Let’s talk about digital identity with Telia Company’s Lauri Immonen – Head of Security & Identity – and Joni Rapanen – Global Product Manager.

In episode 4, Oscar talks to Lauri and Joni about why the Telia Identification Broker Service (TIBS) came about and the challenges of creating an award-winning cross-border service.

The TIBS offers several strong authentication methods with just one service agreement and integration. It relays strong identification events and data between identification service providers and customer services used by end users. The strong authentication methods offered today are TUPAS and Mobile ID. Additional authentication methods will be added and they will be immediately available to all TIBS customers – including methods from multiple countries, to enable a global solution.

Read this case study to find out more about the Telia Identification Broker Service, including how and why it was built, plus the benefits for all parties – https://www.ubisecure.com/wp-content/uploads/2019/10/Telia-Identification-Broker-Service-Ubisecure-Case-Study.pdf

[Scroll down for the transcript of this podcast episode]

Lauri Immonen

Lauri Immonen

Lauri Immonen has held various positions within Telia Company for the last 17 years and now leads the Commercial Security & Digital Identity portfolio on a group level. He is an experienced speaker on Digital Identity, Privacy and Cyber Security. 

Joni Rapanen

Joni Rapanen

Joni Rapanen is the Global Product Manager for Identity Services at Telia Company. He has 15 years of experience in the identity & digital signing area – from national ID cards to private b2b identity – and drives strong authentication, attributes and identity federation to support more secure overall digitalisation of thousands of different services.

Telia Company is a telecommunications service provider offering mobile, broadband, television, and fixed-line services to both individuals and organisations. It also provides business services from the Internet of Things (IoT) to system integration services and financing solutions. Headquartered in Stockholm, a hub for innovation and technology, Telia Company serves millions of customers every day throughout the Nordics and Baltics – one of the world’s most connected regions.

You can find information about Telia Company’s B2B identity services here – www.telia.fi/yrityksille/infrapalvelut/tietoturva/tunnistuspalvelu – and about their B2C mobile ID here – www.telia.fi/kauppa/palvelut/mobiilivarmenne (both links in Finnish).

Read more about the European Identity and Cloud award for the Telia Identification Broker Service at ubisecure.com/telia-award.

We’ll be continuing this conversation on LinkedIn and Twitter using #LTADI – join us @ubisecure!

Go to our YouTube to watch the video transcript for this episode.

Let's Talk About Digital Identity
Let's Talk About Digital Identity
Ubisecure

The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.

 

[Podcast transcript]

Let’s talk about digital identity. The podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: Hello and thanks for joining today. Today we’re going to hear about Telia, what Telia is doing specifically in identification, as a broker service.

For that, we have two guests today. So let me introduce you to them. Lauri Immonen has held various positions within Telia Company for the last 17 years and now leads the commercial security and digital identity portfolio on a group level.

Then we have Joni Rapanen. He’s a global product manager for identity services in Telia Company. He has 15 years of experience in the identity and digital signing area, from national ID cards to private B2B identity, and he’s driving strong authentication attributes in identity federation to support more secure overall digitalisation of thousands of different services.

Hi Lauri and Joni. Welcome.

Lauri Immonen: Hello. Thanks for having us.

Joni Rapanen: Yeah, thanks.

Oscar: It’s great talking with you. So Lauri and Joni, let’s talk about digital identity and I would like to hear first how you entered into this world of digital identity.

Lauri: Yeah. Maybe I will start. So I’ve been working in the company for 17 years like you mentioned and during that time, I’ve also worked as a product manager for identity services on a group level and that I think it was around the time when the eIDAS Regulation started to arise. GSMA work for a global authentication of Mobile Connect started to be developed and I got really interested in this – basically the problem statement of strong authentication of identities in Europe and of course in a global context as well. And how it is really morphing ourselves.

