Authentication and digital signatures with mobile phone (Mobile-ID)

Published on: 12/10/2009

Image removed.The Mobile-ID (Mobiil-ID) service is a collection of organizational and technical measures to create strong, seamless digital identity for internet users.

The usual authentication methods, like passwords, pin calculators or one time password lists do not meet the demand for bank level strong authentication, digital signatures, ease of use and low cost.

To use the Mobile-ID, the user must acquire the special SIM card available by mobile operators. For stronger security, the user needs to activate the service on a website with his Estonian ID card.

After that, the Mobile-ID is ready to be used on any compatible website for authentication and digital signature.

Policy Context

The Mobile-ID is compliant to Directive 1999/93/EC and subsequent Estonian Digital Signature Law.

Description of target users and groups

The target group is all active internet users.

Description of the way to implement the initiative

Image removed.

The service is implemented according to Public Key Infrastructure (PKI).

There is a local Certification Authority (CA) that issues the certificates and also acts as Trusted Party (TSP) for validation of authentication requests and digital signatures.

The Mobile Operator (MO) acts as the Registration Authority (RA) for the service.

All the Service providers (SP) that want to use the service connect to TSP.

There is a contract between MO and CA to purchase the certificates. There is also a SLA contract between MO and TSP where MO adheres to pass the authentication requests through its mobile network. TSP also may charge the SP-s depending on the amount of usage.

MO charges the end users fixed fee per month, currently it is set to  0.7 EUR and is independent of the usage.

Technology solution

Image removed.Image removed.

The users must get a special (U)SIM card from the Mobile Operator. The application on this card must comply with the Baltic WPKI Forum standard (

In the course of registration by the Mobile Operator, the request is sent to CA to generate the certificates (standard X.509).

There is a central SOAP application called DigiDocService that all the Service Providers must implement (

The authentication request is sent to the user's mobile phone using standard OTA platform that is implemented by Mobile Operator. The bearer is an SMS.

Image removed.Image removed.Image removed.
Technology choice: Mainly (or only) open standards

Main results, benefits and impacts

The main impact is for the users, as the login (authentication) process is more convinient and compatible between websites.

The benefit for service providers is that the authentication process is highly secure and low cost.

Return on investment

Return on investment: Not applicable / Not available

Track record of sharing

Due to the fact that implementing this service covers a lot of stakeholders (Service Providers, Certification Authorities, Mobile Operators, Government, etc) it is relatively hard to replicate, but everybody is welcome to follow this example.

Lessons learnt

1. The biggest problem of this kind of eID issuing is the user registration process, that is deemed secure enough by Service providers and Government. Actually there are no standards and no best practices available in this area. Current service activation on webpage with Citizen ID card is deemed too hard and restrictive for mass market.

2. Involve all stakeholders fully in the project implementation. Due to the large number of participants, there were big communication problems between the parties.

3. As Mobile-ID agreement can be connected only with a private person (personal agreement, PIN and PUK codes) then it was challenging to develop a schema on how to issue mobile-ID for corporate mobile users.

4. The SIM application development partner is crucial for the success of the project

5. Network tuning in order to guarantee SMS traffic prioritization and speed is more difficult than it seemed.


Scope: National