Blog‎ > ‎

Secure PKI based mobile user ID authentication

posted Oct 7, 2014, 8:50 AM by Sami Lehtinen   [ updated Nov 25, 2015, 8:08 AM ]
Finnish Mobile ID authentication process example

What is mobile certificate based digital ID for authentication?

What is mobile id

How to securely login with mobile phone. This is official legally binding authentication. So it's as good as your passport and signature on official agreement.

1. On service you want to login select option to use mobile id / authentication for login.
2. Enter your phone number and security code (password, optional) to proceed.


3. You'll now see the request ID, it also arrives soon on your mobile phone.


4. Now you'll see the authentication request on your phone. Verify that the request ID is correct and continue.


5. Then enter your ID's personal PIN code. (It's not same as SIM PIN hopefully!)


6. Now your browser shows that it has received authentication from your mobile phone. It shows your name and your personal national identification number. As well as what service has requested the identification and where the information will be passed. When you approve this page, the login will be forwarded to the site you're logging into.


This same method can be also used to sign agreements, official documents, tax documents, what ever, requiring signature, date, place, etc. So it's as good as you with your passport, ID document and legal signed documents. No need to print, scan, main, sign, legal agreements, documents, and stuff like that. You can also login to medial, investment, legal, taxation, police, etc services with it.

More technical stuff? See this PDF document @ Mobiilivarmenne.fi

This should be quite secure. Private key is only stored inside secure chip, it's not being shared with anyone, it requires separate PIN to be activated. Chip can't be (at least easily) cloned, etc. Only thing I don't like, is the usage of request ID. So when the mobile shows the request, user doesn't know what is being authenticated in detail. Basically if you do this on compromised PC, it's possible to mislead you to sign things, which true content you haven't ever seen or don't know. But this is very common failure with many signature solutions and there aren't actually many practical solutions out there which cover this issue.