When we enter into different contexts and roles, we are still the same person. But how do you prove that online? And I think it’s an extremely interesting development and changes our way of working but also our normal individual selves.

Joni: Yeah. So personally I started as a software engineer in a software company, smaller one that did encryption-related software and after that I was an information security consultant for companies.

As an IT security consultant and with the wide area of that, I got more and more of these ID-related tasks, maybe based on the encryption background and related to that, here we are still. So basically it has continued to the more like wider identity area and tied into the services because when we look now compared to 15 years ago, there is a lot more e-IDs and e-services used. So – and I think it’s still a growing area.

Oscar: Yes, I agree with what you say Joni that now you guys have much more experience than I do in digital identity and we have seen how things have changed in 15 years around the – in this world. And it’s true, today digital identity is much wider. So we’re going to talk today about something much more specific. It’s about – it is called identity broker and specifically because Telia has been awarded recently – in the European Identity and Cloud Awards 2019 – as the best consumer identity project and this project was Telia Identification Broker Service. So please tell us about this project.

Lauri: Sure, I will start. So Telia has been in the identity field or market for a long time. And specifically in the Nordics, the countries are formed by post-paid subscriptions which by default requires that we know exactly who the end customer is.

And at the same time, there’s other movements in these markets and every country is different and there’s the predominantly – it’s three types of players. It’s governments, banks and telcos.

This is not the same all over the world but in the Nordics, it looks pretty much like that and without going into smaller details, this creates a situation where there are multiple authentication methods used by the people, with the exception of Sweden where the BankID predominates the strong authentication market.

But this creates a situation where in the pan-Baltic Sea region, we as citizens are authenticating ourselves in various different ways provided by these solution providers. And this creates complexity but it also creates a position where people are used to authenticating themselves online for various reasons, for public and private sector services and also within B2B.

And this is both a blessing and a curse in a sense that when you have enterprises operating in this region, for example, they don’t have a unique solution that roams or crosses the country boundaries.

But at the same time also digital service providers like e-commerce and what have you, they need to be – a way of integrating with this, all of these multiple sources of authentication.

Then you have also regulations around it. Like how can you re-enrol different types of identities across the platforms? But maybe Joni can go into more specifically into our winning identity brokering service.

Joni: Yeah. So basically in Finland, there are about 18 different strong e-ID solutions that you can use to fill your tax declarations and basically whatever. And as an online service provider, to provide this e-services, you had to integrate all of these 18 different like e-ID vendors, individual APIs and make your commercial negotiations and make your like agreements and data privacy agreements with them.

So it’s quite a hassle as a one-time task for the service provider. But it’s not only as like a hard one-time task but more of a bigger issue is actually in life cycle management because then you have to follow all of these 18 different vendors and how their APIs are changing and now when the world – at least in Finland – has gone to the mode that almost any companies have their own software developers but they are outsourced to big integrators and that means that always when there is a small change in the – one of the APIs, you will need to have a new project basically with the outsourced integrator and then between those times, no one is actually following all of those 18 different vendors and how their services keep changing.

So you usually find out by your customers that have complained that for some reason they cannot access the service and of course it’s too late at that phase. So basically we are buying those ID transactions from all of the legal, strong e-e-ID vendors in Finland and we are federating them behind one Telia Identity Brokering Service API where you have easily – easy to integrate standards-based APIs that a service provider can choose a couple of options that best fits their need. And then you can only make one commercial contract and agreement with us and get all of those different solutions, behind one solution basically. So that’s the main thing for the service.

Oscar: And what makes it difficult to have this cross-border identification?

Lauri: Well, in the Nordic countries, the people have been used- and both on a cultural but also governmental aspect that every single citizen has a social security number that is provided by the government and it uniquely identifies who you are as a legal person.

And this also relates then also from – like I mentioned, about the post-paid subscriptions but also to any type of public contract that you want to create. However, these do not roam. So the cross-border authentication does not work in that way.

