Suomi.fi e-Identification is a Finnish public service identity system. Using Suomi.fi, users can authenticate to any public administration service, and move seamlessly between the services that use it for authentication. It was introduced in 2015, and it now supports more than 200 million identifications each year. There are currently around 245 public and private sector services relying on Suomi.fi for identification.
Suomi.fi e-Authorizations was introduced in 2016. It can be used to digitally authorise other individuals and organisations to take care of tasks on your behalf, in a legally binding way. The system enables a wide range of scenarios, including the registration of mandates in complex legal entity forms such as public administration bodies, clubs and associations, churches, investment funds, deceased estates, bankrupt or liquidated entities and organisations with foreign officials. Mandates can either be granted to the assignee, or you can proactively request a mandate through the service. This reduces the actions required to get a mandate when the assignor is less familiar with the service and may be reluctant to initiate the process.
Offering a centralised platform for identification and authorisation streamlines the implementation and adoption of new online services. The efficiencies that this has enabled are quite incredible. The number of services connected, and the number of transactions, have shown strong growth since Suomi.fi’s inception.
Why was Suomi.fi created?
The Suomi.fi platform was born out of the National Architecture for Digital Services Programme, which ran from 2014 to 2017. Work and scope of the programme have continued since then and the platform is a core part of Finland’s digital e-government strategy.
Prior to Suomi.fi e-Identification, there were two widely used strong authentication services in the public sector: Tunnistus.fi and VETUMA. VETUMA included the ability to integrate payments-as-a-service. Consolidation and harmonisation of the services into Suomi.fi proved to increase adoption both by online services and by the general public.
Prior to Suomi.fi e-Authorizations, the KATSO platform served Finland for 15 years from 2006 to 2021. To ease the transition to Suomi.fi, mappings were made between KATSO roles and the new Suomi.fi e-Authorization Mandate Themes. In 2020, KATSO had 32 relying organisations and around 170 roles. Comparatively, today Suomi.fi e-Authorizations has over 200 relying organisations and over 400 mandate themes.
A detailed history of the Suomi.fi services, including e-Identification and e-Authorizations, can be found at https://dvv.fi/en/suomifi-history.
In 2022, 196.6 million logins were made via the Suomi.fi service to government services or private sector service providers fulfilling a government mandate. This was slightly less than the peak annual 200.5 million login events achieved in 2021 during the COVID-19 pandemic.
How does Suomi.fi e-Identification work?
Suomi.fi e-Identification is closely tied to the Finnish Trust Network (FTN) – a framework which allows application providers to enter into a single contract, with a single integration, to make use of multiple identity providers. Suomi.fi uses Finnish Trust Network actors to provide the strong authentication brokering and authentication for citizen login.
This means that a user accessing a service via Suomi.fi can be authenticated via a number of identity providers (IdP) – including all of the FTN IdPs that are brokered to the service, all using one integration and contract as enabled by the FTN. These are predominantly bank IdPs (see screenshot below for options), giving users choice over which strongly authenticated pre-existing identity they use to access public services with Suomi.fi.
The identity brokering part of the Suomi.fi service is contracted by the Digital and Population Data Services Agency from third-parties, and subject to the public procurement process. This was first done in 2017, again in 2018, and most recently in December 2020. This streamlines the system management significantly and enables cost savings. Like most major government service procurement contracts, the contract is put to tender at regular intervals. Thanks largely to the tightly specified Finnish Trust Network requirements, this part of the service can be defined so precisely that the only criterion for selection is the lowest price. The next procurement round has been announced for Autumn 2023.
How do Suomi.fi e-Authorizations work?
Using the authentication services provided by Suomi.fi e-Identification, Suomi.fi e-Authorizations provides the powerful ability to allow one party to act on another party’s behalf. This removes the need for paper-based powers of attorney or letters of consent!
Suomi.fi e-Authorizations provides very high-level authorisation using the concept of mandate themes. For example, the theme “Representation at the General Meeting” gives another person your rights at shareholder meetings.
The scope of the authorisation can be further tightened using the ID of the company in question. In this example, Jane Doe can represent someone at the General Meetings for company ID 123456-7 only:
Even non-Finnish individuals and organisations can use the electronic authorisation service, thanks to a Finnish Authenticator app launched in 2020.
The system gives clear information on what mandates have been given or received and how long they are valid for. It’s also easy to change or revoke a mandate.
Limitations of the e-Authorizations service
One limitation is that for mandates requested from or given to individuals, you need to know the social security number of the assignor. Some people may be reluctant to provide this for fear of misuse.
Further, the mandate themes approach gives an all-or-nothing approach to access within the defined theme. Take, for example, the use of Suomi.fi by all Finnish pharmacies. For the theme “Use of pharmacy services”, the assignee of the mandate can carry out a wide range of activities:
- pick up medication from the pharmacy on behalf of the assignor
- request that the assignor’s prescription is renewed by the pharmacy
- request the pharmacy to check the benefit data related to the assignor’s prescriptions and medicines and to give information on them to the assignee
- give their consent for the invalidation of the assignor’s prescription at the pharmacy
- ask for a summary of the assignor’s prescriptions
Rather than only being able to grant authorisation to complete one of these tasks, the mandate themes approach grants authorisation for all tasks in one go. Therefore, in this example, you can’t allow someone to only pick up a specific prescription medicine on your behalf. If you give them this mandate theme, they can pick up any medicine and even get access to a summary of all of your prescriptions.
The scope of some types of mandates can be limited by using a specifier – for example, entry of a property ID may be used to limit the mandate to a certain property, or entering a company ID to limit a mandate to matters related to a certain company (as seen earlier).
For use cases where permission to do something on another’s behalf needs to be limited beyond the standard capabilities of the system, for example access to specific documents or projects, additional access right management systems are required. Ubisecure provides software solutions that allow Suomi.fi to provide federated user authentication and can be integrated with Suomi.fi e-Authorizations for coarse-grained access control. On top of this, fine-grained access control can then be managed within the Ubisecure Identity and Access Management platform. This is available as an on-premises deployment, as a managed software-as-a-service solution or a hybrid cloud/on-premises approach.
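The theme-plus-specifier model and the fine-grained layer described above, sketched as an added example that is not Suomi.fi or Ubisecure code. The `Mandate` fields, the action labels, the dates and "Assignor A" are constructed assumptions; the theme names and company ID 123456-7 come from the text.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Mandate:  # constructed model; field names are hypothetical, not a Suomi.fi schema
    assignor: str
    assignee: str
    theme: str
    valid_from: date
    valid_to: date
    specifier: Optional[str] = None  # company or property ID; None = whole theme
    revoked: bool = False

def coarse_check(mandates, assignee, assignor, theme, on, specifier=None):
    """Theme-level decision: a live mandate for this theme (and specifier) exists."""
    for m in mandates:
        if (m.assignee, m.assignor, m.theme) != (assignee, assignor, theme):
            continue
        if m.revoked or not (m.valid_from <= on <= m.valid_to):
            continue
        if m.specifier is not None and m.specifier != specifier:
            continue  # mandate is scoped to a different company/property
        return True
    return False

def authorize(mandates, policy, assignee, assignor, theme, action, on, specifier=None):
    """Coarse mandate check first, then the relying service's own allow-list."""
    if not coarse_check(mandates, assignee, assignor, theme, on, specifier):
        return False
    if policy is None:  # no fine-grained layer: the theme grants every action in it
        return True
    return action in policy.get((assignor, assignee, theme), set())  # default deny

# Constructed sample data (names, dates and action labels are illustrative).
MANDATES = [
    Mandate("Assignor A", "Jane Doe", "Representation at the General Meeting",
            date(2023, 1, 1), date(2023, 12, 31), specifier="123456-7"),
    Mandate("Assignor A", "Jane Doe", "Use of pharmacy services",
            date(2023, 1, 1), date(2023, 12, 31)),
]
POLICY = {("Assignor A", "Jane Doe", "Use of pharmacy services"): {"pick_up_medication"}}

if __name__ == "__main__":
    day = date(2023, 6, 1)
    args = (MANDATES, None, "Jane Doe", "Assignor A", "Use of pharmacy services")
    print(authorize(*args, "prescription_summary", day))  # theme alone decides
    print(authorize(MANDATES, POLICY, *args[2:], "prescription_summary", day))
```

With `policy=None` the pharmacy theme grants every action in it; passing `POLICY` narrows the same mandate to medication pick-up only.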
What’s next for Suomi.fi?
Suomi.fi e-Identification and e-Authorizations are the backbone of eGovernment services in Finland. They have built on the success of prior services in a comprehensive, easy-to-use, and well-documented shared service. Its success is no doubt also due to the funding model – individual government services and departments can use the platform without charge, and the Ministry of Finance funds the service for the public good.
Suomi.fi e-Authorizations is under constant, active development – including additional reporting, improved usability and finer-grained administrative user rights controls. The public roadmap shows themes such as continued development for stability, reliability, availability and usability, making it easier for foreigners to do business in Finland, and exploring opportunities and coordination with the European identity wallet, looking at the integration of foreign trade registers. Another big focus is on investigating the handling of complex cases around authorisation involved in legal guardianship and lasting powers of attorney.
You can follow the growth and development of Suomi.fi via monthly updates provided by the team at the Digital and Population Data Services Agency (DVV), which are available (in Finnish) at https://dvv.fi/suomi.fi-infot.
It’s also positive to see third-party, commercial, non-governmental organisations starting to streamline their processes by adopting the central Suomi.fi service. For example, business management software for entrepreneurs that perform tax reporting and declarations on behalf of small-business owners; or shareholder registry and management platforms that allow representatives of shareholders to participate in shareholder meetings.
Conclusion
Suomi.fi e-Identification and e-Authorization are integral cornerstones of the Finnish digital society. Without these critical services, online interaction with all levels of government would come to a standstill. The design, both logical and technical, has stood the test of time – it is a reliable and easy-to-use service with enormous proven benefits for citizens, businesses, and public officials alike.
About The Author: Keith Uber
Keith is VP Customer Success at Ubisecure.
His specialities include: Identity and Access Management, identity federation, authorisation, access governance, authentication policy and technology, and privacy.