• Introduction
  • Terms and concepts
  • Feedback
• Threats and attacks
  • User mistakes
    • Risk: Login by mistake
  • Harassment and coercion attacks
    • Attack: User annoyance
    • Attack: Denial of service attack against RP
  • Data leaks
    • Attack: User data mining
  • Phishing attacks
    • Attack: Phishing with fully automated website
    • Attack: Social engineering over phone
• Security measures for RPs
  • Effectiveness of proposed security measures
  • Requiredness and applicability
  • Mitigation of threats
  • Defence: implement ID-card authentication securely
    • Explicitly trust and reject CA certificates
    • Use OCSP to check for the validity of certificate
    • Only accept certificates with trusted issuance policy
    • Only accept certificates with trusted key usage
  • Defence: use distinguishing and well-known serviceName and displayText
  • Defence: ask users to select correct verification code with Smart-ID app
  • Defence: display information about last authentication to users
  • Defence: display generic error messages
  • Defence: show history of operations on the website
  • Defence: show details of transactions in the displayText with Smart-ID
  • Defence: ask for multiple or non-public user identifiers
  • Defence: keep track of trusted and unknown browsers
    • Description
    • Algorithm
    • Ask national identity number when connecting from unknown browser
    • Alert user with Smart-ID when connecting from an unknown browser
  • Defence: keep track of suspicious and malicious IP-addresses
    • Alert user with Smart-ID when connecting from suspicious IP-address
    • Verify human users with connections from suspicious IP-addresses
    • Block connections from malicious IP-addresses
  • Defence: carefully monitor website usage
  • Defence: respond swiftly and decisively to security incidents
• Personal data processing