But this is also wider European context. Like the European Union Commission has published, or basically regulated, the eIDAS regulation that aims exactly to harmonise the cross-border authentication of citizens to enable business but also transparency between the public organisations and individual citizens. And we have been working along that with our trust services and also the ID brokering service across Nordics and Baltics where our company’s footprint exists and we are trying to solve this problem.

But I think it also goes back to where different players, the banks, governments and telcos have had a different market position, market share, and also maturity in that particular country, whatever we are talking about.

So that has created a situation where in some countries, banks are predominant. In some countries, like Estonia, the governments are very progressive in issuing digital identities. And in some countries, it’s telcos and in some countries, it’s a mix of this.

Then to create a solution like the ID brokering service that basically tries to solve the complexity is our answer to try to solve that particular customer problem. But I think to answer why is it difficult, it’s a mixed bag of, like Joni mentioned, 18 different solutions in Finland alone and it’s just a question of maturity.

Then going back to the eIDAS regulation, that is a regulatory approach to try to harmonise. And across Nordic countries also, there is Pan-Nordic government activities to harmonise the national e-IDs, so that we could – just like today, we can move to any country and register ourselves to live in that particular Nordic country as a Nordic citizen. But also we want to – or they want to -digitalise that.

But I think this complexity is really the question – that different players moving at different times in different countries and also the consumption of our– or cultural even, the aspect of like in some Central European countries, there is no government-issued identification number or social security number that can be traced and is used in many different transactions.

But in Nordic countries, we have these and everybody is accustomed to give that personal ID number or social security number when you are performing especially commercial transactions with any type of way. So not only for public sector use cases.

Joni: Yeah. So I would like to add that we are also driving as Telia and with GSMA. GSMA, the standardised global mobile ID solution called Mobile Connect that actually has standardised the APIs to our service providers and also provides this kind of global discovery service that you could actually get many mobile operators, mobile ID services with one global interface as well. And we are currently going towards that one and also to support these kind of public global cloud services that are growing all the time.

Oscar: So for instance Mobile Connect would be part of your – the same product, the same Telia Identification Broker Service. It will be part of that.

Joni: Yes. So the Mobile Connect is part of the whole offering and it’s one of the APIs that a service provider could integrate. But with Mobile Connect the main advantage comes from that you can actually get the Spanish Mobile Connect enabled users from their local operators to your service with the single standardised integrations and with less commercial contracts as well.

Oscar: Yes, and Lauri, you mentioned that eIDAS, the standard, is going to help somehow this challenge. How is it going to help?

Lauri: Well, what I’ve understood that it really points into is to increase the so-called fluidity between commercial transactions by private citizens towards enterprises or between each other. So like I could buy a car from Germany online without going there and trust that the other person is who he or she claims to be.

It cannot happen today. There is no digital passport, which I’m really looking forward to having. Instead I have to carry my passport wherever I go, but it’s a standardised way of proving who I am wherever you go. And I think in the future, maybe long or short term, we will progressively move into the digital passport era so to speak and the public sector or governments are progressively driving this. I mean it’s not only regulatory issues, it’s also the – you know -governments want to know who is where so to speak. And Mobile Connect is – and GSMA, for those who don’t know it, is basically a federation of mobile network operators around the world.

Like the Mobile World Congress for example in Barcelona yearly is what GSMA hosts and so on. And it also drives the standardisation of 5G and among others and Mobile Connect is one of the products that we co-develop within that community. And Mobile Connect can operate as a replacement so to speak on social log-ins that are very popular today but then you’re basically trading your privacy against the usability.

With Mobile Connect, you can prevent that. You have a secret pin code that you authenticate yourself with the application on a mobile phone and you log into the service. So it’s also a two-factor security add and very usable in that sense.

And another thing that it can help is the cloud services that Joni pointed out. Like Office 365 phishing and CEO fraud are one of the biggest practical threats that are actually happening right now as we speak when it’s the holiday season.

