Handy-Signatur

from Wikipedia, the free encyclopedia

In Austria, the mobile phone signature (Handy-Signatur) is a technology for creating legally valid electronic signatures with a mobile phone (mobile signature / mobile ID). The mobile phone signature is equivalent to the qualified electronic signature and, in Austrian e-government, is treated as the equivalent of a handwritten signature in the context of the citizen card. A-Trust, a company run as a cooperation between Austrian chambers and banks, was entrusted with the technical support of the mobile phone signature.

Functionality and security

As an implementation of the citizen card concept, the mobile phone signature is a qualified electronic signature within the meaning of EU Directive 1999/93/EC, and thus both a valid official ID and legally equivalent to a signature within the meaning of § 886 ABGB. The function enables, for example, password-protected access to public administration facilities. It is also possible to sign PDF files, the Adobe electronic document format that is now the general standard.

When you log in to a web application with your telephone number and password, A-Trust sends you a transaction number (TAN) by SMS, with which you confirm your identity. The TAN is a one-time code that is valid for five minutes. Entering this TAN confirms the login.
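One way a server could enforce the one-time, five-minute TAN described above, as an added example that is not A-Trust's code. The class and method names, the six-digit TAN length, the three-attempt limit and the sample phone number used with it are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TAN_VALIDITY_SECONDS = 5 * 60  # from the page: a TAN is valid for five minutes
MAX_ATTEMPTS = 3               # assumption: the page states no attempt limit

class TanService:
    """Hypothetical server side of a password + SMS-TAN login (constructed example)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._users = {}    # phone number -> (salt, password hash)
        self._pending = {}  # session id -> pending TAN record

    @staticmethod
    def _pw_hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, phone, password):
        salt = secrets.token_bytes(16)
        self._users[phone] = (salt, self._pw_hash(password, salt))

    def start_login(self, phone, password):
        """Check the knowledge factor, then issue a TAN for the SMS channel."""
        salt, stored = self._users.get(phone, (b"\0" * 16, b""))
        if not hmac.compare_digest(self._pw_hash(password, salt), stored):
            return None
        session = secrets.token_urlsafe(16)
        tan = f"{secrets.randbelow(10**6):06d}"  # assumption: six-digit TAN
        self._pending[session] = {
            "phone": phone, "tries": MAX_ATTEMPTS,
            "digest": hashlib.sha256((session + tan).encode()).digest(),
            "expiry": self._clock() + TAN_VALIDITY_SECONDS}
        return session, tan  # session -> browser; tan -> SMS gateway only

    def confirm(self, session, tan):
        """Return the phone number on success; a TAN works once, within its validity."""
        entry = self._pending.get(session)
        if entry is None or self._clock() > entry["expiry"] or entry["tries"] <= 0:
            self._pending.pop(session, None)
            return None
        entry["tries"] -= 1
        candidate = hashlib.sha256((session + tan).encode()).digest()
        if not hmac.compare_digest(candidate, entry["digest"]):
            return None
        del self._pending[session]  # one-time: a replayed TAN finds no record
        return entry["phone"]
```

Only a digest of the TAN bound to the session is kept, so a TAN captured for one login session cannot confirm another.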

The advantage of this signing method over a chip card (such as the health insurance e-card) as a citizen card is that there is no need for a chip card reader or installation of special software on the computer.

However, the main disadvantage of mobile signing in general compared to a chip card is likely to lie in everyday use. While official ID cards are usually kept safe, the cell phone is an everyday object that is used in a wide variety of situations. More precisely, it is not the cell phone as a device that is activated, but the cell phone number that is stored with the SMS service provider, and this number is generally passed on to others. The password is therefore of particular importance. Anyone who has access to the registered mobile phone (more precisely: its SIM card with the registered telephone number) and at the same time knows the signature password can conclude legally valid contracts on behalf of the owner. Possession of the mobile phone is one of the basic authentication criteria in the system as a citizen card (personal link of the electronic signature in the sense of § 4 Paragraph 2 of the E-Government Act). The password, as the second element of the identity link (the "knowledge" factor), should therefore never be saved on the mobile phone itself.

If the cell phone is lost, a notification is sufficient to block the number. A hotline is available at A-Trust for this purpose. Malware on mobile phones is more problematic, so it is important to take your own protective measures on the mobile phone (as known from computers: secure configuration, security updates, firewalls and virus scanners, careful downloading and installation, and the like).

Of the three currently established mobile signature technologies, namely the solution with a cryptography module on the SIM card or on a microSD card, a permanently implemented on-board key generation (all of which are based on the ETSI Mobile Signature Services, MSS, standard), and the Austrian SMS-based PIN-TAN solution, the latter is judged to be the most secure. It is based on a separation of the local and the web server verification, so that an attacker would have to intercept both messages. In principle, all procedures are at risk of phishing. In the case of the mobile phone signature, where the telephone number is entered, the attacker would still have to read the SMS that is sent back and also ensure that he enters the TAN faster, by hiding the SMS from the recipient.

However, a qualified signature is only created if two different end devices are used in accordance with the regulations, i.e. by requesting the TAN SMS on a normal computer, having it sent to the mobile phone and entering it again manually on the computer. If you use the mobile phone as a transmitting and receiving device, i.e. log in directly with the smartphone's browser - which is basically the more convenient solution for internet-enabled smartphones - there are certain additional points of attack, as with the MSS process.

The central database and encryption create another point of attack, but even then the attacker would have to have brought at least the web interface or the mobile phone under control. The basic number of the person (the Austria-wide unique identifier used to prove the identity link) is written to the chip card in the smart card solutions of the citizen card, encrypted together with the name, date of birth and public key of the asymmetric encryption. With the mobile phone signature it is not stored on the SIM card but with the authenticator. This can be seen as an advantage for security with regard to loss and data security of the mobile phone, but also as a disadvantage, because the registration authority is identical with the certification service provider (Certification Authority) in the sense of the MSS. The SMS service operator therefore has a special responsibility, which is why A-Trust operates a high-security data center.

Another advantage of the Austrian solution is that the other technologies depend on the hardware and the platform (operating system) of the smartphone and place high demands on them, because the cryptography module runs on the end device, while the Austrian solution, where the computing load lies with the certificate operator, is also suitable for simple cell phones of older generations. In addition, it can easily be ported and roamed between mobile phone providers, because the evaluation via the central data server only requires the telephone number of the signatory and is not linked to the SIM card or a provider-bound mobile phone.

History

Mobilkom Austria originally introduced the A1 signature technology in 2003, but this was discontinued on October 16, 2007.

At the end of 2009, a citizen card on the mobile phone was launched again with the mobile phone signature of A-Trust. This was developed as part of the EU program STORK (Secure Identity acrOss BoRders LINKed).

In 2012, only around 60,000 mobile phone signatures were activated, which is less than 1% of citizens and around a third of all citizen cards in their various forms. As with the citizen card as a whole, registration was judged to be quite time-consuming and largely unknown to the population, or there were reservations about security. Attempts to promote it via the mobile network operators have so far been relatively unsuccessful.

At the beginning of 2014 there were already 300,000 registered people, with around 20,000 new registrations per month. The mobile phone signature is currently the most common form of citizen card: there are around 150,000 smart cards activated for the function. According to a study in mid-2014, 18% of the online population now have a card reader-compatible citizen card and 21% have a mobile phone signature. According to this study, the future of the citizen card is also seen in the mobile phone signature (69% of the respondents), since the mobile phone is now part of everyday life in a broad segment of the population and is used intensively especially among socially weaker groups, for whom installing a card reader at home is an additional barrier.

Since March 2014, the Ministry of Foreign Affairs has been running registration offices at the Austrian embassies in London, Madrid and Germany (Berlin and Munich) as a pilot project in order to offer Austrians abroad access. Austrian, German, English or Spanish phone numbers are permitted. If acceptance is good, it is planned to expand to all Austrian representations abroad.

Since January 1, 2018, referendums can also be signed using a mobile phone signature or citizen card. This applies to both the submission of a declaration of support and the signing of a referendum.

In October 2018, more than 1.05 million users were using the Handy-Signatur.

Literature

  • Thomas Zefferer, Peter Teufl: Evaluation of mobile signature solutions on smartphones. Version 1.4, April 24, 2012 (PDF, egiz.gv.at).
