link

# Personalausweis

# About Personalausweis

Personalausweis is the German national ID card. It can be used for online authentication, as it includes an RFID chip that can be read by:

In all cases, you can use Personalausweis for authentication and identity proofing, but the latter two require an NFC-capable mobile device.

Governikus GK (opens new window) delivers AusweisApp2. The service supplier of the Governikus infrastructure is Bundesdruckerei (BDR) (opens new window).

# Key features

Personalausweis can be used to verify the end-user’s identity and obtain relevant personal details about them.

Key features are:

  • Personal information and a picture of the holder are visible on the card, but also stored in the card’s chip.
  • Optionally, the chip can include additional information, such as the holder’s fingerprints and even an electronic signature (provided by a private company).
  • Online authentication requires a PIN.

It is compulsory for everyone in Germany aged 16 or older to have an ID card or a passport. People under the age of 16 can also request the ID card, but the eID functionality will be switched off in this case. At 16, they can choose to have it switched on free of charge.

click-to-zoom

The following information can be obtained during authentication if the end-user agrees to it:

  • Family name
  • Birth name (if applicable)
  • Given name(s)
  • Doctoral degree (if applicable)
  • Date of birth
  • Place of birth
  • Address
  • Document type
  • Nationality
  • Religious/ artist name (if applicable)
  • Issuing country
  • Residence permit

See also Personalausweis attributes.

# Use cases

Personalausweis can be used for digital onboarding of new users, authentication of recurring users and also as part of the sign flow to be able to sign documents electronically:

Onboarding a new customer:

The end-user wants to sign up for insurance with a company that offers identity proofing through Personalausweis. Provided the end-user already possesses the Personalausweis card, they will be able to sign up remotely without having to enter any personal details manually.

Authenticating a recurring customer:

The end-user wants to log in to their insurance company’s website to review the conditions of their insurance policy. Their identity was already verified when they signed the insurance policy.

Authenticating during signing:

The end-user is asked to sign the insurance policy documents and uses Personalausweis to identify themselves as part of the electronic signing flow.

Technically, you use the same service in these use cases. However, you should consider how you set the ID method up in each user flow, since onboarding a new customer is a one-time occurrence, while authentication is a repetitive action for the customer.

# Authentication

Before the end-user can authenticate using the Personalausweis ID card, they must install AusweisApp2 on their device (computer or a mobile). They must also have the Personalausweis card reader at hand or alternatively an NFC-capable mobile device to read the card.

The authentication flow consists of the following main steps (for both mobile and computer):

  1. The end-user is informed that they must have AusweisApp2 installed on their device. If this is not installed, they are instructed to download the app (see Download AusweisApp2).
  2. The end-user selects the Start AusweisApp2 button on their device.
  3. AusweisApp2 displays the available Personalausweis attributes (you can configure which attributes should be displayed).
  4. The end-user selects the Proceed to PIN entry button.
  5. The end-user can now either use the card in combination with a card reader or an NFC-capable mobile phone.
  6. The end-user is prompted to enter their 6-digit PIN-code on the card-reader or mobile phone.
  7. Once verified, the end-user is redirected to your defined target page.

See below for image sliders of the computer and mobile flows.

# Authenticate with AusweisApp2 on a computer

The end-user has two options reading the Personalausweis card via a computer, either in combination with a USB card reader or with an NFC-capable mobile phone. This example shows the desktop application in combination with a card reader:

Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide

# Authenticate with AusweisApp2 on a mobile

This example shows how to identify with Personalausweis on a mobile:

Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide
Slideshow slide

Notes:

  • In the mobile flow, the end-user places the ID card behind the mobile phone (instead of into the Personalausweis card reader).
  • The second information screen ("We tried to launch your AusweisApp2") disappears automatically after a couple of seconds if AusweisApp2 is already installed. If not, this screen stays until the end-user selects the download button.

# Download AusweisApp2

If AusweisApp2 is not installed, the end-user is instructed to download the app.

From a computer, the download button goes to the Ausweisapp2 download page (opens new window).

click-to-zoom

From a mobile device, the end-user is directed to either the Google Play or App Store page.

click-to-zoom

The link at the bottom, "I'm on a computer/mobile device", is displayed in case the system misinterprets the device type. If so, the end-user can follow the link to the correct device screen.

# Signing

With Signicat's electronic signature solution, the end-user can use Personalausweis as part of the signing flow, e.g. to sign the insurance policy documents with Personalausweis.

Data from Personalausweis is classified as high level of assurance (LoA). This means it can be used with Signicat's electronic signature solution for Advanced Electronic Signatures (AES).

# Integrating with the Personalausweis through Signicat

Web integration with Personalausweis is done via the same API as Signicat's other ID methods. See Getting started with authentication for more information. Through the single point of integration, merchants get access to Signicat's wide portfolio of integrated ID methods, as well as other services like identity proofing.

# Personalausweis attributes

You can configure which attributes Personalausweis should return. Here is an example where all attributes are selected (in German):

click-to-zoom

# Response examples

Below are the responses from two test users with all attributes switched on (in English). Since neither of the test users has an academic or an artistic title, those fields are empty.

Attribute name Example 1 Example 2
npa.birth-name Gabler
npa.given-names Erika André
npa.family-names Mustermann Mustermann
npa.date-of-birth Wed Aug 12 00:00:00 CEST 1964 Wed Jun 17 00:00:00 CEST 1981
npa.artistic-name
npa.academic-title
npa.date-of-expiry Mon Apr 05 00:00:00 CEST 2027 Mon Apr 05 00:00:00 CEST 2027
npa.document-type ID AR
npa.document-validity Valid Valid
npa.issuing-state D D
npa.nationality DEU AZE
npa.place-of-birth BERLIN FRANKFURT (ODER)
npa.place-of-residence D:null:51147:KÖLN:HEIDESTRASSE 17 D:null:03222:LÜBBENAU/SPREEWALD:EHM-WELK-STRAßE 33
npa.residence-permit ERWERBSTÄTIGKEIT/BESCHÄFTIGUNG GESTATTET

For a code example that includes a defined scope, see the OIDC response examples page.

# Test information

Signicat's test environment preprod.signicat.com is available 24×7 and may be used during your development and test phase.

After you register with Personalausweis as a service provider, you will receive a client ID which will allow you to access the testing environment.

# Personalausweis test card

To get Personalausweis test cards for your sales team, send an email stating the number of cards needed and a shipping address to the following email address: dif-eid@bsi.bund.de

This is an example test card:

click-to-zoom

# Other sources

Last updated: 20/04/2022 08:54 UTC