Skip to content
Tech News
← Back to articles

German implementation of eIDAS will require an Apple/Google account to function

2026-04-04 | original
read original get eIDAS Digital Identity Kit → more articles
Why This Matters

Germany's implementation of the eIDAS regulation will require users to have an Apple or Google account to access certain digital identification services, raising concerns about dependency on major tech platforms and potential privacy implications. This integration underscores the increasing reliance on large tech ecosystems for secure digital identity management, impacting both industry standards and consumer privacy rights.

Key Takeaways

Mobile Device Vulnerability Management Concept¶

The Wallet Unit provides for authentication means which can be bound to multiple identification means, such as the PID, via a public/private key pair, see cryptography.

When issuing the PID, the WB confirms to the PP (via OpenID4VCI Key Attestation) that the keys to which a PID is to be bound are controlled by an authentication means(../05-cryptography.md) that meets certain security requirements with regard to resistance against attackers with a certain attack potential (see ISO/IEC 18045).

Furthermore, in the context of performing electronic identification at assurance level high, such as the PID, it is required that authentication of wallet users is done in accordance with, the requirements for the characteristics and design of electronic identification means at assurance level high, as set out in Implementing Regulation (EU) 2015/1502 (see CIR 2024/2979 Article 5 1. b/g).

Therefore, the authentication means provides two important assurances:

The authentication means protects against duplication and tampering attacks to the key store by attackers with high attack potential. Thus, the PP can be sure that it's issued credentials that are bound to the keys of the authentication mean cannot be duplicated by an attacker with high attack potential and thus the identification means itself cannot be duplicated in their entirety (see CIR 2015/1502 Annex 2.2.1). The authentication means protects against attacks on the user’s authentication mechanism by attackers with high attack potential. Thus, the PP can be sure that it's issued credentials that are bound to the keys of the authentication mean cannot be misused by an attacker with high attack potential, e.g. for single presentations of a credential (see CIR 2015/1502 Annex 2.3.1).

The first assurance can be achieved by creating and processing the relevant keys in an RWSCD implemented as an HSM that has been appropriately evaluated and certified. This assurance can therefore be achieved independently of the user device.

The second assurance concerns the authentication mechanism of the user towards the relying party when presenting the credential. This includes two-factor authentication of the user towards the RWSCA. The security of the user authentication mechanism and the authentication factors depend on the security of the user device. The solution comprises a possession factor secured by the HKS of the mobile device and a knowledge factor entered via the mobile device.

The security of the possession factor depends on the existence of exploitable vulnerabilities in the HKS of the mobile device that allow the key to be extracted or misused.

The security of the knowledge factor, depends on the existence of exploitable vulnerabilities in the wallet instance and/or the operating system of the mobile device.

... continue reading

Explore topics: eidas apple/google account pid cryptography openid4vci
Related:
Marvel Might Have Finally Dealt With One of the Most Hated ‘Spider-Man’ Characters Around
Quantum computers might crack today's encryption far sooner than we thought
You're still signing data structures the wrong way
Pincer movement: fossil pushes origins of chelicerate arthropods back to the Cambrian period
Quantum computers need vastly fewer resources than thought to break vital encryption

© 2026 GoKawiil

About | Editorial Policy | Contact