
Mobile-ID technology


Hello!
I want to talk about what Mobile-ID is and how to use this service in your own software.

Prehistory


In the last 10 years, many different electronic goodies have appeared in Estonia: the ID card, electronic elections, e-school (e-kool), digital prescriptions (digiretsept), electronic tickets for public transport, portals for citizens and for hospital patients, a portal for submitting meter readings and paying electricity bills, and so on and so forth.

One of these e-goodies is Mobile-ID, a tool for identifying a user by means of a mobile phone. Roughly speaking, if you have a mobile phone with the right SIM card, you can easily log in to the Internet bank, to state portals and, in general, to any website that supports authentication via Mobile-ID. How to do this on your own website, I will explain at the end.

How the user sees it


First, let's see how Mobile-ID authentication looks from a user’s point of view.

First of all, you need to go to your mobile operator and sign the appropriate agreement. Your regular SIM card will be exchanged for a magic one that runs a special application able to process a certain type of SMS. That's it: from this moment on you are a happy user of the Mobile-ID service, which will cost you about $1 per month.

Now we go to the desired portal, for example the largest bank in Estonia, www.swedbank.ee, and enter the user number and phone number.

Picture 1: Login to the Internet Bank



A “control code” appears on the page (four randomly generated digits), and within a couple of seconds a special message with this code arrives on the phone.

Picture 2: check the code



I check that the numbers on the screen coincide with the numbers in the message, and confirm my agreement. I enter the four-digit PIN code. The beauty of this technology is that it is the only code I need to remember. No passwords for each site, no code cards for online banking!

Picture 3: enter the password



This is where the magic happens on our magic SIM card. It sends a signal to the server about your consent, the bank receives a notification, and voila: you are authorized!

Picture 4: we get to the bank



How it works


The scheme of work is shown in the diagram below.
There are three actors in the system:
  1. The user who needs to login to the site
  2. Site (bank, online store, state portal, etc. - in general, any site)
  3. The Certification Center (Sertifitseerimiskeskus, SK) is an organization that is trusted by the government and the telephone providers. It has a database of all Mobile-ID users, their phone numbers and personal codes (similar to the Russian TIN).




How the developer sees it


Suppose you are the developer of a site that wants to let its users log in via Mobile-ID. Say, for example, you are building an online store. What you need to do is contact SK via a web service. Calling the web service is rather tedious: there is a whole bunch of different parameters. If you build your website in Java, you will most likely have to generate a whole bunch of classes from the given WSDL, call the AXIS library and all that. So (this is why I am writing all this!), to make life easier for programmers, our company has released a special open-source library that lets you use Mobile-ID in just two lines.

It looks like this:
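    // Connect to the Mobile-ID web service
    MobileIDAuthenticator mid = new MobileIDAuthenticator("https://www.openxades.org:8443/");
    // Start the login; the session carries the control code to show to the user
    MobileIDSession session = mid.startLogin(phoneNumber);
    showMessage("You will receive an SMS with the code " + session.challenge + ". Press OK to confirm.");
    // Waits for the user's answer; throws if the user refuses or the phone is off
    mid.waitForLogin(session);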


That's all. Three lines. Call startLogin, show the user the challenge code and call waitForLogin. If the user agrees, the method returns the user's data (first name, last name, personal code). If the user refuses or turns off the phone, the corresponding exception is thrown.
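The exchange between the three actors from "How it works", together with the refusal cases just described, as an added example that is not part of the original post or of the library. It is an in-memory simulation with no SMS or network; all class and function names (User, SimCard, CertificationCentre, site_login, LoginRefused) are hypothetical, and start_login / wait_for_login only mirror the two calls shown above.

```python
import secrets

class LoginRefused(Exception):
    """Raised when the user declines, mistypes the PIN, or the phone is off."""

class User:
    def __init__(self, typed_pin, phone_on=True):
        self.typed_pin, self.phone_on, self.screen_code = typed_pin, phone_on, None

class SimCard:
    # Stand-in for the Mobile-ID SIM application; the PIN is checked only here.
    def __init__(self, pin, user):
        self._pin, self.user = pin, user

    def prompt(self, code_in_sms):
        if not self.user.phone_on:
            raise LoginRefused("phone unreachable")
        if code_in_sms != self.user.screen_code:  # codes differ: user declines
            raise LoginRefused("control code mismatch, user declined")
        if not secrets.compare_digest(self.user.typed_pin, self._pin):
            raise LoginRefused("wrong PIN")

class CertificationCentre:
    # Stand-in for SK: maps phone numbers to identities and SIM cards.
    def __init__(self):
        self.users, self.sessions = {}, {}

    def register(self, phone, identity, sim):
        self.users[phone] = (identity, sim)

    def start_login(self, phone):
        if phone not in self.users:
            raise LoginRefused("not a Mobile-ID user")
        session_id = secrets.token_hex(8)
        challenge = f"{secrets.randbelow(10000):04d}"  # 4-digit control code
        self.sessions[session_id] = (phone, challenge)
        return session_id, challenge

    def wait_for_login(self, session_id):
        phone, challenge = self.sessions.pop(session_id)  # single-use session
        identity, sim = self.users[phone]
        sim.prompt(challenge)  # raises LoginRefused unless the user consents
        return identity

def site_login(sk, phone, user):
    # The site handles only the phone number, the challenge and the result.
    session_id, challenge = sk.start_login(phone)
    user.screen_code = challenge  # the site displays the control code
    return sk.wait_for_login(session_id)
```

The mismatch branch is the reason for comparing the codes: a login that was not started from the page the user is looking at produces a code the user does not see on screen, so it is declined before any PIN is typed.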

Here you can take a look at the full Swing HelloWorld application using Mobile-ID.

To use the MobileID library in your code, simply add the following dependency:
  <dependency org="com.codeborne" name="mobileid" rev="0.9.2"/> 


By the way, using the Mobile-ID web services from Python is much simpler: here is how.

Summary


In addition to authorization, Mobile-ID lets you create a digital signature: for example, to sign documents, confirm money transfers in the Internet bank, and so on. True, for this you will have to remember a second PIN code (of 5 digits).

In general, Mobile-ID technology has a great future. Plans are already being made, for example, on how to pay for purchases in the store via Mobile-ID. In this video, the idea is outlined in detail.

But I don’t know which countries besides Estonia have such a thing. I seem to have heard that Lithuania does, but Russia, apparently, not yet.

So it goes.

I hope it was interesting.

Source: https://habr.com/ru/post/138892/

