Tomorrow’s ID cards, driving licences and the like will no longer be confined to a plastic card: In future, users will manage their ID documents themselves in digital form – kept in a so-called “wallet” saved on their smartphone. In EU countries as well as in Switzerland, the procedure for so-called eID (electronic identity) is currently subject to hot debate – or even already undergoing trials in pilot projects to assess its practicality. But how secure actually is the eID?
Taking Germany as an example: In September 2021, the German Parliament created the legal basis for being able to store documents such as identity cards, residence permits or driving licences in electronic form on a smartphone with the German Act on the Introduction of Electronic Proof of Identity on a Mobile Device (Gesetz zur Einführung eines elektronischen Identitätsnachweises mit einem mobilen Endgerät). The practical introduction of so-called Smart eID has been postponed several times in recent years: The most recent target date of December 2021 was missed.
Preliminary failure of ID Wallet
One reason for the latest delays in Smart eID is likely to be the failure of the “ID Wallet” app in September 2021. The digital wallet was originally supposed to store a “basic ID” derived from the ID card along with a digital version of the driving licence – “ID Wallet” would therefore be a kind of “Smart eID light”, which neither included all the planned functions of Smart eID nor fulfilled all the security requirements developed for this by the German Federal Office for Information Security (BSI).
Shortly after the app’s release on 23 September 2021, independent security experts discovered how insecure the “ID Wallet” actually was: Instead of accessing a fixed server of the German Federal Motor Transport Authority (KBA) when checking driving licences, the program could be redirected to any computer on the internet using manipulated QR codes – an ideal scenario for criminals to steal identity data. In view of this vulnerability to so-called “man in the middle” attacks, the German government was forced to remove the “ID Wallet” from app stores after a few days. Since then, the project has officially been in development and testing again; there is no new launch date.
Built-in security? The Smart eID
The preliminary failure of “ID Wallet” shows how many pitfalls there are lurking in e-government. If, as in this case, basic security principles are not observed, it’s not only the individual app that’s affected – the trust of citizens in new types of digital IDs is also at risk of a serious setback. Smart eID has set out to do a lot better here. Past mistakes must not be repeated, especially in terms of security.
For this purpose, the Smart eID procedure relies, among other things, on the so-called Secure Element – a chip integrated into newer smartphones that can be used for the encrypted storage of confidential data. This “hardware trust anchor” is initially supported by the Samsung smartphones S20 and S21 as part of a test phase. In the course of the further development of Smart eID, the BSI intends to continuously expand the list of approved end devices.
From map to smartphone
But how does the identity card get onto a mobile phone? The prerequisite for Smart eID still involves identity in the form of a plastic card – this card must have the eID function activated. The “AusweisApp2” designed for Smart eID is installed on the smartphone. Then users can start the one-time transfer of their personal data in the app: To do this, the ID card is positioned on the NFC interface of the smartphone. The data transfer is confirmed using the personal six-digit PIN that every ID cardholder has received to secure the ID function. For mobile identity on the smartphone, only a new six-digit PIN now has to be assigned – then the transfer is complete, and Smart eID is ready for use.
Although interested parties currently have to be patient, Smart eID is in the starting blocks for 2022. The fact that the German government is taking its time with the introduction is understandable in view of the difficulties with the “ID Wallet”. The security functions – which are far better designed in comparison – already suggest that Smart eID is the more mature product. How it will perform in practice – and in particular whether people will accept the online ID – will only become clear in the years after its introduction.