Language:
Frau am Laptop

A Simple Explanation of Digital Identities

Published 29.02.2024

More and more services are now being offered online. Digital identities are needed to create trust between the users and providers of these services. But how exactly do they work? Which types are safest? And what do they have to do with European digital identity? Here we explain the concept of digital identity in simple terms.

What Is a Digital Identity?

What precisely constitutes a person’s identity depends on the context and is therefore always a matter of interpretation. However, even those engaged in sociological and philosophical debate can probably agree on one certainty: A person’s identity is unique. And to verify a person beyond all doubt, just a few physical attributes – height, facial image and fingerprints – are enough, along with personal data such as name, date of birth and registered address. We are clearly identifiable on the basis of these features and data. 

“Please present your ID!” is what we are told whenever we register a vehicle, submit an application at a government office, or open a bank account. But all this, and much more, has long been possible online. And where there is no one who can verify our face or take our fingerprints in person, we need digital identities. 

 

The Definition of Digital Identities

The digital identity brings trust into the virtual space. It makes it possible for a natural or legal person to use certain online services. To do this, the digital identity links various electronic features that make this person unique on the Internet, such as their surname, first name, address and date of birth. The person can use these attributes to authenticate themselves on a platform and prove their identity. Secure digital identities therefore form the foundation of a functioning digital economy.  

In fact, we have to verify our identity online even more often than in the “real world”. While we can remain anonymous when buying new jeans in the store by paying with cash, this is difficult in an online store, especially when the “on account” payment method is used. However, since we shop online in much more than just one store, it is hardly surprising that the average European had more than 90 digital identities in 2020. The typical approach has always been for a person to create a separate user account on each online platform whose services they use. New identity attributes are stored and linked, and as such, yet another digital identity has been created. 

Technical Basics of Digital Identity

Nowadays it is becoming increasingly evident that this identity inflation won’t last much longer. In any case, the evolution of digital identity has been underway for a long time. In other words: There are convenient solutions for breaking through data silos. However, not all of them prioritise the user’s well-being.

The Conventional Silo Identity

To understand the evolution, it is first worth taking a look at the isolated digital identity, also known as a “silo identity”, which remains prevalent. For a long time, the number of these held by each user was increasing along with the number of services available online. The concept: Users register for the services by linking personal data such as their name, date of birth and address with a username and password: first with online mail order companies, later with local public transport, various streaming services and then with bike- or car-sharing providers. The result is dozens of identities that are not compatible with each other. They force the holder of the identity to organise dozens of username/password combinations in order to authenticate themselves on the site.

Digital Identities with Single Sign-On

The increasingly popular single sign-on (SSO) approach pursued by global tech giants such as Google and Meta solves the chaos of the username/password paradigm. The basic idea of SSO is as follows: Users can also use the digital identity they have created with one of the large corporations to authenticate themselves on the platforms of smaller providers. In this model, the large corporation acts as an identity provider (IDP), which stands between the user and the service provider, i.e. the smaller platform. Since all relevant data is stored with this corporation, it can confirm the digital identity of the authenticating person to the requesting service provider. This is obviously very convenient. However, the concept undermines the data sovereignty of the individual. This is explained in greater detail below. 

 

Sovereign Digital Identities – the State as Identity Provider

The state acts as a provider of digital identities without any commercial interest. With BundID, the Online Access Act has created a user account through which natural persons and legal entities can apply for administrative services online and receive electronic documents from government agencies. 

Since it is highly relevant for registration, the online ID card is closely linked to BundID. In 2010, Germany introduced the ID card with the eID function. All personal data and biometric features that also define the “analog” identity of a citizen are stored on the chip of the smartcard. Thus, the chip converts the ID card into an online ID that citizens can use to prove their identity electronically to public and private entities. The legal basis for this is provided by Section 18 of the German Act on Identity Cards and Electronic Identification (PAuswG). 

 

Instead of placing their digital identity in the hands of platform operators and the like, Germans can use the eID, ideally always carrying it with them in their wallet. In addition, the EU citizen card and the German electronic residence permit can also be used as an eID.

The process in a nutshell: A person registers with the service provider by identifying themselves using their online ID. To do this, they hold their ID card up to an NFC-enabled smartphone or card reader. They then enter their personal PIN and all the necessary data is automatically sent to the service provider. If the person wants to authenticate themselves again later, the process is as simple as during registration.

