello and thanks for joining. You might have heard of Estonia as one of the most advanced digital societies in the world. And this success has been led by government initiatives. And there is a company that has played a major role in developing and maintaining much of Estonia’s digital government technology over the last 20 years, such as internet voting, the X-Road platform, tax and customs. We’re talking about Cybernetica. And from this company today, we are going to talk with Max van de Poll.

Max currently works at Cybernetica in Estonia as SplitKey Product Lead. SplitKey is their mobile authentication technology for digital identity and signing. Prior to Cybernetica, Max was a Digital Project Management Consultant for large-scale digital transformations. Besides his current role at Cybernetica, he has a strong focus on digital identity in the real world, looking at Estonia from the inside with an outsider’s perspective, and at other countries that have successfully implemented high-penetration digital identities, like its Scandinavian neighbours. Hello, Max.

Max van de Poll: Good morning.

Oscar: Good morning and it’s great talking with you.

Max: It’s fantastic to be on. Thank you very much for inviting me.

Oscar: Yeah, it’s going to be pretty fun. And I’m really interested in hearing about Cybernetica. And actually, to give more background to people who are not so familiar with how Estonia is today, could you start by telling us briefly what the main achievements of Estonia in e-government are? So, what can citizens do in Estonia today that they cannot in other countries?

Max: Absolutely. Well, Estonia is an incredibly interesting country, much of it coming from the digital government. And like you mentioned there, it’s seen as one of the most advanced digital governments in the world. If you Google “most advanced digital government”, Estonia is what comes up most of the time. And like you explained, Cybernetica has been at the heart of that.

But what that means for the individuals, the citizens here, is much better interaction with not only the public sector and the government services they use for tax and for medical and for healthcare and things like that, but also the private sector – how they can interact with the public but also utilise the other government offerings to make the service as a whole much, much smoother.

So, as you were introducing me there, you explained that I’m coming as an outsider looking in. And I think, from the experience I’ve had so far in my life, I’ve lived in five or six countries and set up different lives there, different identities, opened bank accounts and maybe bought property and cars and things like that. In Estonia, that process is incredibly straightforward and smooth.

One of the best examples I have is just recently I bought a house – maybe four months ago – with my wife. And that process, from applying for my mortgage online, never having to step into a bank, to signing the documents in front of a notary, took 12 days. And the only way that’s really possible is when the bank can carry out checks. Once I have given it permission, it can carry out the checks on me and my wife, it can carry out checks on the sellers of the property, on what he and his wife own, on who else might have ownership of that property, and also look into what debts I may have or other outgoings.

And all these checks are made possible because all the governmental departments and the private sector companies that are involved are connected and can all use the single digital identity they have for me, and confidently use it knowing they’re all talking about the same person, without having to have so much interaction from humans in between. That’s one of the best examples I have.

Similarly, when I bought a car and I registered it, registration was done instantly. And then when I went to insure it, once I submitted the insurance, again, it’s online, that’s pretty standard elsewhere. But by the time I had gone back to the registration tab and refreshed, it showed that my car was recognised as insured.

So, these are the kind of examples that show how the services we use, where we’re used to maybe having to go into physical offices and sign things, or present documentation to prove who we are, or maybe send these things through the mail – none of it is necessary in Estonia. Things are mainly online. I think they say 99% of government services are available online. And the only two things you can’t do are get married and divorced, or purchase property or land. Everything else is a convenient, streamlined solution available to everyone.

And like you mentioned, internet voting – Estonia is the only country in the world that has parliamentary elections that allow voting over the internet for all of their citizens. And in the most recent election, I think 44% of the people who voted, voted online. And that’s only possible when there’s a solution in place that’s trusted, it’s transparent and it’s secure.

Similarly, taxes take just a few minutes each year, again because all the governmental departments and the private sector employers have the ability to connect and talk about each individual confidently and securely because of their digital identities. It means that really, for the actual activity of declaring taxes, you have all the information in front of you, and it’s a case of just saying, “Yes, that looks correct”. And you submit it and you sign it with your private keys.

