Authentication in e-services

If you wish to enter a national e-service, you must first authenticate yourself, i.e. prove that you are who you claim to be. Authentication must be reliable and secure, because no one wants their data to be accessed by strangers or a villain to make transactions on their behalf. In national e-services, personal identification takes place through a central secure channel (National Authentication Service), where you can authenticate yourself through ID-card, Mobile-ID, Smart-ID and the authentication tools of European Union countries.

What is SSO and how does session management works?

If you use Google Services, you know that one login is enough to access your emails, documents, and photos. When moving between e-services in the Estonian public sector, you can similarly use the one-time login option. As the name implies, such a solution requires only one authentication: if a user has entered an e-service through the State Authentication Service, he or she can use other e-services without having to re-identify in all of them.

The following is a step-by-step example of how authentication works with session management in e-services.

1. Login to e-service by e-portal eesti.ee

The user goes to the e-service page (state portal) and clicks "Log into self-service" to log in.

2. Personal identification, i.e. authentication using the example of Mobile ID and creating a new session

The user is redirected to the authentication service to log in, where a page for selecting authentication tools is displayed. In the background, the authentication service checks each time whether the user already has a valid session in the state portal for the given web browser. In this case, there is no valid session and the user is authenticated.

In this example, the user selects Mobile-ID as a means of identifying the person. To do this, the user enters his/her personal identification code and phone number and presses "Continue."

The user's mobile phone is then sent a verification message with a verification code, which the user confirms by entering PIN1 on their mobile phone.

3. View of the logged-in user in the e-service (state portal)

Upon successful completion of the authentication procedure, the user is routinely redirected to the service/self-service environment home page, where access to the operations is available, when logged in to the e-service.

4. Continuation of session in another e-service (e-population register)

In this example, the user selects the action "Change of data in the population register" in the state portal, which directs the e-population register to the environment of the self-service portal in order to start the operation.

In the background, the authentication service verifies whether the user already has a valid session for this web browser. If the user has an active session in the authentication service, the consent page will be displayed for the user to transfer the data to another e-service. If the user agrees to continue the session, a new session for the e-population register service will be created in the background. This will prevent the user from signing in further, and the user will see the view already logged in in the next e-service.

5. Ending the session, i.e. logging out of the e-service

Once the user has completed the operations in the e-service, he/she will press "Log out" on the state portal to exit the e-service. In the background, the authentication service finishes the session in this e-service (state portal) and the user is asked about other active sessions in the authentication service (e-population register in this example). The user can choose to continue using other sessions by pressing "Continue session" or to finish all sessions at once by pressing "Log out of everyone." When a user completes all sessions, they will be redirected back from the authentication service to the e-service page, where they will receive a message about successful logging out. Thus, the user has been safely logged out of all previously logged-in e-services at the same time and no longer needs to log out of e-services individually.

Management of user’s active sessions on multiple devices

The self-service environment of the State authentication service https://minuautentimine.ria.ee offers an overview of the user's active SSO sessions in the State authentication service, where the user can see their active sessions and terminate existing sessions centrally. To do this, the user must first identify himself on the https://minuautentimine.ria.ee page, after which a list of active sessions will be displayed.
For example, if a user logs into several e-services on a shared computer and forgets to log out, he has the option to end the session on any device (for example, a mobile phone).

The user can also navigate to the self-service environment via the link on the authentication, session continuation and logout pages in the state authentication service:

Management of user's active sessions on multiple devices

The self-service environment of the State authentication service https://minuautentimine.ria.ee offers an overview of the user's active SSO sessions in the State authentication service, where the user can see their active sessions and terminate existing sessions centrally. To do this, the user must first identify himself on the https://minuautentimine.ria.ee page, after which a list of active sessions will be displayed.
For example, if a user logs into several e-services on a shared computer and forgets to log out, he has the option to end the session on any device (for example, a mobile phone).

Asking for a higher level of authentication when continuing authentication in an e-service

In order to prevent access to e-services with an authentication tool with a lower level of security than permitted by the e-service, the authentication service checks in the background, before referring the user to the next e-service after the session has been resumed, whether the authentication tool used to create the existing session meets the minimum level of security required by the e-service. However, if the user has entered the e-service with a less secure authentication tool than required in the e-service, the user will be re-authenticated and the previously valid authentication session will be automatically terminated in the background. After successful re-authentication, a new session is created and the user is redirected to the e-service.

This special case occurs only in authenticators with certain personal identification devices of certain European Union countries, the security levels of which may be lower than the authentication devices used nationally in Estonia (ID-card, Mobile-ID and Smart-ID). A list of authentication tools recognised in accordance with the requirements of the eIDAS Regulation in the European Union and descriptions of their security levels (LoA, Level of Assurance) can be found here.