# Personalausweis

Personalausweis (nPA) is the German national ID card. nPA supports electronic identity verification. It can be used for online authentication, as it includes an RFID chip that can be read by:

In all cases, you can use nPA for authentication and identity verification, but the latter two require an NFC-capable mobile device.

Governikus GK (opens new window) delivers AusweisApp2. The service supplier of the Governikus infrastructure is Bundesdruckerei (BDR) (opens new window).

# Key features

nPA can be used to verify the end-user’s identity and obtain relevant personal details about them.

Key features are:

  • Personal information and a picture of the holder are visible on the card, but also stored in the card’s chip.
  • Optionally, the chip can include additional information, such as the holder’s fingerprints and even an electronic signature (provided by a private company).
  • Online authentication requires a PIN.

It is compulsory for everyone in Germany aged 16 or older to have an ID card or a passport. People under the age of 16 can also request the ID card, but the eID functionality will be switched off in this case. At 16, they can choose to have it switched on free of charge.

click-to-zoom

The following information can be obtained during authentication if the end-user agrees to it:

  • Family name
  • Birth name (if applicable)
  • Given name(s)
  • Doctoral degree (if applicable)
  • Date of birth
  • Place of birth
  • Address
  • Document type
  • Nationality
  • Religious/ artist name (if applicable)
  • Issuing country
  • Residence permit

# Authentication

# Onboarding use case

The end-user wants to sign up for insurance with a company that offers identity verification through nPA. Provided the user already possesses the nPA card, the user will be able to sign up remotely without having to enter any personal details manually.

When a user has registered personal details with a service provider, the user can use nPA to revisit and log into their website.

# Login use case

The end-user wants to log in to their insurance company’s website to review the conditions of their insurance policy. Their identity was already verified when they signed the insurance policy.

# Example authentication with the desktop app (AusweisApp2)

In AusweisApp2, which the user should have installed on their computer, the user will be able to see which data the service provider wants to obtain from nPA. After selecting Identify now, the user is prompted to enter their identity card in the reader and enter their PIN on the device. After this, their identity will be verified.

You have two options reading nPA via desktop, either in combination with a card reader or with an NFC-capable mobile phone. This example shows the desktop application in combination with a mobile phone:

Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide

The image-slider above shows the desktop AusweisApp2 using the mobile AusweisApp2 as a card reader (optional) instead of the USB card reader.

# Signing

Data from nPA is classified as high level of assurance (LoA). This means it can be used in Signicat Sign for Advanced Electronic Signatures (AES).

# Integrating with Personalausweis through Signicat

Web integration with nPA is done via the same API as Signicat's other ID methods. See Getting started with authentication for more information. Through the single point of integration, merchants get access to Signicat's wide portfolio of integrated ID methods, as well as other services like identity verification.

This rest of this section describes how to integrate an nPA enabled mobile app with Signicat's system using AusweisApp2 SDK (opens new window).

# Implementation overview

In short, Signicat recommends the following:

  • Integrate the AusweisApp2 SDK into your existing mobile app to add nPA functionality.
  • Connect your nPA enabled app with Signicat: Set up a server to connect to Signicat's system.

# Integration options

There are two integration options. The main difference between these two is how the background service is run:

  • Use AusweisApp2 (opens new window) app publicly available in Google Play store (external variant): The background service is started by the external app, and the apps (merchant nPA app and AusweisApp2) communicate using IPC. AIDLs are provided to support that.
  • Integrate AusweisApp2 SDK (opens new window): SDK provides the background service. The merchant app starts it via the SDK.

Important

Signicat highly recommends the integrated SDK variant. The external variant means the user must install at least two apps. This will impact the user experience.

For details about binding to the background service, see AusweisApp2 SDK documentation (opens new window).

# NFC notes

Using the mobile app to read the nPA card, requires an NFC capable mobile device. For more information about supported mobile operating systems, see the Requirements (opens new window) page of AusweisApp2.

