TUPAS is a strong digital authentication method created by the Federation of Finnish Financial Services. TUPAS identification is a de facto standard for digital identification in Finland. It is used by all major Finnish banks, including Aktia, Osuuspankki, Nordea, Danske Bank and S-Pankki (formerly Tapiola). Furthermore, TUPAS is also used by the Finnish government for logging in to Kansaneläkelaitos and the Finnish Tax Administration site vero.fi.

The phasing out of TUPAS began in 2016. The final deadline to shut down the identification services was in September 2019, but all banks continued providing service past this date. Traficom has issued a warning that monetary penalties will be collected from services that have not shut down by the end of November 2019, and ultimately warned that services using TUPAS for strong authentication would be shut down.[1]

TUPAS was based on the Finnish law on strong electronic identification and digital signatures. The law requires strong identification methods to include at least two of the following three identification methods:

  • A password or something similar that one knows,
  • A chip card or something similar that one possesses, or
  • A fingerprint or something similar that is unique to the person.[2]

Commonly, the identification is done using a password together with either a list of single-use passcodes or a passcode device.

TUPAS was operated by the Finnish banks, and required service providers to negotiate contracts and perform integrations with each separate bank they deal with. As no real competition existed, TUPAS authentication was expensive to service providers. The eIDAS regulations provided the government with the opportunity to open up eID services to market competition. To that end, the Finnish authorities established the Finnish Trust Network (FTN), a framework that allows strong authentication service brokers to resell eID solutions in Finland using a single standardised service contract.

These eID brokers act as intermediaries between the identity providers (banks and telecom operators) and online service providers, which enables them to operate as 'one-stop-shop' resellers of eIDs, as well as giving them the capacity to manage contracts and technical integrations. This new competitive environment has removed the main obstacles to developing strong identification services by:

  • Capping transaction costs between the bank and eID broker
  • Eliminating administrative hurdles, with a single contract serving all Finnish banks
  • Streamlining integration, with only one standard technical interface required[3]

Traficom has recommended that organizations use an eID broker instead of connecting directly with eID providers.[4]

References

  1. "Tunnistuspalvelun tarjoajille kehotus uhkasakon nojalla korjata toimintansa 30.11. mennessä - TUPAS-yhteyskäytäntö edelleen tarjolla vastoin lainsäädäntöä". Traficom (in Finnish). Retrieved 2019-10-17.
  2. Law on strong digital identification and digital signatures (in Finnish). https://www.finlex.fi/fi/laki/ajantasa/2009/20090617
  3. "7 things you need to know about TUPAS being replaced with…".
  4. "Security and trust".