So, just a few examples of what you can do here that many other countries are working towards and are getting there. And certainly, in Scandinavia, I know that the digital identities there offer many similar advantages. And other countries in Europe, like the UK, Ireland and Germany, are working towards services like this. But Estonia has been here for a long time; it has had digital identities and digital signatures for about 20 years and it has learned the lessons. And it’s a great example. This is why I really do try to promote Estonia as a great example of successful digital government, with digital identity running very smoothly.

Oscar: Yeah, certainly, it’s quite impressive what you are saying, of course. And it is a paradigm for other countries that hopefully, in the near future, can achieve similar benefits for their citizens.

Max: Absolutely.

Oscar: And you said that you have been travelling and living for a few years in several countries, so you can compare how difficult it was to do all of these procedures in other countries. Yeah.

Max: That’s right. You get caught in silly loops. I know I bought a car from Ireland to Scotland. And when I went to register it, I wasn’t able to register it until it was insured and I wasn’t able to insure it until it was registered. Similarly, sometimes when you want to rent a property, they won’t allow you to rent until you’ve got a bank account. And they won’t allow you to have a bank account unless you’ve got a permanent address. So, you get caught in these silly loops because the different departments or government agencies, they are not talking to each other.

Oscar: Yes.

Max: Allowing kind of the process to take place simultaneously.

Oscar: Right. The fact is that all these government agencies, as you say, are disconnected; they don’t share the same identity and the same database, in fact.

Max: Yeah.

Oscar: OK. And tell me when you got involved in this world of digital identity.

Max: So I think I came at it from two angles, and it’s really quite – maybe a short space of time, but quite a focused space. So, I moved to Estonia actually a year ago tomorrow. And I started working for Cybernetica around the same time. And since moving to Estonia, I’ve obviously experienced, in my personal life, how things work for individuals. And then, working for Cybernetica, I see it from the inside, I see the technology. I have access to the people that have been involved in the development and the maintenance of this technology, and the history that has led to Estonia getting here.

So, sometimes I feel like I’m an outsider looking in from the inside, because they’ve got a wealth of experience and information in Cybernetica, which has been at the core of Estonia as a digital government, the implementations and technologies, for over 20 years now. And it’s not just Estonia’s digital government; Cybernetica has been involved in several other digital governments’ implementations around the world, and that number is growing. So you can see how the same lessons learned here in Estonia are being applied again and again. So that’s maybe a relatively short background, certainly with regards to timeframe. But in that short timeframe, I’ve had great access both personally, in my own life, and professionally, with people who have been at the core of world-leading technologies in digital government.

Oscar: And seeing in a broader spectrum, not only seeing the e-government but also business to business, business to consumer, what would you say that today are the main challenges in digital identity?

Max: Yeah, great question. I think a lot of it comes down to balance. I’ve spoken to a lot of people in the industry, and what I find is that many people have different views around what’s the most important thing when it comes to digital identity. Often privacy comes up, privacy and anonymity, which certainly makes a lot of sense: when you offer specific information, maybe you only want to offer what’s absolutely vital and not offer more than is necessary.

Privacy is just one piece. Other things that need to be balanced are trust, control, convenience and then, of course, the technology and the security that surround it. And we’re never going to be able to achieve the maximum of any of those things. We’re never going to maybe achieve a Zero Trust solution where we don’t have to trust anyone. And we’re never really going to achieve this 100% private or anonymous setup, really, in the offline world. So that is kind of equivalent to maybe if I was to purchase something from someone I didn’t know, I never meet: I put some money in a box and I leave. They arrive, they put, let’s say, the product in that box and take the money. And then I go and collect the product. As much as that might seem nice, that I can say, “OK, no one knows that I’ve carried out this transaction”, there’s no way of going back on the transaction if there are any issues, any concerns about, maybe, the product that I purchased. And so, that kind of scenario online also has the same concerns around it.

Control is another big one. People often say they want the individual to control their data, be the ones that own it and the only ones that have access to it, which again is another nice thing to have and certainly kind of idealistic but it comes down to where is that data being held? Is it being held maybe on their mobile device? And if it is, if that’s the case, then we have to trust that the mobile device can protect that. And these days it’s not sufficient really, we don’t look at mobile phones as kind of dedicated security devices that can really protect everything that’s on them.