So phishing emails are being sent and fake invoices and if you lose your Office 365 password, somebody can log in from anywhere to your account and so on. And the Cybersecurity Centre of Finland has published warnings in the past regarding this, so it’s a very real topic.

By using a two-factor authentication, such as Mobile Connect or mobile ID service, you get a unique way of securing your account and we look very much forward to publishing this.

Joni: Yeah, and it actually goes a little bit backwards here security-wise because if you look a couple of years ago, there was no way that big companies would allow you to access your corporate email and your corporate document storage by only using username and password. Like basically many of these global B2B cloud services are working today.

So you needed to have a VPN and you needed to have a strong authenticator, two-factor authenticator for that. But now the transition has happened in the way that most of the big companies nowadays use these kind of cloud services for document storage and emails and such, and there will be really big issues with those and I think that’s only kind of a question of time that when we can start to see those happening.

Lauri: Yeah, and it’s – as always it’s a balance between usability and security in a sense. But nowadays, you really need to use – look into the usability aspect because everything needs to be easy and I think that is a good transition and a trend.

But in order to support the mega trends of hybrid cloud transition, mobility and overall digitalisation, and especially in zero trust environments, the two factor – or in our case, we believe in the Mobile Connect, the mobile factor authentication as a two-factor. That is our bet on how do you secure the digital identity of the user and that is for sure required in the future because like Joni said, when everything is accessible and you have a zero trust framework, then that by definition needs a strong authentication of who is actually accessing what and when, if not where.

Oscar: Yes. Coming back to the service you have, the Telia Identification Broker Service, Joni mentioned about the APIs. You have to maintain and integrate many APIs that are changing at different times and there’s always technical complexity I see. But what else would you say are the behind-the-scenes elements that have to work very well in order to have this service?

Joni: Yeah. Well, the identity brokering service is like a true real time service as we don’t actually, as Telia, get to use or get those user social security numbers accessing the tax office for example to – or FILI] or some kind of government things.

So it has to work in real time between the actual original e-ID vendors and the online services that the actual transactions are going to. So we don’t store any information in the identity proxy of the users and that’s why it’s very important that all the different parts and connections are working 24/7 and that there is no cuts because it instantly destroy the function of the whole service. So at least by now we have everything running 24/7 without breaks.

Oscar: Oh, excellent. And what are the type of companies or organisations that would benefit the most by taking a service like Telia Identification Broker Service? So what companies need it?

Lauri: All the companies [laughs] because as we are looking into the – well again, the mega trends around us, I mean physical brick and mortar shops are closing down, especially in banking. We still have the reality of those – all those multiple e-IDs around. So you need to be able to support them as a service provider, whatever service you provide.

So I think this is the useful way of enabling strong identities in your business. We could also elaborate into what we have done in Telia Company which is that our internal VPN for example, is only accessible by authenticating yourself with your mobile ID service that we provide externally.

So we use that internally instead of having a let’s say third party authentication method, multiple factor authentication method. So we use our own service to provide that. At the same time, actually it’s based on your social security number.

So you are actually identifying yourself at work for our internal tools by providing information that who you are as a real person, as a citizen of that particular country. So that evolves into a situation where you actually bring your own identity into work and also as a private person. And going back to the ID brokering service, we combine all of these availabilities and those can be then used in whatever use case you have, as an enterprise service provider business. So ecommerce is definitely one of the biggest industries.

Oscar: So you have many customers in ecommerce for instance.

Lauri: And public sector also. And for example and Joni can actually maybe elaborate a bit on our Finland public registration centre that provides, well, public sector services from the government to the citizens and that, by definition, needs strong authentication of your citizenship and maybe Joni can say a couple of words about it.

Joni: Yes. So we have lately won the – or almost a year ago now – won the biggest public bidding in Finland to provide this e-ID transaction and that means that we are basically providing all the e-ID transactions for all the government-based public services. And today we currently have more than 3000 services you can actually use behind our service.

