New identification card with RFID / NFC chip
The new electronic ID card (nPA) has been in circulation since November 1, 2010. Although many citizens have now had the new ID card for several years, not everyone is aware of the exact changes, and some view them with a certain skepticism. In this article, we take a closer look at the new features of the electronic ID card, including its security aspects. Probably the most striking change is that the new ID card now comes in a practical check card format. Less noticeable, however, is that the new ID card also contains an RFID chip with the option of electronic proof of identity (eID). Since 2017, new ID cards have been issued with the eID function already activated. So by now at the latest, you should know what is behind the eID function of the new ID card.
Functions of the new ID card
Basically, the RFID chip in the ID card stores personal data that can be read with special card readers. So the first interesting question is what data is actually on the RFID chip.
Data on the RFID chip
- Family name and first names
- Date and place of birth
- Home address
- Photograph
- Serial number
- Two fingerprints (optional)
The second exciting question is who can actually read this data and for what purpose. With the RFID chip in the new ID card, a distinction is made between sovereign and non-sovereign functions. The sovereign function is understood to be the classic purpose of an ID card, namely to be able to identify oneself at border or police checks, for example. Only police enforcement authorities, customs authorities, state tax investigation offices, and passport, ID card and registration authorities are authorized to read the data on the RFID chip with a special reader. The eID function, which allows citizens to identify themselves to third parties on the Internet using their ID card, falls under the non-sovereign function.
Electronic proof of identity (eID function)
The new ID card is intended to provide citizens with a secure way to uniquely authenticate themselves on the Internet to public authorities, online stores or online service providers.
- Identity verification: Citizens can use their new ID card to clearly prove their identity on the Internet as well, enabling them to open a bank account online, for example.
- Age verification: The eID function can be used to tell an Internet service provider whether a customer is of the required age, for example, to rent a movie from an online video store from the age of 18.
- Form function: With the new ID card, applications to the Bürgeramt can also be submitted online, as the data entered can be verified with the eID function.
- Login: As an alternative to a variety of user names and passwords, users can also simply use the eID function to log in to online stores, for example.
- Anonymous login: With the eID function, users can log in to various service providers under a pseudonym. In this way, no personal data is transmitted and users' surfing behavior is less easily tracked.
What is needed to use the eID function?
The new draft law exists mainly because the eID function has so far been used by only a very small proportion of the German population. However, it is questionable whether the draft law will actually encourage use, since a frequent criticism is that using the eID function is simply too cumbersome. Obviously, an ID card with the online function activated is required. Those who activated the function when applying for their ID card were able to choose a 6-digit PIN themselves when picking it up. Once the new law takes effect, the online function will be enabled by default. In addition, secure software is required for the authentication processes on the Internet; for this purpose, the Federal Office for Information Security (BSI) has developed the so-called AusweisApp. Last but not least, a card reader that is compatible with the new ID card is required.
How does authentication work on the Internet?
Electronic proof of identity is based on mutual authentication, so that both provider and user are on the safe side.
- Authentication of the provider: The Federal Office of Administration determines the authenticity of a provider and issues it an authorization certificate. Such a certificate entitles a provider to request data from a user in the first place.
- Authentication of the user: The authorization certificate is sent to the user. The user then places the ID card on the card reader, and the ID card app reads the required data from the RFID chip of the ID card. The user is shown which data will be transmitted to the provider. Only after the user enters the PIN does the ID card app establish a secure connection to an eID server, and the data is transmitted in encrypted form. The PIN is verified by the Password Authenticated Connection Establishment (PACE) security protocol.
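To make the PACE step concrete, here is an added Python sketch of the shape of a PACE run (generic mapping variant); it is not code from the article, the BSI or the AusweisApp. It assumes a toy multiplicative group instead of the nPA's real domain parameters, XOR instead of AES for masking the nonce, and the names Party, kdf and run_pace are this example's own. Its point is that chip and terminal only arrive at the same session key, and therefore accept each other's authentication token, when the PIN entered at the terminal matches the PIN stored on the chip.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for this example: NOT the domain parameters the nPA uses.
P = 2**127 - 1
G = 3


def kdf(material: bytes, counter: int) -> bytes:
    # SHA-256(material || counter), standing in for the PACE key derivation.
    return hashlib.sha256(material + counter.to_bytes(4, "big")).digest()


class Party:
    # One side of the exchange: the chip, or the terminal running the AusweisApp.
    def __init__(self, pin: str):
        self.k_pi = int.from_bytes(kdf(pin.encode(), 3), "big")  # PIN-bound key
        self.x1 = secrets.randbelow(P - 2) + 1   # ephemeral secret for the mapping
        self.x2 = secrets.randbelow(P - 2) + 1   # ephemeral secret for key agreement
        self.pub1 = pow(G, self.x1, P)

    def map_generator(self, nonce: int, peer_pub1: int) -> None:
        # Generic mapping: g' = g^s * h, with h the shared secret of the first DH.
        h = pow(peer_pub1, self.x1, P)
        self.g_mapped = (pow(G, nonce, P) * h) % P
        self.pub2 = pow(self.g_mapped, self.x2, P)

    def derive_keys(self, peer_pub2: int) -> None:
        shared = pow(peer_pub2, self.x2, P).to_bytes(16, "big")
        self.k_mac = kdf(shared, 2)              # K_enc would be kdf(shared, 1)
        self.peer_pub2 = peer_pub2

    def token(self) -> bytes:
        # Authentication token: MAC over the peer's mapped public key.
        return hmac.new(self.k_mac, self.peer_pub2.to_bytes(16, "big"), "sha256").digest()

    def verify(self, peer_token: bytes) -> bool:
        expected = hmac.new(self.k_mac, self.pub2.to_bytes(16, "big"), "sha256").digest()
        return hmac.compare_digest(expected, peer_token)


def run_pace(card_pin: str, entered_pin: str) -> bool:
    # Return True only if chip and terminal end up with the same session key.
    card, terminal = Party(card_pin), Party(entered_pin)
    s = secrets.randbelow(P - 2) + 1
    z = s ^ card.k_pi               # chip sends the nonce masked with its PIN key
    s_terminal = z ^ terminal.k_pi  # unmasks correctly only with the same PIN
    card.map_generator(s, terminal.pub1)
    terminal.map_generator(s_terminal, card.pub1)
    card.derive_keys(terminal.pub2)
    terminal.derive_keys(card.pub2)
    return card.verify(terminal.token()) and terminal.verify(card.token())
```

The real chip additionally enforces a PIN retry counter, which this sketch does not model.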
How secure is the new ID card?
As practical as the eID function sounds, many people also ask about the security of the new ID card. For example, can criminals use the data on the RFID chip in our ID cards to impersonate us on the Internet? This would mean that criminals could open a bank account on the Internet in our name or place an order in an online store. To use the ID card app, and thus the eID function, a card reader is required, as described above. Basic readers without a keypad in particular pose a security risk, because the PIN entry on the PC can be intercepted via a relay attack. It is therefore much safer to invest in a certified reader with its own keypad. In reality, however, the basic reader is often preferred, because at around 50 € it is significantly cheaper than a certified one at up to 150 €. The prices also show that citizens have little incentive to use the eID function if they first have to invest around 150 euros in a certified reader.
Another security risk is that the ID card app is now also available as a mobile version. Theoretically, people with criminal intentions could install this app on their cell phone and then try to access the RFID chip in the new ID card with their smartphone as they pass by. However, in order to actually use the eID function on our behalf, a criminal would still have to guess our self-chosen 6-digit PIN. Without this PIN, there is no access. It is therefore advisable not to choose PINs that are too simple, such as 123456 or your own date of birth.
Protect new ID card from being read
If you want to be on the safe side, you can also store your ID card in an NFC protective cover with an NFC-shielding aluminum layer. With such a protective cover, the chip in the ID card can no longer communicate with a criminal's smartphone, even if the PIN is known. NFC protective covers are not only useful for the new ID card, but also for all other cards with an RFID or NFC chip. For example, an NFC protective cover can also be used to protect NFC credit cards from unauthorized reading. In the video we demonstrate that the same effect can in principle also be achieved with ordinary aluminum foil.