Create "Secure zones", groups and topics that need user to login using QES #193

Open
ilmartyrk opened this issue Feb 4, 2021 · 6 comments
Labels
feature Adding a new feature or function.

Comments

@ilmartyrk
Member

ilmartyrk commented Feb 4, 2021

Basically, we could create join links that are sent out and that require the user to identify themselves using QES (Smart-ID, ID-card, etc.). So if a user is only logged in using e-mail-based channels, they cannot access this content.

  1. User creates a group/topics
  2. Then invites users using e-mail
  3. If the e-mail is already connected to a PID and the user logs in, he/she can access the content
  4. If the user has no PID connection, then after logging in they basically have a pending request to get access to the content, which then gets confirmed by the admin. (This step might be skipped, but it can possibly add an extra layer of security.)
  5. Each link is single use, so if the user has verified and has access to the content, the link cannot be used by anyone
@ilmartyrk ilmartyrk added the feature Adding a new feature or function. label Feb 4, 2021
@loorm
Member

loorm commented Mar 2, 2021

Triage 34. Can see the need. Can understand the idea. Designated under consideration. Needs a user story, dev time estimate, user need estimate.

@loorm
Member

loorm commented Mar 2, 2021

@tiblu Please have a look, we would appreciate your input on this.

@tiblu
Member

tiblu commented Mar 2, 2021

@loorm @ilmartyrk

Sounds like a good idea.

A few questions on the matter:

  • Do you need to log in using QES ONLY when joining the group/topics OR every time you access that group/topic? Or in other words - do we filter User content based on authentication method strength?
    • I can have an account with e-mail and PID connected to it. I can log in to this account with e-mail and QES if I wish to do so. IF I log in with a weaker authentication method - that is e-mail - can I see the content that requires QES AFTER I have already joined the group/topic?
  • Are we targeting personalized invites? That is, inviting a User by a PID; if the User does not exist, we create it and REQUIRE them to log in with that PID. I am thinking whether this task would include an invite flow where you invite people and check "require QES to log in" for all the people.

I know the comment is long and a bit repetitive, but I hope I get the questions through.

We might want to have a call on this, might be faster.

@KatiVellak

From a legal perspective, a much appreciated development.

@ilmartyrk
Member Author

@tiblu @loorm @anettlinno @kevincrepin
QES content will only be visible with QES login; this means that we store the current authorization method in session info.
In our UX/UI redesign we already have some initial designs for it to happen. I guess it makes sense to allow inviting users by PID, but this needs some further thinking.
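
Added example, not part of the issue thread and not CitizenOS code: a sketch of the flow proposed in the opening post (single-use e-mail invites, direct join for PID-linked accounts, admin-confirmed pending requests) combined with the per-session check described in the comment above. All function and field names, and the binding of a link to the invited e-mail address, are assumptions made for illustration.

```javascript
// Added illustration: every name here is hypothetical, not CitizenOS code.
const QES_METHODS = new Set(['id-card', 'smart-id']); // methods named in the issue

function createState() {
  return { invites: new Map(), members: new Map() };
}

// Steps 1-2: the inviter registers a join token for one e-mail address.
// Assumption: in a real deployment `token` comes from a CSPRNG.
function addInvite(state, token, topicId, email) {
  state.invites.set(token, { topicId, email, usedBy: null });
}

// Steps 3-5: redeem a join link for the logged-in session.
function redeemInvite(state, token, session) {
  const invite = state.invites.get(token);
  if (!invite || invite.usedBy !== null) return 'rejected'; // unknown or spent link
  if (invite.email !== session.email) return 'rejected';    // assumption: link bound to invited e-mail
  invite.usedBy = session.userId;                           // single use: spent from now on
  // A PID-linked account joins directly; otherwise an admin must confirm.
  const status = session.pid ? 'active' : 'pending';
  state.members.set(`${invite.topicId}:${session.userId}`, status);
  return status;
}

// Step 4: admin confirmation of a pending request.
function approveMember(state, topicId, userId) {
  const key = `${topicId}:${userId}`;
  if (state.members.get(key) !== 'pending') return false;
  state.members.set(key, 'active');
  return true;
}

// Evaluated on every request, not only at join time: membership alone is not
// enough, the current session must itself have been opened with a QES method.
function canViewTopic(state, topic, session) {
  const isMember = state.members.get(`${topic.id}:${session.userId}`) === 'active';
  if (!isMember) return false;
  return !topic.requiresQes || QES_METHODS.has(session.authMethod);
}
```

Because `canViewTopic` reads the authentication method from the session, a member who joined with QES but later logs in by e-mail does not see the protected topic.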

@loorm
Copy link
Member

loorm commented Mar 29, 2022

For this to start being useful, COS would need to add other QES solutions besides Estonian ones. There are many implemented solutions by now, in Europe and beyond. If our QES login is Estonian only, I'm doubtful if such a major feature is good value for time spent.

Projects
Status: Backlog - Later
Development

No branches or pull requests

4 participants