Hand holds an ID card against an NFC-enabled smartphone.

One hand holds an ID card against an NFC-enabled smartphone.

Silo identities and single sign-ons are still used more frequently than online ID cards. However, more and more people are now using the online ID function for secure digital identification. Besides a number of banks, the pioneering organisations in this area currently include the German employment agency, pension insurance fund  and Federal Government. To obtain a German KulturPass, those born in 2005 are required to identify themselves with their online ID in order to verify their year of birth.

Smart eID: Online ID Card on your Smartphone

The Smart eID is designed to allow the online ID card to be stored directly on the user’s smartphone. It is not yet clear exactly when this will happen, but the Smart eID Act has been in force since September 2021. With this digital ID card, a physical card would no longer be necessary for use of the online ID function.

Excursus: Trust Services and Certificates as Proof of Identity

Electronic certificates and the trust services defined in the EU’s eIDAS Regulation are inextricably linked to the future of digital identities. While personal certificates verify identities in e-mail communication and network access, website certificates show who is providing an online service. In contrast, machine certificates confirm the identity of devices, thereby creating trust in the Internet of Things (IOT) and Industry 4.0.

How informative certificates are, however, depends on the identity check that precedes the request. With qualified EV TLS certificates for websites, for example, this check includes identification with an authorised signatory or their representative.

In turn, trust services such as electronic signatures and seals in accordance with the eIDAS Regulation verify the identities of natural and legal persons on documents. There are also differences here. For example, the qualified electronic signature is so trustworthy – not least due to its comprehensive advance identification – that it has the same legal effect as a handwritten signature.

Summary: Who is Involved with Digital Identities?

The basic explanations of silo identities, SSO, SSI and online ID already say a lot about what is relevant for digital identities. Below is a brief overview:

Who is Involved with Digital Identities?
Isolated Identity / Silo Identity Single Sign-On Online ID Card (eID / Smart eID)
User: Natural persons or legal entities use the digital identity to authenticate themselves for online services. User: Natural persons or legal entities use the digital identity to authenticate themselves for online services. User: Natural persons or legal entities use the digital identity to authenticate (or identify) themselves for online services. They are in possession of the identity.
Service provider: As the operator of the website, it provides users with their digital identities. Therefore, in the silo model, it acts as an identity provider itself. Service provider: As the operator of the website, it provides users with online services. Service provider: As the operator of the website, it provides users with online services. By integrating the online ID card via various identification procedures, it can either provide the electronic proof of identity itself or have an external identification service provider take over the process of authenticating (and, if necessary, identifying) users.
Identity provider: A tech company assumes the role of identity provider by confirming the identity of a user for service providers. Issuing authority: The online ID card is implemented by Bundesdruckerei GmbH. However, the respective registration authority is responsible for issuing it.

Security, Data Protection and Regulation for Digital Identities

Self-determined identity management? Sounds good! But how secure are forms of evidence on a smartphone? Far more secure than user data held by service providers and large platform operators. This is because data protection and data sovereignty play a subordinate role at best here.

Isolated Digital Identities: Every Password Can Be Cracked

If 90 different digital identities meant 90 different passwords, this would actually be good news. Hackers would have more work to do and would perhaps be less keen to steal data. However, it is often the case that the same password is used for online banking as for streaming and mail order sites. And whether this password is strong enough, with the inclusion of special characters etc., is another matter entirely. Password managers can help those who prefer to make things easy for themselves. If hackers crack these tools – as was the case with LastPass in late 2022 – they gain access to all associated accounts. Another problem is that most passwords can be reset without much effort. As a result, each of them is only as secure as the password of your personal email account, as noted in the article “Strengthening Trust” by digital association Bitkom.

Two-Factor Authentication Provides Security

This means that, in the case of silo identity, an individual has only limited control over their data. They are stored by the respective service provider on a server whose location and vulnerability to cyber attacks are usually not well known. Two-factor authentication (2FA) provides additional security. Simply entering the password is no longer sufficient. This means that a second safety factor is required as well. As a new development, this can be a one-off confirmation code sent to a smartphone by text message or phone call. Biometric features such as a fingerprint can also function as a second factor, as can a USB token or – in a doctor’s surgery, for example – a chip card.

Silo Identities: Lack of Control

Regardless of whether 2FA is used or not: There is another problem with silo identities: In many cases, the identity attributes stored in the account are not the only data that make up a user’s identity. Many definitions also consider behavioural data that the respective service provider automatically generates to be part of a digital identity – search histories, purchases, locations or access times, for example. “IT services use these digital identities to advertise and/or sell them to other companies”, writes Norbert Pohlmann, the Chair of the German IT Security Association (among other things), on his website. “They mainly do this when using the ‘paying with personal data’ business model.”

Single Sign-Ons: Dependence over Self-Determination

This business model is inextricably linked to global tech giants. And their single sign-ons also force users into a strong dependency relationship. “If the provider were to decide, for whatever reason, to delete my account, then this means I would be unable to access all services for which single single-on is used”, explains Helge Michael, IDunion Project Manager at NEosfer, as an example during an interview with the Bundesdruckerei Group.

“If the provider were to decide, for whatever reason, to delete my account, then this means I would be unable to access all services for which single single-on is used.”

Helge Michael, IDunion Project Manager

However, it is not possible to transfer the data to another account on a pro forma basis either. Other disadvantages listed by Michael include the vulnerability of central group servers to hackers, plus data correlation, which gives the SSO provider an insight into what users are doing under their digital identities on other platforms. According to Michael, “If a user logs into a dating website during working hours, then the provider instantly knows the identity of the person in question.” In the SSO model, users relinquish control over their data and do not know what happens to it. The only thing certain is that the tech giants will exploit this data commercially.

According to some legal experts, therefore, single sign-ons are also problematic in terms of data protection law . With SSO, the websites do not always obtain explicit consent that would allow platform operators and service providers to exchange data such as user behaviour.

Maximum Security through (Smart) eID

Those who use sovereign digital identities do not need to worry about data security or control either. With BundID, for example, all data is managed in compliance with GDPR/taxonomy/term/415. Moreover, users are free to log in with their online ID, which is only found in their wallet or on their smartphone, instead of with a password. This provides them with complete security on the go. The German ID card is considered to be one of the most forgery-proof identity documents in the world. And this is also true in the virtual world. The German Federal Ministry of the Interior summarises the central security mechanisms of the online ID card on its ID card portal as follows:

A special form of two-factor authentication: In order to use the sovereign digital identity, a person must be in possession of an ID card and know their personal, self-chosen PIN. And while cyber criminals can access the mailbox when resetting a password by email, resetting a personal PIN requires an – admittedly quite customary – trip to a government office.

Full control during data transmission: Users can only transmit their data to a service provider after they have held their ID card up to a smartphone or card reader and entered the PIN. The user retains control of the reading process – even if the physical document has been lost.

Mutual authentication: When using the eID, a person is authenticated to a website. The operator then authenticates the person, i.e., establishes their genuine identity using the online ID. However, the service provider itself also identifies itself to the eID. Only once its authenticity has been verified can the data transfer take place – with end-to-end-encryption.

The eIDAS Regulation and its Requirements for Digital Identities

Just how secure the online ID card is also becomes clear when you look at the European Union’s eIDAS regulation. This set of rules for “Electronic Identification, Authentication and Trust Services” created the framework conditions for cross-border electronic identification in Europe in 2014. With regard to the digital single market, its purpose is to allow every citizen in every Member State to prove their identity completely digitally for administrative processes or when opening a bank account.

A woman holds a tablet and sits at the table.

A woman holds a tablet and sits at the table.

Since 2018, Member States have been able to voluntarily notify the European Commission of the eID systems of other EU countries. The lowest level of trust is called “low”, the medium level “substantial” and the highest level “high”. Notification is followed by mandatory recognition of the eID. Germany’s online ID function satisfies a high level of trust. This means that the online ID card, the eRP or the EU citizen card can be used in any area where a Member State provides for electronic identification at the “high” level or below. 

The voluntary notification system and the fact that many EU Member States still have not introduced their own eID were decisive factors in the revision of the eIDAS amendment. eIDAS 2.0 now obliges Member States to provide their residents with a digital identity that can be used automatically across borders thanks to harmonised standards. More on this later as well.

 

Security Plus: Identification with Digital Identities

The identification provisions of the eIDAS Regulation highlight another advantage of the online ID card. In contrast to isolated identities and single sign-ons, a sovereign digital identity not only allows people to authenticate, but also identify themselves. In this process, people need to clearly identify themselves. In the “real” world, they must present a valid identity document. Based on a passport photo and biometric data, the service provider checks whether a person really is who they say they are. Online, identification can basically be described as “registration plus”. During normal registration, a person only specifies who they are. During identification, they provide direct proof of this claim. And like photo ID cards (such as ID cards and passports) in the analog world, the online ID card is the only legally watertight means of identification in the virtual world.

The Background of Electronic Identification in Germany

Electronic identification is mandatory if users wish to make use of a particularly sensitive service – a service for which flawless identity verification is essential, even in the analog space. This includes applying for digital administrative services or opening a bank account, for which the German Anti-Money Laundering Act (GwG) requires a thorough identity check. According to the German Telecommunications Act (TKG), anyone wishing to conclude a new mobile phone plan also needs to clearly identify themselves using a valid official (identity) document.

Currently, there are a handful of identification procedures that service providers can integrate for identifying users online. The two procedures based on the online ID card are not only the most convenient from the user’s and the service provider’s points of view, but also the most secure. They are the only two identification procedures that fully comply with the requirements of the GwG, the TKG and the eIDAS Regulation. eGovernment, which is gradually picking up speed in Germany, will also benefit from the online ID card, regardless of whether it is stored on the chip of an ID card or directly on a smartphone.

The German Online Access Act (OZG) explicitly provides for the use of the eID. This means that a person can also use it to register for the BundID – the user account for public administration services – and authenticate it later on if desired. And this can be done at the highest level of trust. In contrast, the other option – identification with the ELSTER certificate – “only” meets the requirements for a “substantial” level of trust.

Identification with the Online ID Card for other Identity Credentials

As a notified means of identification according to eIDAS, the online ID card is also used to apply for trust services defined in the regulation, which in turn serve as digital proof of identity on documents. For example, qualified electronic signatures are used by natural persons to prove their identity, while qualified electronic seals are linked to legal entities. Healthcare professionals can use the eID to identify themselves for electronic health professional cards (eHBA) and practice ID cards (SMC-B).

Current Context for Digital Identities:

Acceptance of Digital Identities

The online ID card undoubtedly has potential for electronic identification and authentication. A survey conducted by Bundesdruckerei GmbH in 2020 also suggests that people in Germany would be quite happy with a sovereign identity solution. When asked who should issue digital identities, 49 per cent named the state. Eight per cent would prefer to receive their digital identity directly from the European Union. Private providers from Europe accounted for just one per cent of the votes. US companies ranked in the per mille range.

Admittedly, nearly one third of respondents (29 per cent) stated that they did not intend to obtain a digital identity from any of the providers mentioned. Nevertheless, the state ID seems to enjoy a certain level of acceptance. eGovernment MONITOR 2023 confirms this, with 53 per cent of the study’s respondents supporting the idea of a uniform identification option. One in two people would like an online ID card for this purpose. As many as 85 per cent of its users are in favour of it.

Using the Online ID Card

The problem is that the use of the online ID card lags far behind its acceptance and awareness. In eGovernment MONITOR 2023, 62 per cent of respondents said they were – more or less – familiar with the term. However, only 14 per cent said they have already used the online ID function at least once. This is an increase of four per cent compared to the previous year, but it is still not enough. Only 30 per cent have activated their personal PIN, which is what makes the digital identity usable in the first place. Among users, Generation Z stands out with 28 per cent, and the baby boomer age groups rank at just 10 per cent, while the number of users in Generation X has grown by 6 percentage points to 14 per cent.

So what is stopping people from using the online ID card? It certainly does not seem to be due to excessive complexity. Only 17 per cent of eGovernment MONITOR respondents consider the concept to be “too complicated”. Only 21 per cent responded with “I don’t see any benefit/advantage to it”. Meanwhile, 38 per cent of participants indicated that they were hesitant due to a lack of knowledge about the possible applications. This contingent was the largest in the study. Apart from lack of awareness, the use of the online ID card is also likely to suffer from the fact that there are still no specific use cases in the private sector.

Application Fields: Online ID Card, Smart eID, eGK and eHBA

Where the Online ID Function is Used

Many different application scenarios are possible. Basically, the online ID card can be used for the following:

  • Identification for sensitive services, such as in the financial sector
  • Login or authentication, in contrast to the insecure username/password combination
  • Pseudonymous or anonymous login – users register with service providers such as a forum operator but do not disclose their personal data
  • Age verification, such as for certain online stores, media libraries, or streaming sites
  • Form function for filling out applications, etc.

It is already possible to use the online ID to apply for parental allowance, German federal student loans (BAföG) and even vehicle registration services in a fully digital process. And, at least indirectly, it gives citizens access to every other administrative service that is to be digitised in accordance with the German Online Access Act (OZG). The key is this very ability of people to identify themselves with the online ID function for the BundID at the highest level of trust and to use it for authentication in connection with that user account. The registration process for the federal government’s KulturPass only works with the state eID.

In addition, German citizens can use their online ID to identify and authenticate themselves for the digital pension overview with the Deutsche Rentenversicherung Bund (German Federal Pension Insurance). Health insurance fund Pronova BKK has also integrated the digital identity to enable insured persons to identify themselves for its web service. In the private sector, for example, ING and comdirect offer new customers the opportunity to identify themselves online when opening securities accounts and current accounts.

The AusweisIDent easy project by Governikus and D-Trust, the trust service provider of the Bundesdruckerei Group, demonstrates that service providers are interested in integrating the sovereign eID. The partners offered companies, public authorities and educational institutions 100 test packages of their AusweisIDent service, which were sold out within three months . This could mean that, in the next survey, more people will be familiar with specific use cases for the online ID card. Particularly the handy Smart eID could lead to an increase in applications and break down usability-related barriers.

Digital Identities for the Healthcare Sector

People can already register for special health insurance web services using their online ID card. Thanks to the Digital Supply and Care Modernisation Act (DVPMG), even more will be possible soon. The reason for this is the health ID, which every insured person will be able to create starting in 2024. This six-digit code will be used to register for various digital applications, including the heart of the telematic infrastructure (TI), the electronic patient file (ePA) and the ePrescription.

The plan is to use an electronic health card (which will soon be available on smartphones) and the corresponding PIN for the identification process. In contrast, the Techniker Krankenkasse health insurance fund also relies on the online ID function. According to TK CEO Jens Baas: “With the online ID function of the ID card, Germany already has a secure procedure for digital identification.” “It is needlessly complicated to make insured persons use a separate process with an insurance card and PIN for healthcare applications. That is why we also offer registration with an ID card.”

eHBA and SMC-B: Identities for Professional Groups and Institutions

Doctors and other healthcare professionals also need access to TI applications such as the electronic patient file (ePA) – provided that the insured persons have authorised them to do so. To this end, they use their electronic health professional card (eHBA), which allows them to identify themselves as members of their profession on the telematics infrastructure and – thanks to QES – process documents such as the electronic doctor’s letter, the e-prescription or the e-medication plan. Doctors prove the identity of their institution with the practice ID card – referred to as SMC-B. The eHBA and SMC-B offer further digital identities in the healthcare sector.

Both ID cards are still available as chip cards – with D-Trust GmbH, this is possible even after electronic identification with the online ID card. As part of TI 2.0 designed by gematik, however, it is planned for professional and institutional ID cards to be available virtually in the medium term. The SM-B institution certificate SM-B from D-Trust – initially intended for health insurance companies, health insurance (dental) associations and other organisations – offers an authentication option which requires no hardware.

What Does the Future of Digital Identities Look Like?

Whether as a card or certificate, the eHBA and practice ID card broaden the perspective on the topic of digital identities. At any rate, a person is defined by more than their name, address or biometric characteristics. Identity also includes job-related attributes such as educational qualifications or what a person does for a living. With their eHBA and SMC-B, doctors and physiotherapists can even explicitly document one of these facets in the TI. However, the scenarios in which electronic records can digitise processes extend far beyond the healthcare sector. The European Commission was also aware of this when it drew up a proposal for reforming the eIDAS Regulation in 2021.

