In late 2014, the country of Estonia established what they refer to as their “e-Residency” program: the Estonian Government offers a digital identity card, similar to those given to their citizens and permanent residents, to foreigners. One of the benefits of the e-Residency program is to make it easier for non-residents to do business in Estonia. Digital identity cards can be used for secure authentication (at Estonian banks, for example), and make it much easier to set up a corporation there. Electronic signatures made with the cards are considered to be legal signatures in Estonia.
Initially, during the program’s pilot phase, one had to travel to Estonia to be issued a card. But recently it became possible to apply online and pick up one’s card at an Estonian embassy or consulate. Since my consulting work deals with online authentication and credential issuance, and I travel to Washington, DC from time to time, I decided to apply for one.
The application process was straightforward: you fill out an online form and attach a scan of your passport and a recent photograph. The form also asks why the applicant wants an Estonian ID card; I explained that I am a computer authentication researcher. There was a 50 Euro fee that I paid by credit card.
I received an email acknowledgement, and about two weeks later a message indicating that my application had been approved. About 10 days after that, another message told me that my card was available to be picked up at the Estonian Embassy in Washington. About 10 days ago, I made an appointment and visited the embassy, located a couple of blocks from Dupont Circle.
When I arrived, I was met by Christian, an embassy staff member who completed the issuance process. He verified my physical passport against the scan I had provided, and obtained images of fingerprints from my two index fingers. I also signed a form acknowledging the terms and conditions. I asked about the various numbers on the card and Christian explained them. There is a document number, effectively a serial number for the card, and a “personal code” which is an Estonian national ID number that I had been issued. The personal code is discussed in more detail below. The entire issuance process took about 15 minutes.
Included in the package were the digital identity card itself, a small USB smartcard reader, and a sealed envelope with the initial PIN for authentication, PIN2 for signing documents, and PUK for unlocking the card in the event that I enter the PIN wrong too many times.
Upon returning to my hotel, I tried using the card (I had previously downloaded the necessary software and installed it on my Mac). At the “welcome” website, I entered my document number and was told that the card had not yet been handed to me. Probably due to time zone issues, I had to wait until the next day for the issuance of my card to be recorded, probably by an OCSP server in Estonia.
The following day, I made my first successful authentication to their website. The login process consists of attaching the reader to my Mac and inserting my identity card, then pressing a Sign In button on a website that accepts it, such as https://eesti.ee. A pop-up prompts me to enter my PIN, and I’m signed in.
I initially had problems signing in with the Firefox browser on my Mac, although Chrome worked fine. After a couple of interactions with Customer Support (who were very responsive, by the way) we determined that disabling and re-enabling the Firefox extension cleared the problem.
Here are my initial impressions from using the card:
Things I like
- Logging into a website using the digital identity card is convenient and secure, and does not involve sharing a password, or my PIN, with the site.
- The software used by the digital identity card is open source, on GitHub.
- The issuance process was well thought out. They understand the importance of in-person identity proofing for a secure credential. Their collection of a couple of fingerprints provided non-repudiation for my registration, which is especially important when it is being used to generate legally binding signatures.
Things that could use improvement
- Estonian ID numbers (the isikukood, or personal code) reveal too much about the user. The first digit gives the user’s gender, and the second through seventh digits give the date of birth. A good identifier should be fully opaque, not revealing anything about the user. This is really an issue about Estonian ID numbers and not specifically about the identity card.
- The user’s full legal name and ID number are always revealed to sites when you log in. This allows the sites to correlate your behavior with other sites and perhaps with offline activities as well. A better approach would be to generate an identifier that would be unique for each site, and release the name and personal code only when required for the transaction and authorized by the user. However, they are very transparent that this is taking place.
- After logging out of a website, it’s necessary to exit and restart the browser. This is inconvenient, and from what I can tell has no security benefit.
- After restarting the browser, I was surprised to find that it is possible to log in again without entering the PIN. Apparently it is cached somewhere. I haven’t been able to find any place where this caching is described, and being surprised is not a good thing for a security product such as this.
- It is possible to sign out and back in while leaving the card and reader physically connected. This means that it might be possible for malware on my computer to log me in by proxy on an attacker’s computer. It would be better to require some local physical action to ensure that the card isn’t being used without my knowledge.
- There isn’t any way to be absolutely certain that the pop-up window prompting for my PIN came from the identity card software and not from some other malware running on the computer, in the browser, or even on the website I’m currently on.
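
The two identifier points in the list above (what the personal code reveals, and a per-site identifier as the alternative), as an added Python example; it is not from the Estonian ID software or any code by the post's author. The century meaning of the first digit and the check-digit rule are details of the personal code format beyond what the post states; `pairwise_id`, `issuer_secret` and the site names are hypothetical, and the sample code is constructed.

```python
import hashlib
import hmac
from datetime import date

SAMPLE_CODE = "38503151239"  # constructed for this example, not a real person's code

# The first digit encodes both the century of birth and the gender.
_FIRST_DIGIT = {1: (1800, "male"), 2: (1800, "female"),
                3: (1900, "male"), 4: (1900, "female"),
                5: (2000, "male"), 6: (2000, "female")}

def check_digit(first10: str) -> int:
    """Two-pass mod-11 check digit computed over the first ten digits."""
    for weights in ((1, 2, 3, 4, 5, 6, 7, 8, 9, 1), (3, 4, 5, 6, 7, 8, 9, 1, 2, 3)):
        r = sum(int(d) * w for d, w in zip(first10, weights)) % 11
        if r < 10:
            return r
    return 0  # both passes gave 10

def decode_personal_code(code: str) -> dict:
    """Return what any relying party can read straight out of the identifier."""
    if len(code) != 11 or not (code.isascii() and code.isdigit()):
        raise ValueError("personal code must be 11 digits")
    if int(code[0]) not in _FIRST_DIGIT:
        raise ValueError("unknown first digit")
    if check_digit(code[:10]) != int(code[10]):
        raise ValueError("bad check digit")
    century, gender = _FIRST_DIGIT[int(code[0])]
    born = date(century + int(code[1:3]), int(code[3:5]), int(code[5:7]))
    return {"gender": gender, "date_of_birth": born}

def pairwise_id(issuer_secret: bytes, code: str, site: str) -> str:
    """Hypothetical per-site identifier: HMAC over (site, code) under a key
    the relying sites never see, so two sites cannot correlate the same user."""
    msg = site.encode() + b"\x00" + code.encode()
    return hmac.new(issuer_secret, msg, hashlib.sha256).hexdigest()[:32]

if __name__ == "__main__":
    print(decode_personal_code(SAMPLE_CODE))  # leaked by the identifier alone
    for site in ("bank.example", "shop.example"):
        print(site, pairwise_id(b"issuer-only-secret", SAMPLE_CODE, site))
```

The identifier a site receives from `pairwise_id` is stable for that site but reveals neither gender nor birth date and does not match the value any other site sees.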
These are first impressions; I plan on updating this blog post if I discover anything in conflict with the above. The Estonian identity card is a fine experiment, and further demonstrates Estonia’s sophistication in use of the Internet to do business. I’m looking forward to doing more with this identity credential.