
Simon Willison’s Weblog

OpenID for all Estonians. 1.37 million Estonians will soon have OpenIDs, secured using smart cards. I’d like to hear more about how the smart cards help tackle phishing.


3 comments

  1. The way I understand smart cards is that they authenticate both the user (me) and the server (OP); so even if scammers have my login credentials they still need a valid card. Bear in mind that I don't know the technical background, so I might be wrong.

    Carsten Pötter - 24th May 2007 17:37 - #

  2. If you don't know smart cards, you possibly use at least one: your GSM SIM card. To use it you need both the card and the PIN. As authentication is based on RSA keys that reside, unreadable, inside your smart card, and you use your PIN code only locally (it is NEVER sent anywhere), it is not possible to get hold of anything sensitive. There are two methods supported by the given OpenID system: traditional eID cards that require a standard smart card reader, where it is possible to use keyloggers to get hold of the PIN code (you still need to get hold of the physical card to use the PIN for anything useful; you can prevent PIN theft by using a pinpad reader, where host software like trojans or keyloggers cannot be used, as the PIN never leaves the card reader hardware), or WPKI, 'RSA private keys in your GSM SIM card', where your GSM phone acts like a pinpad card reader that is available at every computer, even if there is no physical card reader attached to the computer. Unless your GSM phone software is compromised, you're safe.

    Basically you can always lure people into giving up sensitive information, but if you have used eIDs even a little bit you can tell the difference between the 'system user interface' that usually asks for your PIN code (the only thing to phish) and there being no way to get hold of it at all (pinpad smart card reader or WPKI with GSM SIM cards). And you need to steal the physical card as well.

    Please do send all your questions to me (martin@paljak.pri.ee) if you have any questions about this given service.

    Martin Paljak - 24th May 2007 18:33 - #

  3. There's a similar effort going on in Belgium: http://openeid.be/ (I do not know the status, however).
    About half of the Belgians have an Electronic ID card (= a smartcard) now, by 2009 all Belgians should have one.

    Pascal Van Hecke - 28th June 2007 10:39 - #
