Austria Authentication Methods - RUB-NDS/FutureTrust GitHub Wiki

The Austrian eID system is a voluntary system that is defined technology neutral and that does not mandate a particular issuer of eID credentials. The system is based on three high-level requirements that are (1) the eID means has to be capable of creating qualified electronic signatures, (2) the eID means has to store so-called the identity link (described in Austria Overview, and (3) the eID means has to be capable of storing mandate and representation data for “authentication on behalf” scenarios. The third requirement, however, is meanwhile obsolete, as the authority to authenticate on behalf of another (natural or legal) person is queried on the fly from online authoritative sources (e.g. a mandate register or the company register).

From its introduction in 2005 and based on these high-level requirements a number of Austrian eID means emerged, either issued by the public sector and the private sector. As it is a voluntary system, the most successful eID means for citizens were those where citizens already possessed the credentials and just needed to activate these as eID, like a mobile phone, the health insurance card, or bank cards. For professions like lawyers, notaries, pharmacists, civil engineers, or public servants’ specific profession cards have been issued.

The main eID means and its date of introduction are listed below, sorted by numbers of active credentials. Note that a few important eID credentials meanwhile ceased are listed as well:

• Mobile ID “Handy-Signatur”, which launched in 2009, reached 800 thousand active eIDs (April 2017). It is based on remote qualified electronic signatures, i.e. the signature-creation data are managed as QSCD in a hardware security module (HSM) by a qualified trust service provider on behalf of the signatory. It is a two-factor authentication system with username/password as “knowledge” and the citizen’s mobile phone as “possession” (an app cryptographically linked to the HSM for smartphones, or SMS one-time passwords). The mobile ID is free of charge for citizens.
• Profession cards were issued from 2006 onwards (depending on the profession) and amount to about 80 thousand active eIDs. It is a smartcard QSCD, which often serves as a photo ID. For some professional representatives (lawyers, notaries, civil engineers, officials authorized to represent citizens) specific object identifiers in the qualified signature certificate indicate the holder’s professional capacity.
• The health insurance card is a smartcard QSCD issued to each Austrian citizen and replaced previously paper-based health insurance certificates. From 2005 onwards it can be activated as eID. The number of active eIDs raised to about 80 thousand in 2014, but with the success of the mobile eID “Handy-Signatur” the number decreased to about 40 thousand active eIDs (April 2017). The activation of the health insurance card as eID is free of charge for the citizen.
• Bank cards and credits cards could be activated as eID since 2005. The number of active eIDs increased to about 50 thousand, but since 2010 banks started to cease the service. A reason might be that it was charged an activation fee and an annual fee, whereas the other eIDs that are free of charge for citizens (mobile ID or health insurance card) provide the same functionality.
• Mobile eID “A1 Signatur”: The first mobile ID in Austria was launched in 2005 by the mobile network operator A1. Technically it was similar to the mobile ID “Handy-Signatur” described above. Though these days the service was not as successful and ceased in 2008. The Austrian eID can be used in about 300 public sector and private sector services. The main ones are tax online, social security services, or the electronic health records. Private sector services include Internet banking or electronic delivery. Services of the public sector (e.g., Tax Authority, Citizen Portal) are also managing username/password solutions as fallback mechanisms in case the user does not use a mobile eID or “Bürgerkarte”.