But we still want the convenience, and it has to be something that’s easy to use or people aren’t going to use it. And certainly convenience and security are a balance that we’re always trying to keep on the internet. And unfortunately, I think convenience wins most of the time. But you can see where I’m going with it, that there are many different aspects or pieces that need to be balanced. And unfortunately, I don’t think we’re ever going to be able to please 100% of the people 100% of the time.

But this is where I kind of looked to say, look at what has been successful. Look at the Scandinavian countries, look at Estonia and look at their digital identity solutions that have been running for 10, 15, 20 years and seeing how they work, where the trust is being held. Certainly, banks are often at the centre of that. We trust them with our money. And they often hold some of the trust that we need to put in them. Maybe third-party trust service providers, we need to give some trust to them.

With regards to privacy, the systems can be different and maybe someone is always going to be able to see the transactions but not what takes place in those transactions. But it’s just the real world scenarios that we have to live in, the societies we live in and the regulations and the laws that we also have to obey that can sometimes force our hand in what we have to balance or how we have to balance it.

So I think they are the challenges, trying to get the right amount of trust in the right people with the right level of privacy and anonymity using the correct technology that’s secure enough but also convenient and allows us to have the right level of control that makes us comfortable.

Oscar: I think you have expressed this in a very, very good way, because you mentioned all these aspects, and I don’t know how many, but you mentioned at least 5 or 6 of them.

Max: Yeah.

Oscar: And you said that the balance is– well, the challenge is to put the balance in every product or every service that exists.

Max: Yeah. Exactly, I certainly see that as a challenge. I’ve spoken to advocates of digital identity, people who provide technology, people who provide services, and they all have different views. Those who provide services see the real-world difficulties, that maybe in certain societies they have to be able to provide transaction information to the police in that country, so privacy may be limited. Elsewhere, in the advocacy space, it’s all about privacy and anonymity and being able to interact without the government or a third party being able to see it. And so there’s a gap, and there’s maybe a happy medium that we have to meet there.

Oscar: Yes. OK. Going now to what you are working on, what you are focused on today: I know you are product lead of a product called SplitKey, which is a very interesting product. I will definitely want to hear more about that. As far as I know, that’s secure mobile authentication among other things, right?

Max: That’s right, really kind of authentication and digital signing.

Oscar: And digital signing, correct. And it has high assurance without using tokens or hardware, as some banks provide these tokens, right?

Max: That’s right.

Oscar: These one-time passwords. And you provide similar security without having the token, so everything is in the mobile phone with a mobile app. So how do you achieve that? How does this product achieve this similar level of security?

Max: Well, I think first – good question, and thanks for letting me explain. So SplitKey, maybe the vision behind it was to achieve the same level of security that’s achieved by other methods of authentication here in Estonia. So, every Estonian citizen got a smart card with their private keys on that card. And that was the first method of authentication. It’s been around, I think, for about 18 years now.

Then in about, I think it was 2005, ’06, ’07, Mobile-ID came out, which uses SIM cards, where the private keys are hardcoded onto SIM cards in people’s devices. And of course, that’s incredibly convenient, because now we don’t necessarily need to carry the card around anymore, because our phones have the private keys, and it’s on a hardware token.

But looking at the future, Google, Samsung, Apple, they’ve been kind of threatening to remove SIM cards for a long time. And then even in other countries they don’t always have that option, where a very large company with many, many telcos might not want to play ball and put private keys on SIM cards. So SplitKey was required, basically; there was a need to look into a third solution that achieved the same security as these other two tokens, but just a mobile solution that didn’t rely on hardware for the user or the telcos.

How it achieves that is it makes use of threshold cryptography, and I’ll explain that on a high level maybe later on. But what it means is that we can share the responsibility of protecting the user’s private keys between the user’s device and dedicated security hardware. So, this could be a service provider, like a third-party trust service provider that offers the digital identity service; maybe they have the hardware security module, the servers. And it could be a bank offering this service to its customers. It could be a large business that’s offering this or providing this for their employees.

