Personalausweis (nPA) is the German national ID card. nPA supports electronic identity verification. It can be used for online authentication, as it includes an RFID chip that can be read by:
- a card reader on a desktop computer via the AusweisApp2 desktop application
- the standalone AusweisApp2 mobile app
- integrating the Ausweisapp2 SDK into your existing mobile app.
In all cases, you can use nPA for authentication and identity verification, but the latter two require an NFC-capable mobile device.
- Personal information and a picture of the holder are visible on the card, but also stored in the card’s chip.
- Optionally, the chip can include additional information, such as the holder’s fingerprints and even an electronic signature (provided by a private company).
- Online authentication requires a PIN.
It is compulsory for everyone in Germany aged 16 or older to have an ID card or a passport. People under the age of 16 can also request the ID card, but the eID functionality will be switched off in this case. At 16, they can choose to have it switched on free of charge.
nPA can be used to verify the end-user’s identity and obtain relevant personal details about them. Specifically, the following information can be obtained during authentication if the end-user agrees to it:
- Family name
- Birth name (if applicable)
- Given name(s)
- Doctoral degree (if applicable)
- Date of birth
- Place of birth
- Document type
- Religious/ artist name (if applicable)
- Issuing country
- Residence permit
Use case for onboarding
The end-user wants to sign up for insurance with a company that offers identity verification through nPA. Provided the user already possesses the nPA card, the user will be able to sign up remotely without having to enter any personal details manually.
When a user has registered personal details with a service provider, the user can also use nPA to log in to the service provider’s website.
Use case for logging in
The end-user wants to log in to their insurance company’s website to review the conditions of their insurance policy. Their identity was already verified when they signed the insurance policy.
Use case for digital signing
Data from nPA is classified as high level of assurance (LoA). This means it can be used in Signicat Sign for Advanced Electronic Signatures (AES).
Authentication with the desktop app (AusweisApp2)
In AusweisApp2, which the user should have installed on their computer, the user will be able to see which data the service provider wants to obtain from nPA. After selecting Identify now, the user is prompted to enter their identity card in the reader and enter their PIN on the device. After this, their identity will be verified.
You have two options reading nPA via desktop, either in combination with a card reader or with an NFC-capable mobile phone. This example shows the desktop application in combination with a mobile phone:
The image-slider above shows the desktop AusweisApp2 using the mobile AusweisApp2 as a card reader (optional) instead of the USB card reader.
This option can be very practical for end-users, as it allows them to share the relevant data with the merchant without having to leave the app or use a reader. They will, however, have to use a mobile phone with NFC.
It is recommended to combine Signicat’s MobileID with the nPA card. If combined, the nPA card is only needed during onboarding. On later logons, the MobileID alone suffices.
The demo app in the video below illustrates the identity verification process. Note: In a production scenario, the app would also provide additional services to the user, e.g. banking or insurance.
For test purposes, you may download Signicat nPA Demo app from Google Play.
Integrating with Personalausweis through Signicat
Web integration with nPA is done via the same API as Signicat’s other ID methods. See Get started with authentication for more information. Through the single point of integration, you will get access to Signicat’s wide portfolio of integrated ID methods, not only nPA, but also other services like signing, identity paper verification and lookups.
This rest of this section describes how to integrate an nPA enabled mobile app with Signicat’s system using AusweisApp2 SDK.
In short, Signicat recommends the following:
- Integrate the AusweisApp2 SDK into your existing mobile app to add nPA functionality. See Signicat’s nPA demo app as an example of in-app use of nPA.
- Connect your nPA enabled app with Signicat: Set up a server to connect to Signicat’s system.
There are two integration options. The main difference between these two is how the background service is run:
- Use AusweisApp2 app publicly available in Google Play store (external variant): The background service is started by the external app, and the apps (merchant nPA app and AusweisApp2) communicate using IPC. AIDLs are provided to support that.
- Integrate AusweisApp2 SDK: SDK provides the background service. The merchant app starts it via the SDK.
Note: Signicat highly recommends the integrated SDK variant. The external variant means the user must install at least two apps. This will impact the user experience.
For details about binding to the background service, see AusweisApp2 SDK documentation.
Using the mobile app to read the nPA card, requires an NFC capable mobile device. For more information about supported mobile operating systems, see the Requirements page of AusweisApp2.
- Set up connections with Signicat, enabling OIDC and nPA communications, e.g. a certificate. For more information, see Get started with authentication.
- Ensure that your nPA enabled app communicates directly with your server only. Redirect the client app to the Signicat server when necessary.
- Let the Android background service provided by the AusweisApp2 SDK communicate with the Governikus EID server via the various commands of the SDK.
The integration flow between the merchant mobile app, Signicat and AusweisApp2 SDK is as follows:
- The merchant app sends an nPA login request to the merchant server.
- The merchant server accepts the request and redirects the merchant app to the Signicat server.
- The Signicat server queries the Governikus server for the TcToken. It also passes a callbackUrl to Governikus to be used later.
- Signicat receives the TcToken from Governikus and sends back a TcTokenUrl and some additional data like CancelUrl and merchant name to the merchant app.
- Once the app receives the TcTokenUrl, it can read the card data via NFC by using AusweisApp2 SDK via the RUN_AUTH command.
- After RUN_AUTH has been initiated, lots of messages are going back and forth. For more information about this, see the AusweisApp2 SDK documentation.
- The end-user accepts access rights, i.e. which user data the merchant is allowed to read from the card. Default attributes are configured upfront for each merchant (see Identity verification).
- The user holds the card against the mobile device, enters a PIN and the data is passed from the card via a secure channel to the Governikus server. The merchant app cannot get hold of any data at this point.
- The Governikus server notifies the Signicat server about “data available”. The Signicat server receives “data available” and confirms that it received it.
- The Governikus server responds to the merchant app with a “result available” message and a statusUrl where the information can be fetched later. From this point, the AusweisApp2 SDK has served its purpose but you need to do a few more things.
- When the merchant app requests the data via “statusUrl”, Signicat receives the request and passes it on to the merchant server.
- An OIDC flow is initiated via the merchant server and Signicat.
- The merchant server responds “Login ok” to the merchant app, optionally also providing some of the data that was initially read from the card.
You can configure which attributes nPA should return. Here is an example where all attributes are selected (in German):
Below are the responses from two test users with all attributes switched on (in English). Note: Since neither of them has an academic or an artistic title, those fields are empty.
|Attribute name||Example 1||Example 2|
|npa.date-of-birth||Wed Aug 12 00:00:00 CEST 1964||Wed Jun 17 00:00:00 CEST 1981|
|npa.date-of-expiry||Mon Apr 05 00:00:00 CEST 2027||Mon Apr 05 00:00:00 CEST 2027|
|npa.place-of-residence||D:null:51147:KÖLN:HEIDESTRASSE 17||D:null:03222:LÜBBENAU/SPREEWALD:EHM-WELK-STRAßE 33|
Signicat’s test environment preprod.signicat.com is available 24×7, and may be used during your development and test phase.
After you register with the nPA as a service provider, you will receive a client ID which will allow you to access the testing environment.
Personalausweis test card
To get Personalausweis test cards for your sales team, please send an email stating the number of cards needed and a shipping address to the following email address: firstname.lastname@example.org
This is an example test card:
List of service providers that can be accessed with nPA: https://www.ausweisapp.bund.de/en/online-identification-function/provider-list/
List of compatible card readers: https://www.ausweisapp.bund.de/en/compatible-devices/card-readers/
List of mobile phones that can read the nPA chip: https://www.ausweisapp.bund.de/en/compatible-devices/mobile-phones-and-tablets/