So there is quite a lot of different industries. So I can tell for an example that I just bought a house and I actually made that bid for the salesperson with my mobile ID and signing digitally the bidding document online. And then I made registration for the land registry online and the declaration of the property tax in Finland and your water subscription and electricity subscription.

And then I rented a van online to move my stuff from the old house to the new one and it was completely done online with my mobile. So I also used my mobile ID to rent the van and I picked it up actually from the local IKEA’s parking lot where they have left the van, as the van rental company, and then when you access it with the website with your mobile and authenticate with your mobile ID to that one and sign the renting contract, it actually opens remotely the doors to the van and you can start it and so on.

And there is not a single person involved in this kind of car rental as well. So the whole kind of thing is done online nowadays and based on this kind of services. So basically it’s – let’s say quite advanced but also quite reliable to the service and dependant on those online like e-ID solutions work or otherwise any of the solutions that will not work.

Lauri: And that they can be trusted and that they are trusted by all the parties involved. So you need to fulfil the regulatory things but you also need to fulfil kind of like a global internet community standard if you will. And basically for this reason, what Joni explained from this personal life, we as Telia, we are the only telecom company in Europe that has a root certificate authority platform and we used that as the base of the digital identities of humans and machines into solutions that we provide, such as signing and archiving and time stamping so that who you are, what you want to do can be trusted and traced back essentially.

But also of course we sell like SSL certificates as well for websites. But the certificate authority-based digital certificates are required in order to fulfil this kind of use case that Joni went through and we believe that the paperless transactions are of course the future.

We like to say that as an enterprise, you – the more you deal with paper, then 99 percent you can save in costs when you move into the digitalisation of the trust-based services that you need.

Oscar: That was a very, very good example and quite impressed that you have done – bought a house plus every single other service that you need from your mobile phone. And who is running this service? It’s some real estate company or who has integrated all this?

Joni: Yeah. So these are mostly like individual services. So it’s not a single place but you can handle all of those from those services’ websites. And like I said, this kind of – it’s very important that these services are running 24/7 because if you are like running a car rental company, that doesn’t have any like physical locations for employees to fill this paper with you, it basically means that your business is dead if that …

Lauri: There is no room for downtime in this kind of services.

Oscar: OK. Then I would like to hear about the future. You already– I also want to ask about Mobile Connect. You already mentioned that Mobile Connect is already integrated on your service. What are your future plans about this service or in general in Telia in terms of digital identity?

Lauri: I would say that the user centricity becomes more of the need of the future in the digital and mobile world as contra the B2C customer-centric. So we have GDPR. Of course everybody knows about that. And this kind of user-centric, consent-driven utilisation of your identity online, this will become the issue, and who facilitates that the best will win.

And the race is to get rid of passwords and the competitors are the governments, banks, telcos and social media login providers – who by the way will steal your privacy. [Laughing] But I think this is really the future. We start to get more and more rid of physical transactions, signing papers and so on because it’s so costly. Archiving, we can elaborate on public ledgers or that technology. It might be one of the solutions for these future platforms. But the trend is definitely in this – well, mobility, cloud transition and digitalisation overall and who facilitates the digital identity of you as a user will win.

Joni: Yeah. We can also provide some additional attributes to the transactions. So like your physical address and such. So it doesn’t only bring added security because if someone has like stolen your identity and tries to use it to order some sofa or whatever online, it would actually still come to you. So – and these are of course done with the user’s explicit consent. But this is a very good example of the service that’s not only adding security but also usability for the end user because at least in the mobile business, when you are a lot harder to type this kind of things to the shopping carts and whatever you need. So it also makes our life easier in that sense.