How it works is the individual’s private key is generated in two shares from the beginning. It never exists in the whole. So, it means that we never rely on a single device to protect the user’s private key. It can never be stolen in one go from one place. One share of that private key is, like I mentioned, generated and stored on the HSM of the service provider or the business. The other share of the private key is generated and stored on the user’s device. And that piece that’s on the user’s device is split, using a randomly generated number, into two individually unusable pieces. One is securely sent to a server, which now holds two of the shares of the private key. And what’s left on the user’s device means that they have control, they have ownership of their private key; even if it’s only a share, it’s enough that they have that ownership.

Then this is where it mimics a smart card or a USB key or something like that, where, in the same way, the user owns their private keys. The user owns some of their private key on the device. And this piece that’s left over, like I mentioned, is individually unusable. So, if someone were to steal my device, that piece of the key is useless to them, because it’s protected with PIN codes; it’s actually encrypted with a PIN code.

This might seem like a simple factor, to encrypt something, but how it works is that this PIN code is cryptographically tied to that private key. It’s actually what encrypts the key. Unlike, say, passwords or biometrics, which we often use now. Biometrics is usually when we put our fingerprint on a scanner, or we show our face. What we’re doing is we’re giving the phone permission to decrypt the key using the phone’s encryption methods.

So the encryption key is on that device, the templates of our face and fingerprint are on that device. And often, in other situations, the whole key is on that device. So, on a single device, there’s everything you need. If you have enough time and power, you may be able to get what you need and act on someone else’s behalf. But with the PIN code being actually cryptographically tied to the key, it means that when I use my PIN code to decrypt it, it doesn’t need to be stored anywhere. It doesn’t need to be sent anywhere. So, when I decrypt it, that share of the key is able to sign a hash and send that signature to the server.

The server carries out the same activity using its shares of the key to also sign hashes, and this creates three signatures which come together. And when those three signatures come together, it’s at that point the server is able to say, “Yes, that’s the signature I expected, that’s Max. I know it’s him.” And the only way that’s possible is if I’d put in the correct PIN code. So this means we don’t need to store it anywhere. There’s no password management or PIN management or anything like that. And so, what we achieve really is – maybe there are three points that make SplitKey stand out.

And one, of course, is that there’s no token, which I know isn’t unique, but there is dedicated security hardware, which again isn’t unique. And the third piece is that there’s still ownership and control with the user. And again, it’s not unique. But when we put all three together, that’s the difference. We can have any two of those and it’s another service. So, dedicated security hardware and ownership and control are basically tokens, smart cards or USB keys.

Ownership and control with no tokens is when we have software-encrypted keys, software tokens on users’ devices, where we have to rely on the user’s phone to protect those keys, and the security on the phone. And maybe when we think of iPhones and Samsung Galaxy S phones, the flagships, they’re pretty secure; they’re at the top end. But we have to think that we’re trying to cover the whole range of smart devices, smartphones, all the way down to the cheapest, that maybe don’t have the best security. So, we don’t want to have to rely on those devices.

Of course, there are cloud signatures or cloud solutions where we have dedicated security hardware without the tokens, but this is when the user’s keys are held somewhere else, in a cloud. And then when they put in their PIN code or their password, they’re merely giving permission to the cloud service to use those keys that the cloud service already possesses. So if there’s ever a breach, or maybe even an insider attack, which is more common than we think, then the user doesn’t have control/ownership of those keys. It can happen without their input.

So, it’s really those three pieces coming together that mean that SplitKey can stand out and achieve the same level of security as hardware tokens, give the user the ownership and control but not require them to carry around anything more than the smart device, the smart phones that they usually do.

Oscar: Of course, of course these three elements together make a definitely very strong solution, the way you described it, compared to all of these other cases that are weaker. And you mentioned that this could be installed on virtually any type of mobile phone, not necessarily the high end. How is this possible?

Max: So, the philosophy behind SplitKey – or some of the pluses behind SplitKey – is that we don’t want to rely on the device to protect the user’s keys. So, it’s encrypted with a PIN code, and that PIN code isn’t stored on the device. So if someone were to steal my phone, and they were able to strip away all the security of the device and they were able to strip away all the security of the app, the code obfuscation and everything else, and they were able to extract my share of the key, without my PIN code it’s completely useless to them. And say a four-digit PIN code, there are only 10,000 possible combinations there. And a computer these days blows through that in less than a second.

