
Comprehensive Analysis: SK ID Solutions' "Additional Security Measures" for Smart-ID

Document Type: Security Architecture & Operational Critique
Target: SK ID Solutions Smart-ID RP-API Documentation (Additional Security Measures)


Executive Summary

SK ID Solutions' documentation on "Additional Security Measures" for Relying Parties (RPs) represents a systematic abdication of centralized security responsibility. By proposing a series of heuristic, high-friction and largely outdated mitigations, the identity provider is attempting to patch the fundamental architectural weakness of decoupled, out-of-band authentication (the approving device never sees the browser session it is approving) by shifting fraud-prevention liability entirely onto the Relying Parties.

Instead of implementing robust, protocol-level protections (cryptographic channel binding between the browser session and the approval, FIDO2/WebAuthn-style origin binding, or central rate-limiting), the documentation advises every RP to build its own bespoke fraud engine. This combined analysis evaluates each measure from both an academic/cryptographic perspective and a practical/operational industry standpoint, and finds serious shortcomings in every proposed control.


Step-by-Step Analysis of Proposed Measures

1. Anonymous Flows and User Identifiers

SK ID proposes asking for non-public identifiers (like usernames or contract numbers) because national identity numbers are public and can be enumerated.

  • The Cryptographic/Architectural Flaw: This advice contradicts the foundational premise of the Baltic e-ID ecosystem, which was built around a single public identifier (the Estonian isikukood and its Latvian and Lithuanian equivalents). Because the Smart-ID RP-API lets any Relying Party integration, and therefore any attacker who controls or abuses one, trigger PIN1/PIN2 prompts on a victim's phone knowing only that public identifier (prompt-bombing), the proposed "fix" is to regress to the pre-eID era: RPs are asked to reinstate local secret usernames and, in effect, passwords.
  • The Operational & UX Failure: Telling users to memorize and enter an arbitrary "non-public identifier" (such as a utility contract number) destroys the uniform, nothing-to-remember login experience that is the whole point of a national e-ID. Users will inevitably forget these identifiers, leading to a surge of identifier-recovery requests, heavy UX friction and significantly higher helpdesk costs for the RP.

2. Keeping Track of Trusted and Unknown Browsers

SK ID recommends tracking browser instances via cookies and altering the displayText (e.g., "Are you using a new computer?") if the browser is unknown.

  • The Cryptographic/Architectural Flaw: Security must be bound cryptographically to the session, not left to user reading comprehension. Empirical studies of the Estonian e-ID ecosystem report severe "prompt fatigue": users do not read the displayText; they match the 4-digit verification code and enter their PIN. That check cannot catch a relay, because the verification code is derived from the hash the RP submitted, so a relayed request shows the same code on the attacker's page and on the victim's phone. Expecting a user to detect a Man-in-the-Middle (MitM) or relay attack by interpreting a short text string is a failure of cryptographic security design.
  • The Operational & UX Failure: This control is ineffective against modern threat actors and a compliance headache under GDPR.
    • Infostealers: Modern account-takeover campaigns use infostealer malware (e.g., Lumma, RedLine) that exfiltrates the entire browser profile, cookies included. An attacker who steals the session cookie steals the trackingID cookie with it, so the login appears to come from the trusted browser and the control is bypassed entirely.
    • Privacy Opt-outs: The document itself classifies this as a "preferences cookie" requiring GDPR consent. If a privacy-conscious user declines all cookies, the RP must treat every one of their logins as coming from an unknown browser, spamming them with warnings, step-up prompts or CAPTCHAs. The resulting alert fatigue trains the user to ignore the warning precisely when it matters.
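The following simulation is an added example, not SK's code or anything from the RP-API documentation. It relies on the published derivation of the Smart-ID verification code (the last two bytes of SHA-256 over the submitted hash, taken modulo 10000 and zero-padded); the honest RP, the victim's phone and the phishing page are constructed stand-ins, the identifier is a placeholder, and no real signature verification takes place. It shows why the one check users actually perform, comparing the 4-digit code, always passes in a relay, and why only a user who reads and acts on the displayText stops it:

```python
"""Why matching the 4-digit Smart-ID verification code does not detect a relay.

Added example, not SK's code. It relies on the published derivation of the
verification code (int(SHA-256(hash)[-2:]) mod 10000, zero-padded); the RP,
phone and phishing page below are constructed stand-ins for the real parties,
and no real signature verification is performed.
"""
import hashlib
import secrets


def verification_code(document_hash: bytes) -> str:
    """The code both the RP page and the Smart-ID app display for a request.

    It is a pure function of the hash the RP submitted: it carries nothing
    about which browser, IP address or RP session started the request.
    """
    digest = hashlib.sha256(document_hash).digest()
    return f"{int.from_bytes(digest[-2:], 'big') % 10000:04d}"


class TargetRP:
    """Honest Relying Party. It sees a browser, not the person behind it."""

    def __init__(self):
        self.pending = {}

    def start_auth(self, identifier: str, browser_known: bool) -> dict:
        nonce = secrets.token_bytes(32)
        doc_hash = hashlib.sha256(nonce).digest()     # hash the app will sign
        session = secrets.token_hex(8)
        self.pending[session] = doc_hash
        text = ("Log in to Example Bank" if browser_known
                else "Are you using a new computer? Log in to Example Bank")
        return {"session": session, "identifier": identifier, "hash": doc_hash,
                "code": verification_code(doc_hash), "displayText": text}

    def finish_auth(self, session: str, signed_hash: bytes) -> bool:
        # Stand-in for verifying the X.509 signature over the issued hash.
        return self.pending.pop(session, None) == signed_hash


def smart_id_app(request: dict, code_on_page: str,
                 user_reads_text: bool, on_new_computer: bool):
    """Victim's phone. Returns the 'signed' hash if the user enters PIN1,
    None if the user refuses. A fatigued user compares only the code."""
    if verification_code(request["hash"]) != code_on_page:
        return None                     # the one check everyone performs
    if (user_reads_text and "new computer" in request["displayText"]
            and not on_new_computer):
        return None                     # attentive user: text does not fit
    return request["hash"]              # PIN entered


def run_relay(user_reads_text: bool, on_new_computer: bool = False) -> dict:
    """Attacker knows only the victim's public identifier (placeholder value)."""
    rp = TargetRP()
    victim = "PNOEE-00000000000"
    # 1. Attacker's (unknown) browser starts a login at the honest RP as the victim.
    req = rp.start_auth(victim, browser_known=False)
    # 2. The phishing page relays the RP's code to the victim; the codes agree
    #    by construction because both derive from the same hash.
    code_on_page = req["code"]
    # 3. SK's backend pushes the same request to the victim's phone.
    signed = smart_id_app(req, code_on_page, user_reads_text, on_new_computer)
    # 4. The attacker's browser completes the session with the victim's signature.
    logged_in = signed is not None and rp.finish_auth(req["session"], signed)
    return {"codes_match": code_on_page == verification_code(req["hash"]),
            "attacker_logged_in": logged_in}


if __name__ == "__main__":
    print(run_relay(user_reads_text=False))   # fatigued user: attacker logs in
    print(run_relay(user_reads_text=True))    # reads the text: attack fails
```

Note that the "new computer" warning only helps when the victim is not, in fact, on a new computer; the same text shown to a user who has just bought a laptop is indistinguishable from the relay case.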

3. Keeping Track of Suspicious and Malicious IP Addresses

SK ID suggests using commercial IP reputation services to flag TOR nodes, proxies, or data centers, and applying step-up authentication to suspicious IPs.

  • The Cryptographic/Architectural Flaw: Pushing IP-based checks to the RP is a tacit admission that a Smart-ID authentication result carries no information about the environment in which it was approved. It also does nothing against targeted relay attacks in which the adversary operates from the same country or ISP space as the victim.
  • The Operational & UX Failure: Relying on IP blocklists is an obsolete, low-efficacy security control.
    • False Negatives: Attackers no longer route attacks through easily blocked datacenter IPs. They use large residential proxy networks (built on compromised routers and IoT devices) whose traffic is indistinguishable from legitimate local ISP traffic.
    • False Positives: Carrier Grade NAT (CGNAT) on mobile networks and the widespread use of enterprise VPNs mean thousands of legitimate users share IP addresses. Blocking or throttling these IPs punishes legitimate users while adversaries bypass the checks effortlessly.

4. Allowing Users to Verify Operations

SK ID requires that RPs allow users to download the digitally signed documents created after PIN2 entry, so that they can verify what they actually signed.

  • The Cryptographic/Architectural Flaw: This is digital forensics, not proactive security. By the time a victim downloads and inspects a signed container to realize they authorized a fraudulent €10,000 bank transfer instead of a login challenge, the attack has succeeded and the funds are gone. The contents of the document must be securely, unambiguously, and fully presented to the user natively within the Smart-ID application before PIN2 is entered.
  • The Operational & UX Failure: Only a small minority of users proactively audit their account activity, let alone download signed .asice containers to check what they signed. Relying on post-incident user auditing as a primary defence against phishing is negligent.

5. Monitoring Usage Patterns & Responding to Incidents

SK ID advises RPs to apply log analysis to deduce ongoing attacks and to monitor for anomalous behaviour.

  • The Cryptographic/Architectural Flaw: SK ID Solutions operates the central infrastructure. It has by far the best vantage point for detecting anomaly patterns, such as a single Smart-ID account being hit with authentication requests from 50 different RP services at once. Pushing anomaly detection down to individual, isolated RPs (each of which sees only its own slice of the traffic) rules out any systemic defence against coordinated prompt-bombing or brute-forcing.
  • The Operational & UX Failure: SK is casually instructing mid-sized RPs to build User and Entity Behavior Analytics (UEBA) platforms. A behavioural profiling engine that cross-references IPs, browsers and operation types without drowning its operators in false positives requires dedicated data-science staff, SIEM infrastructure and a large budget. For a typical RP this is unrealistic hand-waving.
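To make concrete what an individual RP can and cannot see, here is an added example of the kind of log analysis SK is asking for; it is not SK's or any RP's code. The log format, thresholds and sample lines are all constructed for illustration. It flags an identifier that receives a burst of authentication starts from several addresses within a short window, and flags again when that identifier then completes an authentication. The limitation the section describes is visible in the design: the thresholds apply per RP, so a campaign that sends two prompts to each of fifty RPs never trips them anywhere.

```python
"""Burst and multi-origin detection over an RP's own Smart-ID auth logs.

Added example, not SK's or any RP's code. The log format, thresholds and
sample lines are constructed for illustration. Note the limit it cannot
overcome: an RP sees only its own requests, so a campaign spread over many
RPs (a few prompts each) never crosses these thresholds anywhere.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed RP-side log: identifier 0002 is prompt-bombed from five
# addresses in half a minute and the victim eventually approves one prompt.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z start    id=PNOEE-00000000001 ip=203.0.113.7   browser=known
2024-05-01T10:00:09Z complete id=PNOEE-00000000001 ip=203.0.113.7   browser=known
2024-05-01T10:02:00Z start    id=PNOEE-00000000002 ip=198.51.100.10 browser=unknown
2024-05-01T10:02:05Z start    id=PNOEE-00000000002 ip=198.51.100.11 browser=unknown
2024-05-01T10:02:11Z start    id=PNOEE-00000000002 ip=198.51.100.12 browser=unknown
2024-05-01T10:02:18Z start    id=PNOEE-00000000002 ip=198.51.100.13 browser=unknown
2024-05-01T10:02:25Z start    id=PNOEE-00000000002 ip=198.51.100.14 browser=unknown
2024-05-01T10:02:40Z complete id=PNOEE-00000000002 ip=198.51.100.14 browser=unknown
2024-05-01T10:05:00Z start    id=PNOEE-00000000003 ip=192.0.2.44    browser=unknown
2024-05-01T10:05:30Z fail     id=PNOEE-00000000003 ip=192.0.2.44    browser=unknown
"""

WINDOW_SECONDS = 120      # sliding window per identifier (constructed threshold)
MAX_STARTS = 3            # more start requests than this in the window => alert
MAX_DISTINCT_IPS = 2      # more source addresses than this in the window => alert


def parse_line(line: str) -> dict:
    """Parse one constructed log line into a dict with 'ts', 'event', 'id', 'ip', 'browser'."""
    ts_text, event, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["event"] = event
    return rec


def detect(log_text: str) -> list:
    """Return alerts in log order: one 'prompt_burst' per identifier whose
    recent start requests exceed a threshold, and a 'completion_after_burst'
    when a flagged identifier then completes an authentication."""
    alerts = []
    recent = defaultdict(deque)        # identifier -> deque[(ts, ip)] of starts
    flagged = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        ident = rec["id"]
        if rec["event"] == "start":
            window = recent[ident]
            window.append((rec["ts"], rec["ip"]))
            while (rec["ts"] - window[0][0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()
            ips = {ip for _, ip in window}
            if ident not in flagged and (len(window) > MAX_STARTS or len(ips) > MAX_DISTINCT_IPS):
                flagged.add(ident)
                alerts.append({"rule": "prompt_burst", "identifier": ident,
                               "starts": len(window), "distinct_ips": len(ips),
                               "at": rec["ts"].isoformat()})
        elif rec["event"] == "complete" and ident in flagged:
            # The approval that finally succeeds is the one that matters: it is
            # most likely the victim giving in to the barrage.
            alerts.append({"rule": "completion_after_burst", "identifier": ident,
                           "ip": rec["ip"], "at": rec["ts"].isoformat()})
    return alerts


def flagged_identifiers(log_text: str) -> list:
    """Sorted identifiers that produced at least one alert."""
    return sorted({a["identifier"] for a in detect(log_text)})


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The completion-after-burst alert is the actionable one for an RP: it identifies the session that should be held for review before any high-value operation proceeds, which is the one thing the RP can still do after the user has already entered the PIN.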

6. Personal Data Processing (GDPR Impact)

SK ID reminds RPs that tracking IPs and setting cookies requires a lawful basis, DPIAs, and privacy policy updates.

  • The Operational & UX Failure: To implement SK's duct-tape security measures, RPs must vastly expand their data collection footprint. Collecting detailed IP logs, device telemetry, and tracking cookies drastically increases the RP's GDPR compliance burden, legal liability, and data storage costs. RPs are being asked to absorb immense regulatory risk to compensate for Smart-ID's architectural vulnerabilities.

Conclusion

Architectural Failure Identified

SK ID Solutions' "Additional Security Measures" document is an attempt to mitigate the inherent vulnerabilities of their out-of-band decoupled authentication system by offloading the work to Relying Parties.

From an academic perspective, the guidelines abandon cryptographic certainty in favor of heuristic guesswork and rely on end-users overcoming prompt fatigue to spot attacks. From an industry operations perspective, the recommendations are outdated, easily bypassed by modern malware/residential proxies, and guaranteed to introduce massive friction, false positives, and GDPR compliance overhead.

Rather than distributing the burden of fraud prevention to developers via easily bypassed controls, the identity provider should be focusing on protocol-level upgrades, centralized anomaly detection, and modern cryptographic channel-binding standards.

Research content licensed under CC-BY-4.0. Code licensed under MIT.