On 26 February, the Information System Authority (RIA) introduced the Smart-ID+ solution in the state authentication service. This change brought a new, more secure login flow to state e-services, reducing the risk of fraud and simplifying the user experience.
Smart-ID+ is implemented in state e-services such as the state portal eesti.ee, the Health Portal, the e-services of the Tax and Customs Board, the self-service environment of the Social Insurance Board, and other public e-services.
Helen Raamat, Product Manager of the Electronic Identity Department at the RIA, noted that the new solution will help to link the login process more clearly to the actions of the user. ‘Smart-ID+ makes logging in simpler for the user, while also more secure. All important authentication initiations are now performed on the device of the user, making it significantly more difficult for fraudsters to mislead people or perform actions on their behalf, said Raamat.
Although statistics from the state authentication service show that most authentications are carried out using Smart-ID, it will remain possible to log in with an ID card or Mobile-ID. The change will only affect the use of Smart-ID, which was upgraded to the Smart-ID+ solution on 26 February. From that date onward, when using Smart-ID+ in the state authentication service, users will no longer be required to enter their personal identification code on the website, nor will they need to compare verification codes. Instead, the login session is more securely linked to the Smart-ID application of the user, either by scanning a QR code or through a direct application-to-application connection.
Smart-ID+ introduced two new login methods to state e-services. If a user opens an e-service on their phone, they can select ‘Open the Smart-ID app’, after which the Smart-ID application will open automatically. To log in, the user simply enters PIN1, and the process is complete. There are fewer steps and smoother movement between applications.
If the e-service is used on a computer, the user must scan a continuously changing QR code displayed on the screen to log in. A dynamic QR code makes the solution significantly more difficult for fraudsters to exploit.
In order to use the new solution, users must ensure that the operating system of their phone and the Smart-ID application are up to date.
Smart-ID+ primarily helps reduce the risk of phone scams and social engineering, as authentication and confirmation steps are carried out on the phone of the user and are linked to actions initiated by the user. This makes it considerably harder for fraudsters to trick someone into approving a transaction they did not initiate themselves. At the same time, users must continue to ensure that they are using the correct e-service and that they enter their PIN codes only to confirm actions they have personally initiated.
Users should be aware that Smart-ID does not send SMS messages asking them to extend or renew the service via a link. All actions are carried out only in the official Smart-ID application or on the official Smart-ID website. If in doubt, users should log in to the Smart-ID self-service portal and check their Smart-ID accounts and the transactions made with them. Assistance is available only through official channels, the contact details of which are listed on the Smart-ID website. PIN codes may only be entered if the user has initiated the login themselves and can clearly see in the Smart-ID application which service they are accessing.
For more information about the new Smart-ID+, visit the Smart-ID website.
Smart-ID self-service portal: https://portal.smart-id.com.