So, the magic here, well, not the magic but the point here, is that if someone got my key share and they applied all the 10,000 combinations to it, they would decrypt the key. One of those 10,000 would be the decrypted key, but they have no way of knowing which one it is. The only time that PIN is verified is online. So they could try three different PINs on the server; it’s counting, and three incorrect attempts will just lock the keys. So, this is where we try to remove the responsibility of protecting the user’s keys from their devices. So in businesses where they want to promote bring-your-own-device, but there’s maybe that concern about how secure that device is, whatever they’ve got,

SplitKey removes that concern. And as long as they’ve either not given their PIN code away or they hold the device in their pocket, no one can act on their behalf. And it’s being evaluated; I don’t think I’ve mentioned EAL4+, it achieves the Common Criteria level there, which is often the criteria that’s applied to tokens, smart cards and USB keys and SIM cards.

And the other kind, PSD2 and eIDAS in Europe as well, it was really designed to achieve these, because it’s aimed at those companies or those services that require the highest level of assurance. So, digital governments, banks, maybe businesses that have a large number of employees, which means a lot of data, and can really get hurt if a cyberattack takes place.

Oscar: Regarding the server side, so the question now is who usually runs this server side, and I didn’t understand you completely whether this server requires some security hardware module or not.

Max: So it does. So the EAL4+ evaluation is based on a secure zone in a Hardware Security Module, in an HSM. It’s also being evaluated to EAL4+.

Who controls this is who offers the service. So, here in Estonia, there’s a service called Smart-ID, and there’s a trust service provider that offers the service to the population. And that’s its job. It’s a digital identity service provider. But in terms of, say, if it’s a bank, then the bank hosts the servers and they offer the service to their customers, so they can move away from one-time passwords or passwords altogether; they don’t have to send out, say, PIN calculators or one-time password applications, which are certainly better than passwords, but in my opinion they’re really the next worst thing. There’s still a password there. Still, something is being stored that can be stolen, and it doesn’t use PKI. So servers are hosted by the service provider, whether it’s a bank or maybe it’s a government department or a third-party trust service provider that offers digital identity.

Oscar: And what makes possible this splitting of the key, the fact that the whole key is never stored in either the phone or the server? What makes this possible is, you said, threshold cryptography?

Max: Threshold cryptography. Yeah, that’s right. I said I’d explain it a bit more. I think threshold cryptography has been– it’s been around for maybe 40 or 50 years now but it’s only more recently that the little super computers in our pockets are powerful enough to really actually make use of it. So kind of the simplified explanation is if you have a secret, threshold cryptography would be used in the case where the secret could be broken out into several shares. And then when we want to use that secret, we need to bring back a certain number of those shares.

So, say we broke it up into seven shares; threshold cryptography can create a scenario where we need five of those seven shares, any five of those seven shares, back together again to use, say, the private key to sign something, or the signature to authenticate something. And in our case, we look for a three-out-of-three system. So we have three shares of our secret, our private key, and we require all three of them to come back together, so it’s the signatures that come back together, as opposed to the key shares.

So, it’s like maybe on a nuclear submarine, where you’ve got two people with keys on either side of the room, and they both have to put their key in and turn it. You could look at that, in a really simplified way, as a two-out-of-two threshold system, where you need both pieces of the secret to do the action. But maybe if you had seven key stations, you only need five people with keys. You could also do that with threshold cryptography.

Certainly, I know the basics, but if anyone wanted to go even deeper, there’s an academic paper that explains the cryptographic concept that SplitKey is based on, which is on the site, cyber.ee. So I mean it goes a lot deeper, and certainly it’s a lot heavier. But it’s really interesting how it’s used, and it’s a simple concept that can be used to share the responsibility amongst different parties.

Oscar: And the product is mostly focused on authentication and also identity management?

