Integration analysis of various eID authentication solutions used in the private sector of Estonia
Date
2022
Publisher
Tartu Ülikool
Abstract
In Estonia, citizens can log in to online services via eID authentication schemes such as
Smart-ID, Mobile-ID, and smart cards. The vast majority of these authentications go to
banks and e-government services. If any other business in the private sector wished to
integrate eID authentication, they would find that information about authentication
providers is scarce and scattered. No comprehensible resources exist that enumerate
and compare various currently available eID schemes. The thesis aims to fill that gap
by listing available eID solutions and providing security and integration analysis. The
analysis will cover three solutions: Web eID, eeID, and Dokobit.
The main findings of the thesis show that the technology to support eID authentication
exists and that most businesses choose not to use eID authentication because the benefits
of using such a system do not outweigh the costs of integration. Additionally, this thesis
discovered significant security vulnerabilities in some eID solutions, previously assumed
to be safe and secure.
The thesis results serve as a reminder not to assume that a product is secure just because
it specializes in security.
Keywords
eID, Authentication, eIDAS, eeID, Dokobit, Web eID, Estonia, EU, private sector