Lauri: Yeah. There is something around 70 – depending on the research, about 70 to 80 percent of mobile-driven shopping carts are abandoned, as you would say, for the sake of usability. It’s not easy enough to – unless you populate it once and then you have a profile that is maybe a constant log-in or something. But still maturity of the mobile-initiated shopping carts are abandoned. So there is also a business opportunity there to facilitate things more easily in a secure way.

Oscar: Excellent. I would like to finalise asking both of you some tips that you can give us to anybody for protecting our digital identities.

Lauri: Yeah. Well, two-factor authentication is something that you really should enable. Bear in mind when you get those notifications to your email box that there is an initiated log-in from a previously untrusted device for example. Don’t reset your passwords.

One practical example is from Sweden. In Sweden the e-ID market is pretty dominated by BankID. It is a consortium company that is used and owned by multiple Swedish banks, that has created into a solution that there is a predominant position of BankID and nowadays on a mobile device, that is used as a strong authentication method of public and private sector authentications and signing.

This has led to a situation where when you have a big and predominant position of one single e-ID in the whole market, that criminals are starting to try to phish out your identity and today in the gross numbers, in Sweden there is more reported identity thefts than bicycle thefts and I think that’s quite interesting and the modus operandi of the criminals is basically that they find out – and this goes back to also like in the Nordic countries where you have a publicly-given unique social security number It is not so difficult to find out what is my social security number.

Then as a criminal – or somebody else’s. And then as a criminal, you would phish out in some way the information that what is your bank. You would initiate the log-in online and then you would call to that person, claiming that you are from the security department of that particular bank and in order to secure your digital identity, please authorise yourself on your mobile device and I can initiate that request to your phone by entering the social security number onto the web or online bank.

And then if you believe me and you authenticate yourself on a mobile device, the criminal actually logs into your bank account and immediately starts to transfer money away and this is the predominant way of stealing your identity online.

And when you do this 1000 times and you succeed sometimes, then it becomes a profitable business. And the Swedish police authorities are constantly warning people not to – never give – not to give out your secrets or basically in this case a pin code or to anybody calling you. Banks are warning constantly that they never call and ask for authentication. It still happens but I would say that that is the number one way to protect your identity online. Don’t believe those people who call you and want you to authenticate yourself.

Oscar: Yeah, because in the past, the bank used to call you or some – or an organisation called you to …

Lauri: Some of them, yes.

Oscar: Yeah.

Lauri: Yeah, yeah.

Oscar: But the norm is today …

Lauri: Never.

Oscar: Never. OK.

Lauri: That is the norm today. But it still happens so much and this is of course, you know, when – in Finland, if you have 18 different authentication methods, it’s much more difficult to try to find out what is the authentication method that you are using actually. But when you have only one predominant, then it becomes more of a – let’s say a criminal business opportunity.

Joni: Yeah. So maybe I should add please don’t do the same password between different services online and if you don’t do that, at least use a different one for your email with the password reset function that you use between the services, as we still wait to get the two-factor authentication for wider service base online.

Oscar: Yeah, exactly. It’s going to take a bit of time, yeah. We have to deal a bit more with this. Well, thanks a lot both Lauri and Joni for telling us about the service, Telia Identification Broker Service and what are the challenges. Very interesting and how you’re working to help all of us. Let us know how we can find more information about the service from yourselves.

Joni: Yeah. So you can find the identity services in your local corresponding Telia country’s websites. So we have the B2B as well as B2C services in the ID area and you could also use Google to find those or directly from the Telia website as well.

Oscar: OK. Again, thank you very much.

Lauri: Yeah, thanks for having us and let’s make passwords the thing of the past.

Joni: Yes, thanks.

Oscar: All right, thank you. Bye-bye.

Thanks for listening. Let’s Talk About Digital Identity is produced by Ubisecure. Be sure to subscribe and visit ubisecure.com/podcast to join the conversation and access the show notes. You can also follow us on Twitter @ubisecure or find us on LinkedIn. Until next time.

[End of transcript]