Max: Yeah, so authentication and digital signing. So really it’s a case of, once there’s a service or system or a portal set up through APIs – it’s standard protocols and APIs – SplitKey can be used to basically enable people to authenticate the identities known on that system. And if they want to make a transaction, say they want to move money, like in banks, when you move the money you want to verify that transaction, you can sign the transaction. Or, if you have a contract, or you want to submit your taxes and you want to sign the declaration or sign the contract. It’s the same as authenticating really, just with a different private key, and you can sign that digitally, which connects back to the ID that’s known.

Oscar: What types of companies or organisations are already using this and can benefit the most from it?

Max: So definitely those that require high assurance – really have to know who they’re interacting with and be confident that when that person is acting, it’s definitely that person acting. In Estonia, I think almost 100 services use the service that uses SplitKey. But the ones most used are banks; all the major Nordic banks here in Estonia use the service, the Smart-ID service, for their customers to authenticate themselves, get access to their accounts and, of course, to send money, to apply for maybe loans, mortgages, things like that.

So, like I mentioned in the beginning of our talk, when I was buying the house, I never needed to step into a bank. I changed banks to buy my house, I applied for my mortgage application online and everything was carried out online. They never needed me to come in and show my passport or sign documents apart from the documents of actual kind of property exchange, exchanging hands. So certainly, I see banks as a big one.

And of course then digital governments that want to be able to interact with their systems more easily, where they don’t want to have their citizens come in, sign documents, or post documents, or present identity documents, like passports, or proof of address and things like that. They were able to move all of that online. It certainly means staff numbers don’t necessarily need to be as high. But it also speeds things up.

And there’s a really good example: in Norway, one of the banks there said that they went from 70 pieces of paper, nine mail correspondences and 16 days for one mortgage application down to no paper, no mail correspondence and one day. So you can imagine just the massive savings from that. And I know across Scandinavia the banks have cut down on something insane, like 20% to 40% of bank branches were to be removed or closed, because people were able to act online instead of having to come in to branches for the more high-assurance activities. So really, we do focus on banks and digital governments. And those are the main use cases for the SplitKey technology at the moment.

Oscar: Yeah, it’s quite impressive that many banks are already using it in many countries, as you mentioned, and seeing these benefits. And about the banks, were they in your first, let’s say, pilots of your product, or how did it come about? Did you sell to the banks, or were the banks part of these projects from the beginning?

Max: So, we’re the technology providers. We developed SplitKey for a service provider. And let me say it was banks that were actually- who also invested in this service because they wanted this solution to be available. And with any digital identity there’s a challenge in getting it out there, in basically getting it to be a success, making it successful, because it’s really- it’s a two-sided market. The citizens, they’re not going to really want to get involved, sign up for this, or kind of activate cards or download apps if there aren’t really services that are valuable or that they use frequently available to use it. And just like on the other side, those services that may be valuable and frequently used, they don’t want to integrate these solutions, kind of invest the time and energy into doing it, if there aren’t customers that are already doing it. And so, you kind of get neither side wanting to be the first one.

So, I think the UK and Germany are really good examples of where that’s been a struggle so far, but I know that both the UK and Germany now are looking to the private sector to kind of take the reins and kind of push out this digital identity, these digital identity solutions, by offering high value, frequently used services. And when you think of high value, frequently used services, banks might be what comes to mind. And if you look at the Scandinavian countries and Estonia and the Baltics, Latvia and Lithuania, banks have been at the centre of all of them. Either they are the ones that actually developed it and offered it or they were the first to get in on it. And they actually create a bit of – well, they create a lot of trust in the solution itself.

If the banks can trust it, and that’s a very heavily regulated industry with anti-money laundering and Know Your Customer kinds of things, if they trust it then the other private services go, “Oh, wow, that would really simplify things if I didn’t need my customers in my insurance company, the customers, to come in and sign documents or mail documents to me anymore. And if the bank says they know this person and are confident about it, then I’m confident that I can know that person too using the same solution”. So yeah, I really do push– and this is kind of my point about the real-world solutions, banks really are so very often kind of the key to having kind of high-penetration, successful digital identities.

Oscar: Yes, yes, that’s correct. And what about FinTechs, have you worked with FinTechs already?

