TUPAS is a strong digital authentication method created by the
Federation of Finnish Financial Services. TUPAS identification is a ''de facto'' standard for digital identification in Finland. It is used by all major
Finnish banks including
Aktia,
Osuuspankki
OP Financial Group is one of the largest financial companies in Finland. It consists of 180 cooperative banks and their central organization. "OP" stands for "osuuspankki" in Finnish, literally meaning "cooperative bank". The financial group has ...
,
Nordea
Nordea Bank Abp, commonly referred to as Nordea, is a Nordic financial services group operating in northern Europe with headquarters in Helsinki, Finland. The name is a blend of the words "Nordic" and "idea". The Nordic countries are considered ...
,
Danske Bank
Danske Bank A/S (, ) is a Danish multinational banking and financial services corporation. Headquartered in Copenhagen, it is the largest bank in Denmark and a major retail bank in the northern European region with over 5 million retail custome ...
and
S-Pankki
S-Bank Plc (, ) is a Finnish retail bank and wealth manager. It is owned by SOK Corporation and the regional co-operatives in the S-Group (), a Finnish retailing cooperative organisation.
S-Bank is the first so-called "supermarket bank" in Fi ...
(formerly Tapiola). Furthermore, TUPAS is used also by Finnish government to log into
Kansaneläkelaitos
Kela, abbr. from , (Fpa), (SII), is a Finland, Finnish government agency in charge of settling benefits under national Social security in Finland, social security programs. Kela was founded in 1937 to handle retirement pay. In the 1980s and 199 ...
and Finnish Tax Administration sit
vero.fi
The phasing out of TUPAS began in 2016. The final deadline to shut down the identification services was in September 2019, but all banks continued providing service past this date. TrafiCom has issued a warning that monetary penalties will be collected from services that have not shut down by end of November 2019, and ultimately warned that services using TUPAS for strong authentication would be shut down.
TUPAS was based on the Finnish law on strong electronic identification and digital signatures. The law requires strong identification methods to include at least two of the three following identification methods.
* Password or other similar that one knows,
* Chipcard or other similar that one possesses, or
* Fingerprint or other similar that is unique to the person.
Commonly the identification is done using a password and a list of single-use passcodes or a passcode device.
TUPAS was operated by the Finnish banks, and required service providers to negotiate contracts and perform integrations with each separate bank they deal with. As no real competition existed, TUPAS authentication was expensive to service providers. The eIDAS regulations provided the government with the opportunity to open up eID services to market competition. To that end, the Finnish authorities established the Finnish Trust Network (FTN), a framework that allows strong authentication service brokers to resell eID solutions in Finland using a single standardised service contract.
These eID brokers act as intermediaries between the identity providers (banks and telecom operators) and online service providers, which enables them to operate as 'one-stop-shop' resellers of eIDs, as well as giving them the capacity to manage contracts and technical integrations. This new competitive environment has removed the main obstacles to developing strong identification services by:
* Capping transaction costs between the bank and eID broker
* Eliminating administrative hurdles, with a single contract serving all Finnish banks
* Streamlining integration, with only one standard technical interface required
Traficom has recommended organizations to use an eID broker instead of directly connecting with eID providers.
References
External links
* http://www.fkl.fi/en/themes/e-services/tupas/Pages/default.aspx
Computer access control
Banking technology
Communications in Finland
{{computer-security-stub