How does SkIDentity work?
An authentication process via SkIDentity comprises the following five steps:
(1) In the first step, the User creates a user account on the first visit of some Online Service or accesses a protected resource therein. Since an authentication and, if necessary, identification of the User must take place for this purpose, the User is, in the next step, redirected to the SkIDentity Service.
(2) In this step, the User is redirected to the SkIDentity Service at which a corresponding authentication request is initiated.
(3) The SkIDentity Service provides the User, if necessary, with a choice of the permissible identity documents or alternative authentication tokens and performs the authentication. The technical details in this step are dependent on the selected authentication means.
(4) After the User has been authenticated by the SkIDentity Service and a pseudonym and/or identity attributes of the User have been determined, the SkIDentity Service returns the result of the authentication procedure in a secure manner to the respective Online Service.
(5) After the Online Service has verified the integrity and authenticity of the message that has been retained by the SkIDentity Service, the Online Service grants access to the requested resource or creates a corresponding account for the User.
What is a „Cloud Identity“?
A "Cloud Identity" is a cryptographically secured electronic identity, which has been derived from an electronic identity document (eID). Such a "Cloud Identity" can, for example, be created by means of an electronic identification procedure with the new German eID (Personalausweis) (1), transmitted to any smartphone at the user's request (2) and can be used afterwards for pseudonymous authentication or mobile identification (3).
How secure is SkIDentity?
There are guidelines and international standards and regulations for the security and trustworthiness of electronic identities. For example, in the eIDAS regulation on electronic identification and trust services for electronic transactions in the Single European Market, the designated assurance levels are "low", "substantial" and "high". While procedures based on username and password correspond to the level "low", and national identity cards, such as the German electronic ID card (Personalausweis), usually meet the security level "high", the security of a "Cloud Identity" derived from an ID document and stored on a mobile phone fulfils, with appropriate security measures implemented, the requirements of the assurance level "substantial". The security of the SkIDentity Service was verified by independent auditors and confirmed by the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) in the certification process BSI-IGZ-0250-2016 according to ISO 27001 based on IT-Baseline Protection.
Where is my data stored?
With the SkIDentity Service, cryptographically protected "cloud identities" can be derived from electronic ID documents, stored on the system of the user and, if desired, transferred to any smartphone. It is important that the personal data of the users is not stored in the central SkIDentity infrastructure, but exclusively in encrypted form on the decentral system of the User.