26 May 2022

What do you prefer: a username and password or a new solution that is a million times more secure?

The user view of the app is very simple. The back office of the application, however, conceals a breakthrough that gives LeverID its value and reliability.

As Estonians, we are used to living in a digital society, which seems like utopia from an outside perspective. Levercode, a domestic company, is now ready to introduce our Estonian standard to the wider world. Oskar Poola, Chief Technology Officer at Levercode, talks about the new authentication and signing solution LeverID and explains who needs it.

What is the LeverID?

If you are a user of Smart-ID, you know how easy it is to log in to your bank and patient portal or digitally sign important documents without anyone asking for your ID card. This technology is based on public-key cryptography. Public keys are linked to the identities of the users - every Estonian citizen also has their own keys (no, unfortunately not the keys to their home or car). The public key infrastructure or PKI covers everything we as Estonians are very familiar with - digital signatures, authentication and encryption of the information exchange. PKI ensures that the message actually comes from the person it is supposed to come from and also goes to the person it is supposed to go to.

LeverID is an authentication and signing solution based on the latest cryptography. While many similar solutions use the RSA-based (wait a minute, we'll explain this concept in a moment) two-party signature scheme, LeverID uses Edwards elliptic curves. Named after three scientists - it is actually Rivest-Shamir-Adleman in full - RSA is the first cryptographic algorithm to qualify as a digital signature. The RSA scheme dates back to the end of the 1970s, so it should not come as a surprise that smarter solutions are available today.

As mentioned, LeverID uses Edwards elliptic curves instead. While RSA keys are long - more than 3000 bits in Estonia - LeverID gets things done with a shorter but no less secure key. For example, a 256-bit elliptic curve key should be as secure as a 3072-bit RSA key. Shorter keys need less resources - less pointless toiling needed for your hardware and the whole process is faster.

A more secure solution

The core value of LeverID resides in the way we generate keys. When you start using LeverID, only half of your private key will be transmitted to you initially. When you want to sign a document with your digital signature, you will transmit your incomplete private key to us, our security module will receive it and sign it with its private key.

For the user, this means double security. If you are attacked and someone tries to hijack your identity, they’ll be in dire straits going up against LeverID. Even if that malicious hijacker somehow gets a hold of one of your devices and is able to extract the key, that's only half the battle. They would still have to break into our infrastructure after that. Oops, maybe I shouldn't provided a public tutorial this way...

We are actually very security-conscious at Levercode, and our employees are technically very talented. This way, we are well protected against all kinds of attacks.

According to Oskar Poola, LeverID could be Plan B for Estonia.

We are used to our utopian digital society in Estonia, but in the rest of the world this industry is still very much in its infancy. Outside Estonia, there is no Smart-ID to make life easier, and often foreigners cannot even imagine that such possibilities exist. LeverID is a technology that we want to offer to the rest of the world and to introduce this technology at different levels of society. There are similar solutions elsewhere in the world, but this is the most secure yet.

And if one day Smart-ID doesn't work for some reason, it would be nice to have another login option in Estonia as well. LeverID could be Plan B for Estonia, but we are looking for regions with hundreds of millions of users - LeverID can issue 900 million identities. For example, there is strong interest in such solutions in South America.

How to become a LeverID user?

LeverID is currently under review in App Store, awaiting final approval, but customers are already queuing at the door. To start using LeverID, you need to go through a simple identification process that will check that you are who you say you are - you are required to send a photo and a short video of yourself, as well as a photo of your ID card. The last thing we want is to create a digital identity on false grounds.

The images and video you send will be inspected using OCR, or Optical Character Recognition software, and compared to ascertain the person on the document is definitely the same as on the image and video. Once the authentication process is completed, we can issue the certificates and you will become a LeverID user. The user view of our app is very simple. The back office of the application, however, conceals a breakthrough that provides LeverID with its value and reliability.

Logging in with LeverID can be integrated into any website - giving the user the choice of using a username and password or a solution that is many times more secure than anything else on the market today. It's only a matter of time before we all use LeverID instead of annoying passwords.

We also want to work with companies that are currently in the business of, for example, integrating Smart-ID login. Adding LeverID integration plan to your portfolio would give you the opportunity to grow beyond the limits of our jurisdiction – you could sell it even to Australia.

Share this article: