03 May 2023 | IN-6936
Details on Germany’s new mobile eID implementation that will come under eIDAS regulation changes.
Germany's National Identity Program | NEWS
Germany is soon to expand its digital identity offerings, aligning with Europe's move towards an interoperable mobile identity system driven by the coming changes to the regulation on electronic identification and trust services (eIDAS). Germany issued a smart national identity document in 2010, and since 2017 that card has been readable via Near-Field Communication (NFC) from a smartphone. The physical credential reached 100% penetration as of late 2020, with 52 million national IDs in circulation. With full coverage of electronic identity cards in place, the German identity system is ready for further expansion of its digital offerings, which will conform with, and enable, the European Commission's goal of a single digital identity usable across Europe over a range of use cases.
2023's Coming Mobile eID | IMPACT
The upcoming mobile electronic ID (eID) will land in 2023 and enable German citizens to use their smartphone for online identification. Its advantages include:
The deployment offers privacy and security by design, with a decentralized architecture that does not depend on a central server. It provides anonymous identification: from the server's perspective the individual use cases are not visible, and the issuer does not learn when transactions take place. Additionally, the mobile eID supports selective disclosure of individual attributes, so that exactly the information a transaction requires is shared and no superfluous citizen data is released.
Security in the deployment is hardware based. The Secure Element (SE) is the first key component of the eID, storing and operating on the sensitive identity data. The second is an eID applet, issued by the national ID card manufacturer (in Germany's case, Bundesdruckerei), which allows the citizen's ID to be used on the smartphone. The third is the Trusted Service Management System (TSMS), which provisions the eID applet to the device and enforces the applet's life cycle; in this implementation the TSMS is supplied by Deutsche Telekom.
For provisioning of the ID, the user first downloads the eID application, which is being developed by Governikus. The user initializes the app, which checks the device specification, for example whether the device has NFC capability and a secure element. This initialization is carried out through a trusted service manager Software Development Kit (SDK) and only needs to be done once. Once initialized, the user's identity data is personalized: the eID card's data is read over NFC and handed to the eID server for processing, and the captured data is then stored in the applet in the SE. Because the process works this way, the citizen's ID can be duplicated onto multiple devices, such as a smartphone, smartwatch, and tablet. In use, the user initiates the transfer of information on their smartphone via the eID service, whether that is an eGovernment service or a backend connection that reads data from the secure element. For use via a digital wallet rather than directly through the eID app, the smart eID ecosystem in the app migrates, converts, and assembles the wallet form factor of the credential.
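To make the selective-disclosure and issuer-unawareness properties described above concrete, here is an added example (not code from the German eID, Governikus, or Bundesdruckerei) of a salted hash-commitment credential: the issuer signs a set of per-attribute commitments once, the holder reveals only the attributes a relying party asks for, and the relying party verifies offline without contacting the issuer. The commitment scheme and the HMAC used as a stand-in for a real issuer signature are assumptions for illustration, not the actual German design.

```python
import hashlib
import hmac
import json
import secrets

# Constructed placeholder: a real deployment uses an asymmetric issuer signature
# with a public verification key; HMAC is used here only to keep the example offline.
ISSUER_KEY = b"placeholder-issuer-key"


def _commit(name, value, salt):
    """Salted hash commitment to one attribute; the salt stops guessing of low-entropy values."""
    return hashlib.sha256(f"{salt}|{name}|{json.dumps(value)}".encode()).hexdigest()


def issue(attributes):
    """Issuer side: one commitment per attribute, one signature over the whole commitment set."""
    salts = {n: secrets.token_hex(16) for n in attributes}
    commitments = {n: _commit(n, v, salts[n]) for n, v in attributes.items()}
    payload = json.dumps(commitments, sort_keys=True).encode()
    signature = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    return {"commitments": commitments, "signature": signature,
            "salts": salts, "attributes": attributes}


def present(credential, requested):
    """Holder side: disclose only the requested attributes together with their salts."""
    disclosed = {n: (credential["attributes"][n], credential["salts"][n]) for n in requested}
    return {"commitments": credential["commitments"],
            "signature": credential["signature"], "disclosed": disclosed}


def verify(presentation):
    """Relying party: check the issuer signature over the full commitment set, then each
    disclosed value against its commitment. Returns the verified attributes, or None.
    Note: reusing one fixed commitment set makes presentations linkable across relying
    parties; real schemes address this, which is beyond this example."""
    payload = json.dumps(presentation["commitments"], sort_keys=True).encode()
    expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presentation["signature"]):
        return None
    result = {}
    for name, (value, salt) in presentation["disclosed"].items():
        if _commit(name, value, salt) != presentation["commitments"].get(name):
            return None  # disclosed value does not match what the issuer committed to
        result[name] = value
    return result
```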
Challenges for the Mobile Identity | RECOMMENDATIONS
A challenge currently faced in bringing this implementation to fruition concerns the specification of data storage within the SE. The current version of the Communication Service Provider (CSP) specification does not allow data minimization in the SE, which will need to be reconciled to realize the full vision of mobile eID. Working closely with industry and standardization bodies, GlobalPlatform for example, is a necessary step in creating a format where this is possible. Furthermore, future standardization and development are needed for a fast and steady onboarding process for the new secure components and smartphones that will arrive in the future, so that systems such as the German one can keep operating on them.
Additionally, while not a pressing issue in the German example because penetration of suitable devices is very high, the requirement for an appropriate smartphone limits mobile eID adoption in some cases. The citizen needs a smartphone with NFC technology and a secure element. While trivial in Germany, where such devices are commonplace, developing regions will have lower penetration. This becomes a factor when considering a potential deployment, and a reason to look for resolutions by other means in regions where higher-end smartphone models are less widely owned.