Federal Office for Information Security (BSI)

German eID

In the course of the digitisation of business and governmental processes, secure electronic identification is of crucial importance in order to enable trust in electronic services.
The German eID is designed to provide this trust. The system is based on government-issued chip cards with certified chips and strong cryptographic protocols, namely

  1. German identity cards (Personalausweis) issued to German nationals, and
  2. German resident permits (Aufenthaltstitel) issued to non-EU nationals living in Germany.

[Figure: Der Personalausweis (the German identity card)]

The chip of the German eID card stores the personal data of the holder and serves as security anchor for the protection of this data and the authentication of the holder.
The German eID uses two authentication factors, “possession” (the eID card) and “knowledge” (a 6-digit PIN). The eID card stores the personal data and the keys needed for authentication. The PIN is required to express the holder's consent and to start the authentication process.

Mutual authentication

Looking at the real world, the holder of an ID card usually knows to whom or to which institution she or he is proving her or his identity, since the identification takes place at the premises of a company or a government office. The holder shows the ID card directly to the relying party.

The German eID transfers these principles into the digital world. The basic principles of electronic identification with the German eID are based on

  • the mutual authentication between the chip of the eID card and the relying party (or service provider), meaning that not only the holder of the eID authenticates via the eID to the relying party, but also the relying party authenticates directly to the chip of the German eID,
  • the direct communication via a secure, end-to-end protected channel between the relying party and the chip of the eID, without any third party involved.

[Figure: Mutual authentication between card holder and service provider]

Access to any data is only possible after successful authentication of the relying party and verification of the corresponding access rights.

However, unlike signature-based eID schemes, the relying party receives no permanent proof of identity. From a data protection point of view, this has the advantage that the relying party cannot prove the authentication to a third party.
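The access rule just described (the chip releases data only to an authenticated relying party, only within its granted access rights, only with the holder's PIN consent, and without producing a transferable proof) can be modelled in a few lines. The following Go program is an added illustration, not BSI code and not the General Authentication Procedure itself: the issuer key, the relying party name `shop.example`, the sample PIN and data fields, the comma-separated rights string and the HMAC session key are all constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Chip models the eID chip: holder data, PIN, and the key of the issuer that grants access rights.
type Chip struct {
	PIN    string
	Data   map[string]string
	Issuer *ecdsa.PublicKey
}

// RightsDigest binds a relying party's name to its comma-separated access rights; the issuer signs it.
func RightsDigest(rp, rights string) []byte {
	h := sha256.Sum256([]byte(rp + "|" + rights))
	return h[:]
}

// ReadData releases fields only after holder consent (PIN), successful relying-party
// authentication (the signed rights verify) and an access-right check per field. The reply
// carries an HMAC under a key shared with this party alone, so it proves nothing to third parties.
func (c *Chip) ReadData(pin, rp, rights string, sig []byte, want []string, key []byte) (map[string]string, []byte, error) {
	if pin != c.PIN {
		return nil, nil, fmt.Errorf("PIN rejected: no holder consent")
	}
	if !ecdsa.VerifyASN1(c.Issuer, RightsDigest(rp, rights), sig) {
		return nil, nil, fmt.Errorf("relying party authentication failed")
	}
	out, mac := map[string]string{}, hmac.New(sha256.New, key)
	for _, f := range want {
		if !strings.Contains(","+rights+",", ","+f+",") {
			return nil, nil, fmt.Errorf("no access right for %s", f)
		}
		out[f] = c.Data[f]
		mac.Write([]byte(f + "=" + c.Data[f] + ";"))
	}
	return out, mac.Sum(nil), nil
}

func main() {
	issuer, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed issuer key
	chip := &Chip{"123456", map[string]string{"name": "Erika Mustermann", "address": "Berlin"}, &issuer.PublicKey}
	sig, _ := ecdsa.SignASN1(rand.Reader, issuer, RightsDigest("shop.example", "name")) // rights: name only
	key := sha256.Sum256([]byte("constructed session key shared by chip and relying party"))
	got, _, err := chip.ReadData("123456", "shop.example", "name", sig, []string{"name"}, key[:])
	fmt.Println(got, err) // map[name:Erika Mustermann] <nil>
}
```

Requesting `address` with the same authorization, widening the rights string without a new issuer signature, or entering a wrong PIN all make `ReadData` return an error and no data.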

Authentication mechanism

The authentication mechanism of the German eID is the General Authentication Procedure specified in BSI TR-03110.

Overview of the German eID

[Figure: Authentication mechanism]