Online identification is easy
In the past, proving your identity meant long ways, limited opening hours, and often a lot of correspondence – today it can be done quickly and electronically. Identify yourself online, for example to attend to administrative matters or to open a bank account. The best thing about it: The chip on your ID card always checks the identity of the site requesting your data before transmitting any information.
Proof of identity: Prove your identity online, for example to open a bank account online. Login: Use your online ID card as an alternative to various usernames and passwords on the Internet, for example in online shops.Age verification: Verify your age online, especially to prove your legal age, for example at an online video store.Web form function: Use the online identification function to fill in web forms and applications from home. The verification of your data enables you to file applications with your citizen centre (Bürgeramt) digitally and with legal effect.Anonymous login: The anonymous login (pseudonym feature) allows you to register with a service provider using your ID card and to be recognized in the future without the service provider learning your personal data (for example in an Internet forum). You can use a unique pseudonym for each service, so that if you register with two services via anonymous login, they are unable to understand that the same person is registered with them.
Security and Privacy
Your data is secure! Only someone in possession of your ID card and with knowledge of your PIN is able to allow information to be transmitted. Your personal data is thus protected against abuse on the Internet.
Who is allowed to read out data? A service provider requires authorization (authorization certificate) from the Federal Office of Administration to request your data. This authorization is checked by your ID card each time any data is requested, so you always know to whom you are transmitting your data.
Which data will be read out? Before each data transmission, the data to be transmitted is shown. You can then accept the transmission or cancel the process.
When will data be read out? Your data will only be transmitted after you have confirmed your acceptance by entering your PIN.
Are third parties able to read data? The transmission is always encrypted, so third parties are unable to read any data.
2 Factor Authentication
Principle of Possession and Knowledge
The two-factor authentication serves to prove the identity of a user by means of the combination of two different and in particular independent components (factors).
The principle of possession and knowledge is used for German National ID cards, electronic residence permits and eID cards. Just the online ID with an activated online ID function is not sufficient for an authentication. For this purpose, the second factor knowledge of the assigned six-digit PIN is required.
Mutual Authentication Detection
Providers and Users Mutually Assure Each Other their Identity
Most authentication procedures determine only the identity of the user. The online identification function is based on the principle of mutual authentication: The user's identity is confirmed by both the use of the ID card and the PIN entry to transfer / release the requested data. The service provider is also obliged to identify itself. This is done by means of an authorization certificate which is to be obtained from the "Vergabestelle für Berechtigungszertifikate" at the Federal Office of Administration prior to offering said services. Only service providers granted such authorization certificates are allowed to offer services based on the online identification function.
Encypted Data Exchange via eID Server
The eID server consists of hardware and software components run by the service provider to integrate the eID function into its IT systems. The eID server fulfils the following tasks:
- It ensures the secure communication with the client software and the ID card's chip and transmits the data retrieved to the relevant service.
- It verifies the authenticity and validity of the ID card, examines whether it has been blocked by the ID card holder and transmits the results of the eID function to the other systems of the service provider.
- It regularly receives new authorization certificates from the authorization certificates provider and updated revocation lists.
As a service provider you can develop your own eID server as long as the hardware and software modules comply with the requirements of the relevant Technical Guidelines of the Federal Office for Information Security. This is necessary to execute cryptographic protocols with the new ID card's chip and regularly receive the required authorization certificates and revocation lists.
For more information visit www.personalausweisportal.de.
There are various technical guidelines and protection profiles for the different electronic ID documents. These refer to both the documents and the readers, ranging from application via issue through to readout.
A list of all of the technical guidelines, sorted according to the TR-number is provided on the website of the Federal Office for Information Security.