The EUDI Wallet as a European Digital Identity

In the form adopted by the Commission, the EU Parliament and the Council of the European Union in the trilogue procedure on 8 November, eIDAS 2.0 contains two groundbreaking regulations for a European digital identity. The first provides for new trust services, such as Qualified Electronic Attestation of Attributes (QEAA). In brief, the principle is as follows: A reliable institution digitally verifies that a natural or legal person fulfils a certain characteristic – or attribute.

As a “state-authorised primary source”, the central vehicle register of the Federal Motor Transport Authority (KBA), for example, could electronically certify that a person is authorised to drive a car. Attributes from other “primary sources”, such as university degrees, could be confirmed by a qualified trust service provider. QEAAs are therefore none other than digitised certificates and authorisations.

This brings the second decisive eIDAS 2.0 Regulation into focus. This is because, ultimately, the QEAA is to be stored securely in the EUDI Wallet (EUDIW). Every EU Member State is required to make this digital wallet available to its citizens by the end of 2026. The EUDIW bundles important evidence, can be used across borders and is based on Personal ID Data (PID), which in Germany will most likely be based on the online ID function. Thanks to the European digital identity, smartphone owners can verify both basic characteristics as well as professional affiliations, authorisations or qualifications to service providers in a matter of seconds.

For example, anyone applying for a job could use the wallet to submit a university or vocational school certificate, and possibly certificates from further training courses as well. Anyone wishing to book a rental car submits a digital driving license certified directly by the German Federal Motor Vehicle Transport Authority (KBA). And anyone who has to log on to the telematics infrastructure to access the ePA probably will not have to insert a chip card into a terminal any time soon. In short: The EUDIW facilitates many online services and enables fully digital processes.

The Ecosystem Surrounding the European Digital Identity

The Ecosystem Surrounding the European Digital Identity
Institution Function
User A natural person or legal entity as the holder of the EUDI Wallet.
PID provider A state provider provides a user with their Personal ID Data (PID). The PID is just the basic identity of that person and may be created in Germany using the online ID function.
State-authorised primary source A state agency or registry that issues a specific form of evidence in the analog world and can store an Electronic Attestation of Attributes (EAA) in the wallet if it is notified in the EU. EAAs from government-authorised primary sources automatically have the effect of the original form of evidence.
Non-state-authorised primary source A reliable source that would issue a specific form of evidence in the analog world but whose EAA has no evidential value at the QEAA level. Non-state-authorised primary sources may be public and private institutions.
Qualified trust service provider Qualified trust services are on the eIDAS Trusted List of the respective EU Member State. QEAAs are issued by the trust service providers listed there.
Verifier / relying party The service provider with whom users can authenticate themselves or to whom they wish to present an attribute.

Citizens Retain Their Data Sovereignty

The EUDI Wallet makes the exchange of identity and attribute data more convenient and trustworthy. All personal data is stored in a protected environment on a smartphone or tablet. Citizens retain control over their data and decide for themselves what information they share and with whom. The principle of data minimisation also guarantees that only absolutely necessary information is shared. In addition, eIDAS certification ensures that the EUDI Wallet meets the highest security standards. In order to be recognised as a means of identification in a Member State, the EUDI Wallet has to be certified to the highest level of trust pursuant to eIDAS. It can essentially be described as a self-determined digital identity. Its ecosystem basically functions like that of a self-sovereign identity (SSI).

In terms of self-determination, the large digital companies listed as “gatekeepers” in the EU’s Digital Markets Act are required to accept the wallet. And according to Patrick von Braunmühl, Head of Public Affairs at Bundesdruckerei GmbH, the wallet has to be able to compete with SSO in order to be accepted: “As unpopular as visits to government agencies are, citizens don’t really have to deal with many of them in a given year.” Strict eGovernment use of the EUDI is not enough. “But if we succeed in making the ID Wallet as usable as a single sign-on, things will look different”, says Braunmühl. “Then the argument of data sovereignty would really carry weight, and people would use the state-authorised solution.”

“It is now important for national identity solutions to be implemented interoperably. The implementation also needs to be considered: It is necessary to set the course here to make it possible for both administrations and private companies to actually accept the eID solutions of the wallet from the very outset. This is the only way we can enable the widespread use of secure, digital identities.”

