eServices must prepare for changes in banking credentials-based identification

Published 28.06.2018

The TUPAS protocol Finnish banks currently use in their e-identification services is no longer compliant with the Finnish requirements for strong electronic identification that have been harmonised with EU legislation. The stricter information security requirements require banks to adopt a more advanced protocol. Moreover, changes are required in all online services that use banking credentials-based identification. FICORA requires online service providers to implement the necessary changes by September 2019.

In the future, strong identification procedures are more likely to be based on the SAML or the OpenID Connect protocol instead of TUPAS. Finance Finland (FFI) has announced that they will not continue to develop TUPAS to meet the new requirements for strong identification.

Changes needed in eService identification interfaces

FICORA Regulation 72 on strong electronic identification imposes a deadline for implementing message-level encryption in TUPAS-based identification services. It is very likely that the security requirements of the FICORA Regulation will lead to TUPAS being replaced with other protocols. A long transition period is provided, as this is a major change for online service providers.

The implementation of the SAML or the OpenID Connect protocol and message-level encryption requires action from all online services that identify customers on the basis of banking credentials. The information systems of online services must be adjusted to support identification message-level encryption. Both the identification service provides and the online service providers are required to add message-level encryption to their system interfaces. For this purpose, the identification service providers and the online service providers must create and exchange new encryption keys. Message-level encryption reduces the risk of, for example, a user’s personal ID being logged in clear text format.

Banks must make the updated identification interfaces available to eServices by March 1, 2019. Current TUPAS protocol-based strong identification services can be provided alongside the new interface until the end of September 2019. Online service providers must apply the necessary changes to their systems during this period. From the start of October 2019, TUPAS identification services can no longer be provided in their current format as a means of strong identification.

Trust network for easier acquisition of identification services

During the transition period, online service providers are encouraged to consider acquiring their identification services on a centralised basis from an identification broker service that belongs to the trust network. The trust network is comprised of registered and monitored strong electronic identification service providers, listed in FICORA's register.

In the trust network, two types of strong electronic identification services are provided: identification device providers offer identification devices (identification means) to users and identification broker service providers offer customer identification services to online service providers. The identification device providers conclude agreements with the identification broker services to allow them to provide online service providers with centralised customer identification services. This means that as soon as the agreements are in place within the trust network, online service providers will have improved opportunities to acquire identification services, because they no longer need to conclude separate agreements with each bank or other identification device provider.

The aim is that, in the ideal case, an online service provider could acquire all its customer identification services from a single identification broker service based on a single agreement, and it would only need to exchange encryption keys with that broker service. The online service provider would not need to know which protocol solutions are used between the identification broker service and the issuers of the identification devices.

Contact information:

Marko Priiki, Legal Counsel, tel. +358 295 390 596

Anne Lohtander, Legal Counsel, tel. +358 295 390 618

Jukka-Pekka Juutinen, Head of Security Supervision, tel. +358 295 390 523 +358 (0) 295 390 523

Email addresses: firstname.lastname(at)

Further information

News published on 10/4: TUPAS-tunnistamista käyttäviltä asiointipalveluilta edellytetään muutoksia

News published on 24/4: Enimmäishinta tunnisteen luomiselle - luottamusverkoston neuvottelut takkuavat

Background information

Strong electronic identification devices (identification means) currently in use in Finland include online banking credentials, mobile certificates provided by telecom operators and the certificates for citizens and organisations provided by the Population Register Centre. Strong electronic identification devices are rec-orded in a FICORA register that can be found on the FICORA website.

Identification device providers grant strong identification devices to users. Identification device providers include banks and telecom operators that offer strong electronic identification devices, such as banking credentials or mobile certificates, to the public. The identification broker service provider relays strong electronic identification events to various eServices, i.e. to parties relying on electronic identification (for example an online store or an e-government service). These are referred to jointly as identification service providers.

Identification service providers belong to the trust network. The trust network was established to ensure that eServices offering different types of online services could acquire their customer identification services on a one-stop basis from a single identification broker service, regardless of which Finnish identification devices their customers are using.

Key words: Information security , Cyber security , Electronic identification , News

LinkedIn Print