# Guideline for connecting your nPA enabled app with Signicat

Prerequisites:

  • Set up connections with Signicat, enabling OIDC and nPA communications, e.g. a certificate. For more information, see Getting started with authentication.
  • Ensure that your nPA enabled app communicates directly with your server only. Redirect the client app to the Signicat server when necessary.
  • Let the Android background service provided by the AusweisApp2 SDK communicate with the Governikus EID server via the various commands of the SDK.

The integration flow between the merchant mobile app, Signicat and AusweisApp2 SDK is as follows:

  1. The merchant app sends an nPA login request to the merchant server.
  2. The merchant server accepts the request and redirects the merchant app to the Signicat server.
  3. The Signicat server queries the Governikus server for the TcToken. It also passes a callbackUrl to Governikus to be used later.
  4. Signicat receives the TcToken from Governikus and sends back a TcTokenUrl and some additional data like CancelUrl and merchant name to the merchant app.
  5. Once the app receives the TcTokenUrl, it can read the card data via NFC by using AusweisApp2 SDK via the RUN_AUTH command.
  6. After RUN_AUTH has been initiated, lots of messages are going back and forth. For more information about this, see the AusweisApp2 SDK documentation (opens new window).
  7. The end-user accepts access rights, i.e. which user data the merchant is allowed to read from the card. Default attributes are configured upfront for each merchant (see Personalausweis attributes below).
  8. The user holds the card against the mobile device, enters a PIN and the data is passed from the card via a secure channel to the Governikus server. The merchant app cannot get hold of any data at this point.
  9. The Governikus server notifies the Signicat server about “data available”. The Signicat server receives “data available” and confirms that it received it.
  10. The Governikus server responds to the merchant app with a “result available” message and a statusUrl where the information can be fetched later. From this point, the AusweisApp2 SDK has served its purpose but you need to do a few more things.
  11. When the merchant app requests the data via “statusUrl”, Signicat receives the request and passes it on to the merchant server.
  12. An OIDC flow is initiated via the merchant server and Signicat.
  13. The merchant server responds “Login ok” to the merchant app, optionally also providing some of the data that was initially read from the card.

This figure illustrates the integration flow:

click-to-zoom

# Personalausweis attributes

You can configure which attributes nPA should return. Here is an example where all attributes are selected (in German):

click-to-zoom

# Response examples

Below are the responses from two test users with all attributes switched on (in English). Since neither of the test users has an academic or an artistic title, those fields are empty.

Attribute name Example 1 Example 2*
npa.birth-name Gabler
npa.given-names Erika André
npa.family-names Mustermann Mustermann
npa.date-of-birth Wed Aug 12 00:00:00 CEST 1964 Wed Jun 17 00:00:00 CEST 1981
npa.artistic-name
npa.academic-title
npa.date-of-expiry Mon Apr 05 00:00:00 CEST 2027 Mon Apr 05 00:00:00 CEST 2027
npa.document-type ID AR
npa.document-validity Valid Valid
npa.issuing-state D D
npa.nationality DEU AZE
npa.place-of-birth BERLIN FRANKFURT (ODER)
npa.place-of-residence D:null:51147:KÖLN:HEIDESTRASSE 17 D:null:03222:LÜBBENAU/SPREEWALD:EHM-WELK-STRAßE 33
npa.residence-permit ERWERBSTÄTIGKEIT/BESCHÄFTIGUNG GESTATTET

# Test information

Signicat's test environment preprod.signicat.com is available 24×7, and may be used during your development and test phase.

After you register with the nPA as a service provider, you will receive a client ID which will allow you to access the testing environment.

# Personalausweis test card

To get Personalausweis test cards for your sales team, send an email stating the number of cards needed and a shipping address to the following email address: dif-eid@bsi.bund.de

This is an example test card:

click-to-zoom

# Other sources

List of service providers that can be accessed with nPA (opens new window)

List of compatible card readers (opens new window)

List of mobile phones that can read the nPA chip (opens new window)

Last updated: 3/17/2021, 8:19:29 AM