Max: We haven’t actually worked with any kind of the new FinTechs on the market, these mobile solutions that have come around like say Revolut and Monzo and others. But it’s certainly– they are certainly growing and offering more and more services and maybe there aren’t so many at the moment that are maybe offering the really high assurance services that banks do like mortgages or loans that are in the hundreds of thousands of Euro range.

But if that’s something they start to want to do – and I imagine that that’s what they’re going to start offering in time, and large scale loans maybe for cars and things like that – they are really going to need to know who they’re dealing with, and right now, many of them kind of as they launched, are launching with better-than-password authentication solutions. But just like there are kind of weak and strong passwords, it’s the same with two-factor authentication and multifactor authentication. There are weak and strong multifactor authentication solutions.

There are solutions that have been evaluated by third parties, that have been pen tested by banks or by other third parties. Yeah, it’s that upper end that they need to be looking at, and certainly that’s where we sit. That’s where we’re aimed at, the upper end of the spectrum where the banks have done their pen testing and even countries have done pen testing. And we’ve had the third-party evaluation up to really the highest level. So, it’s when they really need that high level of assurance that maybe we come in. Of course, even if they don’t need it and they want something that’s very secure and removes responsibility from their customers’ mobile devices, their smart phones, then that’s obviously where we fit in as well.

Oscar: OK. Yeah, as you say, as far as they do relatively small transactions, well, they can handle it with a relatively weaker authentication method, but yeah, they might be offering, as you said, mortgage services and others, and that’ll be the time to use SplitKey- a solution like SplitKey.

Max: Exactly.

Oscar: Well, it’s very interesting to hear all this, what SplitKey is and the Estonian government’s huge achievements, and many things that both other governments across the world and also companies can learn from that. I’ll ask you a final question, it’s going a bit for anybody that is not necessarily involved in technology or in, let’s say, finance but wants to do something for their digital identity, what could you recommend for anybody? Give us a tip.

Max: Yeah, a tip for protecting your digital identity. You can look at the digital identity as anything that we kind of create online, we have little digital identities for Google and for Netflix and Amazon and Twitter and all those things. Kind of my tip, maybe it’s a three-part tip but it’s be careful what information you put and where you put it. If it’s credit card information and it’s a site you maybe only use once or twice a year or three times a year to send a birthday card somewhere, maybe don’t allow them to store your card.

But where you can, turn on 2FA, two-factor authentication. Like I mentioned there’s a range but anything is better than just a password. And all the major service providers online offer it now, Amazon and Google and Twitter and Instagram – they all do. And maybe it takes a few seconds to do it but highly, highly recommend you do.

And for those that maybe don’t offer two-factor authentication and you don’t want to put– you don’t have kind of sensitive information in there, then I think a password manager, for the less important stuff, which is what I do. Because we have so many– so many things online these days, these accounts, so we can’t possibly think of passwords, the different passwords for all of them.

So really yeah, be careful what information you put and where. Turn off two– turn on the two-factor authentication wherever you can. And for those that are less important, let a password manager take over and create passwords for you because it means that you’re not using the same password you are using for maybe your work email or your Instagram account for this small site that maybe doesn’t take as much care protecting your passwords as the others do. I think that’s my three-part tip.

Oscar: Great. Great tip. Thanks a lot, Max. It was great hearing more about you and about Cybernetica. Please, for anybody who wants to read or hear even more, please tell us how we can find you on the net.

Max: Yeah, absolutely. Well, cyber.ee is the website for Cybernetica. But of course, I’m on LinkedIn, Max van de Poll. And good luck with spelling it. And on Twitter as well, MaxCVDP. And yeah, any of those are things you can contact me through to find out more, to learn more about the technology, or if you’re just plain interested in digital identity, digital government and what Estonia has done. I’m always happy to talk and share my experience and the things I’ve learned.

Oscar: Excellent. Well thanks a lot, Max. And all the best.

Max: Thank you very much, Oscar. I really appreciate it. Talk to you soon.

Thanks for listening. Let’s Talk About Digital Identity is produced by Ubisecure. Be sure to subscribe and visit ubisecure.com/podcast to join the conversation and access the show notes. You can also follow us on Twitter @ubisecure or find us on LinkedIn. Until next time.

[End of transcript]