Christian Wilke, Managing Director of the Secure Digital Identity Association on the EU Commission’s proposal for eIDAS 2.0 (2021)

Wallet Prototype Tested

What exactly the EUDI might look like is currently still at the conception stage. The European Blockchain Service Infrastructure (EBSI) is a distributed ledger solution operated jointly by the Member States. However, a group of experts from the EU and the Member States has published a toolbox for the technological infrastructure – the Architecture and Reference Framework (ARF) – independently of this. The technical specifications within which the Wallets of the Member States are to be created are derived from this toolbox. They also apply to a wallet prototype that is currently being developed on behalf of the EU Commission.

The German Federal Ministry of the Interior and Home Affairs (BMI) has already started an architecture and development process for its own prototype of the German EUDI Wallet based on the toolbox. The first step was taken with a consultation process involving associations, companies, academia, the administration and civil society organisations. The entire development process is to be as transparent as possible and can be viewed at any time via the Open CoDE platform.

Four major projects, referred to as Large Scale Pilots (LSPs), are running in parallel across Europe to test various cross-border use cases. More than 250 private companies and authorities in 25 Member States, as well as in Norway, Iceland and Ukraine, are testing the wallet application in cross-border trials in the LSPs.

Digital Identities as an Association Matter 

The European Digital Identity (EUDI) is a milestone for the future of digital identities in Europe. However, due to the different technologies and the large number of interest groups, it is currently impossible to plot a linear path to a dominant ecosystem. The only absolute certainty among experts is with regard to the added value of digital identities for the internal market and trust in the digital space itself. And it is precisely because this added value is so immense that strong initiatives are needed to advance this area. With its “Digital Identities Working Group”, the industry association Bitkom could play an important role in this. The committee – which includes a representative of D-Trust GmbH – seeks not only to raise awareness among companies and politicians, but also to promote the harmonisation of regulations and to keep the debate on digital identities open to all technologies. 

Another body is the Secure Digital Identity Association (VSDI), which also closely monitored the legislative process surrounding the European ID wallet. Like the Bitkom working group, the VSDI advocates for close cooperation between the state and industry when it comes to digital identities. The first of a total of five core messages is of a much more fundamental nature, however. In our increasingly digital world, “everyone has a right to secure digital identities”. Nothing more needs to be said.

 

Frequently Asked Questions about Digital Identity

In order to use an online services – such as online banking, social media, or digital administrative procedures – people need to clearly verify their identity in the digital world. To do this, they need a digital identity, which is created as soon as a user registers or identifies themself online for an application in order to be able to log in again later.

A digital identity can include personal data such as the user name and registration address or biometric data – different services use different methods to verify a person’s identity. For this reason, a physical person in the virtual world usually has multiple digital identities that meet different security requirements.

The EUDI goes back to the revision of the eIDAS Regulation. This obliges Member States to provide natural persons and legal entities with an ID wallet for identifying themselves online across borders for digital administrative services and for private sector services. The core of the wallet is the Personal ID Data (PID), a type of basic identity that will probably be created in Germany using the online ID function. In addition to the PID, however, the electronic wallet is to contain other forms of evidence as well, such as the mobile driving licence and various certificates.

As soon the eIDAS 2.0 Regulation comes into force, Member States will have two and a half years to introduce their EUDI Wallets. It is currently expected that this will be adopted in spring 2024.

In Germany, there are various ways to identify yourself digitally. The only procedures that meet all the requirements of the eIDAS Regulation for secure electronic proof of identity are based on the online ID function or eID function of the ID card, the EU citizen card, or the German electronic residence permit. The specific identification procedures are the eID service and AusweisIDent.

All too often, the three terms identification, authenticating and authentication are used interchangeably with regard to digital identities. Yet there are huge differences between these terms. Identification occurs at the beginning of a digital identity and is used when it is being created. Users unequivocally identify themselves to the service provider, such as by presenting their online ID. Authenticating, on the other hand, refers to the normal login, i.e., the process itself. A person who is already identified proves their identity through knowledge (e.g., via a password), biometric features (e.g., via a fingerprint) or possession of an online ID or proof of identity. Finally, authentication refers to the technical check, which is carried out by the service provider, who verifies whether the person is truly genuine.

Article
Article