On Thursday, the Home Office announced the successful start of state scanning and introduced a new way of accessing the data boxes. It is the so-called mobile key, formally "mobile electronic media" (abbreviated as MEP), which was announced last year and about which I wrote here on Lupa in November of last year.
Let's recall, at least briefly, what was stated last November: the aim is to let people log in to data boxes more securely, but still very simply. Even more simply than with today's "name and password". It is more secure in the sense that, unlike "name and password", two-factor authentication should be used for login, along with an overall "guarantee" level (within the meaning of the eIDAS Regulation).
The new mobile key actually provides two-factor authentication: one factor, of the "something I have" type, is the mobile application itself on a particular mobile device (which is "paired" with the appropriate ISDS account). The second factor is "something I know," whether in the form of a PIN, a password (alphanumeric) or the so-called image password (a correctly selected sequence of images). Alternatively, this second factor can be "something that I am" in the form of a fingerprint or facial scan. Of course, only if your phone supports this.
How does it work?
The actual operation of the new mobile key, once activated, is really very simple and eliminates the typing of your username and password: when you want to log in to your data box, choose the newly added option:
After doing this you will see a unique QR code, as shown below:
You should already have your phone at hand with the new application ("Mobile Key") running, and be logged in to this app. Then let it scan the QR code from the screen, as shown in the following figure.
After a few seconds, it should be done: you should now be in the appropriate data box, properly logged in.
Where (and when) does authentication occur?
The truth is that no username or password was entered anywhere in the above procedure. Nor any other authentication data. Nor did you say which account you are logging in to in your data boxes.
The trick is that your authentication (and your account selection) must have occurred before you pick up your mobile with the new app and start scanning the QR code. You had to run this application first and log in to it (and thus authenticate to it), because only then will the application offer you the possibility to scan the QR code. In addition, your app had to be set up once beforehand ("paired" with the account you want to access with your mobile key).
So let's start with what is repeated and happens more often: how to log in to your mobile app (already configured and "paired"). To do this, you have the following main options:
You have to choose one of these options and use it, in the sense that whenever you run the application, you are offered this chosen login option and only this one, not the others. However, once inside the application, you can choose a different option in its settings, which will then be offered to you until the next change.
However, if your mobile phone (and its operating system) supports biometrics, specifically fingerprint or facial scanning, you can enable these biometric authentication methods, and they will be offered to you alongside the "primary" login method you selected. Therefore, if you have chosen PIN login, you can log in to the application either by entering the correct PIN or by scanning the (correct) fingerprint.
The following three images show how the corresponding screen looks when you select each of the three main mobile key login options, with fingerprint scanning supported (and enabled).
Either way, this covers one of the two factors of two-factor authentication: "what I know" or "what I am". As mentioned above, the other authentication factor is "something I have" – which is the appropriately configured and "paired" mobile application instance running on a particular device (which is not necessarily a mobile phone, but can also be a tablet, etc.).
How do I set up a mobile app?
Of course, you need to download the mobile app described here for your device. Under the name "Mobile Key" (from the Home Office), it is available for free for Android (version 4.4) and for iOS (version 10.0).
Then you have to configure it: first you have to choose one of the "main" login methods for the application (PIN, password, image password), see above. You should then decide whether to enable (or disable) biometric authentication, if your device supports it.
The next step is to "pair" the application with a specific account in your data boxes: first, you need to log in to that account in the way currently available to you (probably just by name and password, see below). Then you go to the settings and, there, to "Login Options". In the list of login options you will find a new entry related to the application just described, or rather to the mobile key:
To actually use your mobile key, you must first add it to your account (in the sense of "pairing"). You do this by letting your app scan the QR code that your data box displays for you, see the following figure:
Your application will then ask whether you want to connect it (or rather the device on which it is running) to the appropriate data box account. It will also show you a four-digit code that you should check against what the other side (the data boxes) shows you.
When you approve the last step in the previous image, do not worry if the application closes without a word, as if it had crashed, while the user waits in vain for a kind word confirming a successful pairing with his account. And when he starts the application again and logs in, it just wants to read some QR code. Here the user has to assume that the connection to the account was successful, and that the QR code the application is so eager to read is no longer the one-time "pairing" code, but the repeated "login" code. Because the application expects you to already be paired with your account.
It also works for multiple accounts and multiple devices
The data box login with a mobile key just described also works for multiple accounts: you can pair one mobile device and its application with multiple data box accounts. The resulting effect is the same as when logging in with the new eOP: the key tells the counterpart (ISDS) and confirms who you are (what your identity is). The data box system (ISDS) determines how many different accounts you have access to, and lets you choose which one you want to log in to.
This "multiplicity" also applies the other way around: a single data box account can have multiple devices with the corresponding applications (mobile keys) linked to it, and you can then log in with any of them. Of course, it is also possible to "disconnect" the mobile keys from the accounts (deactivate them).
In addition, logging in with the mobile key does not rule out other login options (for example, using an electronic key). What can be ruled out, however, is the less secure option (the one used by the vast majority of users), i.e. just name and password. As you can see in the lower right corner of the following figure, after connecting a mobile key, the only login you can disable is the one using name and password.
In addition, you can also receive notifications of incoming data messages on your mobile device (these can otherwise be sent to you by email or SMS), as well as a notification if someone has logged in to your account (with a mobile key activated) using only your name and password, see the following figure. You are required to receive notifications of the activation ("pairing") and deactivation of your mobile keys, as well as of the creation or use of their backups. This is because the settings for the mobile key are (and should be) backed up.
It is also interesting to note that mobile key logins should also work when you log in directly from a mobile device (in the sense that you want to work with your data box from a mobile phone instead of a normal computer, as we have assumed so far). Similarly, the new login option should be available even if you work with your data boxes through an application and not through the ISDS web interface. But here I can refer to potential guides.
Is it really a "significant" level?
The new way to get into data boxes (the mobile key) is quite comfortable and fast. And maybe it's safe enough. Ultimately, the PIN of the photo, which should be your main asset, is just another option – and who knows how many people will actually use it.
But I'm not sure whether a mobile key actually reaches a "significant" level of guarantee, as is expected by § 2 (3) of Decree No. 194/2009 Coll. (on the details of the use and operation of the data box information system). The problem is that it can be "paired" with an account to which the user is logged in using a user name and password, which corresponds only to the "low" level (simply because there is no two-factor authentication). And from this "low" level, move to "significant" by using a mobile key? In my opinion, this is not possible – the final level of guarantee is decided by the weakest link in the entire factor chain, which includes the connection described above from the mobile key to the account ("pairing").
This problem can be solved by having the connection to a data box account (pairing) require a "stronger" login, with two-factor authentication, or rather by making it impossible when the user is logged in only by name and password. But I did not find anything similar in the available documentation. In addition, it would prevent the vast majority of data box users, who do not use any way of logging in other than just a name and a password, from switching to a mobile key.
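The weakest-link argument above, as an added sketch that is not part of the original article and is not ISDS code: a toy model in which every mobile key remembers the assurance level of the session that paired it. All class, method and device names are assumptions, and `login_strong` stands in for any existing two-factor login; the level names follow the article ("significant" is what eIDAS calls "substantial").

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Level(IntEnum):
    LOW = 1          # single factor: name and password
    SIGNIFICANT = 2  # the article's term; eIDAS calls this level "substantial"

@dataclass(frozen=True)
class Session:
    account: str
    level: Level     # effective assurance of the login that opened the session

@dataclass
class DataBoxModel:
    """Toy model of pairing and login; names are hypothetical, not the ISDS API."""
    require_strong_pairing: bool = False
    keys: dict = field(default_factory=dict)  # key_id -> (account, enrolment level)

    def login_password(self, account: str) -> Session:
        return Session(account, Level.LOW)

    def login_strong(self, account: str) -> Session:  # hypothetical existing 2FA login
        return Session(account, Level.SIGNIFICANT)

    def pair(self, session: Session, key_id: str) -> None:
        if self.require_strong_pairing and session.level < Level.SIGNIFICANT:
            raise PermissionError("pairing needs a two-factor session")
        # Remember how strongly the enrolling user was authenticated.
        self.keys[key_id] = (session.account, session.level)

    def login_mobile_key(self, key_id: str) -> Session:
        account, enrolled_at = self.keys[key_id]
        # Weakest link: possession + PIN/biometric is nominally SIGNIFICANT,
        # but the key proves no more than the session that enrolled it.
        return Session(account, min(Level.SIGNIFICANT, enrolled_at))

def demo():
    weak = DataBoxModel()
    weak.pair(weak.login_password("alice"), "phone")   # constructed sample account
    # A second device paired from a mobile-key session inherits the same gap.
    weak.pair(weak.login_mobile_key("phone"), "tablet")
    strict = DataBoxModel(require_strong_pairing=True)
    blocked = False
    try:
        strict.pair(strict.login_password("alice"), "phone")
    except PermissionError:
        blocked = True                                  # password-only users are locked out
    strict.pair(strict.login_strong("alice"), "phone")
    return (weak.login_mobile_key("tablet").level, blocked,
            strict.login_mobile_key("phone").level)
```

With the strict policy the key keeps its "significant" level, but the password-only user can no longer pair at all, which is the trade-off the paragraph above describes.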
Why enter the data boxes?
Finally, I cannot resist a little sigh, as in the previous article on the upcoming mobile key: why does this come as a means of getting into data boxes? Let's emphasize: data boxes only. Why is it not a means of logging in to the National Identification and Authentication Point (NIA), operating alongside the new electronic ID card or "name, password, and SMS"? Then, using the new mobile key, it would be possible to log in to several different e-government services, not just data boxes. In general, to everything that requires the level of guarantee that a mobile key offers.
But this may be the crux of the matter: the state would have to implement some other method of "pairing" (with an identity in the basic registers), or rather another verification of a particular application on a given mobile device, with the required level of guarantee and available to those who do not have access to any data box. For data boxes, where you log in with "just" a username and password from the beginning, the guarantee levels are not much discussed – because one would have to admit that it is just "low", with name and password dominant. This is fundamentally at odds with the key legal steps you can take with the data box, with the most important legal consequences.
Finally, a small apology: the mobile key application prohibits taking screenshots. Apparently because it works with images (QR codes) and captures them, and is afraid that some other (malicious) application will abuse its images. I could not make a screenshot on my cell phone in any way available to me. So in this article, I have allowed myself to use some of the images from the help for the new way of logging in, found directly in the data boxes.