Legal, consulting, project leadership and know-how hub. Based in Sandvika, Norway.
High maturity electronic services need to be simple, convenient and attractive. Only personalized e-services can compete with real-life user experience (in simplicity and usability). In order for the user to receive the personalized services, the systems must authenticate the user. Usually such authentication involves user typing-in the login names and passwords.
In order to maintain adequate level of confidentiality and for protection of user’s identity, the Service Providers demand for separate user profiles in different electronic systems. The user must use different passwords for each e-service.
As the user starts using more and more (personalized) e-services, the number of passwords increase. Some of the Service Providers (like banks) demand higher security levels, so their password systems become more complicated (they issue password-cards, which contain many passwords, which must be used in specific order). Some Service Providers (to simplify the complicated password schemes) introduce password generators (PIN calculators) to make user experience simpler, however in such cases the user must protect their password device, maybe many such devices, which is extremely inconvenient.
The Internet community had long ago adopted a technology, called Public Key Infrastructure, which is capable of replacing all the passwords. The user is no longer requested to remember hundreds of their electronic identities: one secret key is used to authenticate to all the electronic systems. This secret key is never exposed to the world (it is stored in a secure electronic circuit, which never releases this key, so it always stays hidden since its creation until its expiry). The user must remember just one password (PIN code), which activates secret key on the electronic circuit to produce a unique login token for each authentication transaction.
This Public Key Infrastructure also allows to digitally sign electronic documents (like PDF documents): the signature can have a legally-binding implications for the signer (provided the local legislation allows such a framework to operate in legal way).
The mobile PKI solution (also called wPKI) delivers the best user experience so far:
- It does not require for the user to carry around the secure key (private key) token – this token is incorporated into the SIM card.
- The mobile phone is a personal device (or at least expected to be a personal device in the nearest future due to its dropping price) and the user carries their phone around, so whenever the user needs to authenticate themselves or sign some document, they can do it with their mobile phone right away.
- The mobile PKI infrastructure is maintained centrally, the user does not have to take any care of it, it always works, in case there are problems, they are always resolved centrally.
It is possible to implement this solution in every country where SMS service works and where SIM cards are used in mobile phones. The mobile phones do not need to be very high-end: every mobile phone, which support SMS, will likely support the wPKI, because it is implemented on SIM toolkit standard, which is supported since year 1998 by all the mobile phone manufacturers.
How does it work?
The wPKI framework consists of several independent players:
- The end-user is the one, who gets the private key token (SIM card) and the PIN code to activate it during transactions;
- The Registration Authority is an entity, which investigates user identity and provides/issues the private key token (SIM card) to user;
- The Certification Authority is an entity, which produces an “electronic passport” for the end user (can be several of them);
- The Trust Services Providers (can be several) is a mediation entity, which connects to all the CAs and to many Service Providers.