Online-Ausweis (eID)

Last updated: 2/9/2026

Reading time: 4 min

Online-Ausweis

national

Full Name: Online-Ausweis (eID)

Country: DE

Definition

The Online-Ausweis (literally "online ID card") is the electronic identity (eID) function embedded in every German Personalausweis (national identity card) and electronic residence permit issued since November 2010. It enables citizens to authenticate their identity online using the contactless NFC chip in their ID card, combined with a personal 6-digit PIN. With over 15 years of operational experience and infrastructure maturity, the Online-Ausweis system provides the technological and institutional foundation for Germany's EUDI Wallet implementation through the AusweisApp, which is being extended to become the country's designated EUDI Wallet for eIDAS 2.0 compliance.

Technical Architecture: PACE and EAC Protocols

The Online-Ausweis function uses sophisticated cryptographic protocols developed by the German Federal Office for Information Security (BSI). The PACE (Password Authenticated Connection Establishment) protocol establishes a secure channel between the eID card chip and the reader device (smartphone or dedicated reader). The user's PIN serves as the shared secret for PACE, preventing unauthorized NFC access to the card's data.

Extended Access Control (EAC) implements a two-layer authorization system. Terminal Authentication verifies that the requesting service provider holds a valid terminal certificate issued by the Bundesdruckerei (the German government printing office) or an authorized certificate authority. This ensures that only legitimately registered service providers can access eID data, and the certificate specifies exactly which data fields the service provider is authorized to read.

Chip Authentication proves that the eID card is genuine and has not been cloned. The card performs a Diffie-Hellman key agreement using its chip-specific private key (which is stored in tamper-proof hardware and cannot be extracted). This provides hardware-level assurance that the physical card is present -- a capability that directly maps to the key attestation requirements of EUDI Wallets.

The eID server infrastructure, operated by authorized identity providers, mediates the authentication process between the service provider and the card. It validates the terminal certificate chain, coordinates the PACE and EAC protocols, and returns only the authorized data fields to the service provider. This server-mediated model provides centralized logging and compliance monitoring.

Privacy-Preserving Design

The Online-Ausweis system was designed with strong privacy protections that anticipated many EUDI Wallet requirements by over a decade. The terminal certificate model implements least privilege for data access -- each service provider's certificate explicitly lists which data fields it can access. A bank performing KYC might have access to name, address, and date of birth, while an age verification service only has access to an age-over confirmation.

The system supports pseudonymous authentication through restricted identification. Each combination of service provider and eID card generates a unique, sector-specific pseudonym. The service provider receives a consistent identifier for the same user across sessions but cannot link the user's identity across different service providers. This is an early implementation of the unlinkability property that eIDAS 2.0 requires for EUDI Wallets.

Age verification is particularly privacy-preserving: the service provider can request only a yes/no answer to "is the user over 18?" without learning the actual date of birth, name, or any other identity data. This selective disclosure capability maps directly to the selective disclosure features of SD-JWT and mDoc credentials in the EUDI Wallet ecosystem.
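The three privacy mechanisms above (certificate-bound field authorization, the yes/no age-over answer, and sector-specific pseudonyms) can be modelled in a few lines. The following is an added example, not code from the AusweisApp or any eID server; the card data, the `TerminalCertificate` class and the "today" date are constructed, and the HMAC-based `restricted_id` is a stand-in for the ECDH-based Restricted Identification the real chip computes.

```python
import hashlib
import hmac
from datetime import date

# Constructed sample card data, as the card would release it after PACE/EAC.
CARD = {
    "given_names": "ERIKA",
    "family_name": "MUSTERMANN",
    "address": "HEIDESTRASSE 17, 51147 KOELN",
    "date_of_birth": date(1964, 8, 12),
}
# Constructed stand-in for the card's Restricted Identification key material.
CARD_RI_SECRET = hashlib.sha256(b"constructed-card-secret").digest()
TODAY = date(2026, 2, 9)  # constructed "now" so results are reproducible

class TerminalCertificate:
    """Authorizations granted to one service provider (simplified model of
    the certificate's authorization template, not the real CHAT encoding)."""
    def __init__(self, sector_id, fields, age_verification=False):
        self.sector_id = sector_id          # identifies the provider's sector
        self.fields = frozenset(fields)     # data fields it may read
        self.age_verification = age_verification

def _birthday_in(dob, year):
    try:
        return dob.replace(year=year)
    except ValueError:                      # 29 Feb in a non-leap year
        return date(year, 3, 1)

def age_over(dob, years, today):
    """Yes/no answer only; the date of birth itself is never returned."""
    return _birthday_in(dob, dob.year + years) <= today

def restricted_id(card_secret, sector_id):
    """Sector-specific pseudonym: stable per (card, sector), unlinkable across
    sectors. The real card derives it on-chip from an ECDH shared secret."""
    return hmac.new(card_secret, sector_id.encode(), hashlib.sha256).hexdigest()

def eid_server_response(card, card_secret, cert, requested, today, consented=None):
    """Release only what the certificate authorizes, the provider requested
    and the user consented to (the AusweisApp lets the user deselect fields)."""
    consented = set(requested if consented is None else consented)
    wanted = set(requested) & consented
    response = {f: card[f] for f in wanted & cert.fields}  # least privilege
    if "age_over_18" in wanted and cert.age_verification:
        response["age_over_18"] = age_over(card["date_of_birth"], 18, today)
    if "restricted_id" in wanted:
        response["restricted_id"] = restricted_id(card_secret, cert.sector_id)
    return response
```

A certificate with no readable fields but the age-verification function yields a response containing only the boolean, which is the age-check case described above.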

From Online-Ausweis to EUDI Wallet

Germany's EUDI Wallet strategy builds on the existing AusweisApp and Online-Ausweis infrastructure rather than starting from scratch. The AusweisApp2 already provides the NFC card reading, PACE/EAC protocol implementation, and secure communication capabilities needed for wallet activation and LoA High identity proofing.

The upgrade to EUDI Wallet compliance requires adding support for standardized credential formats (SD-JWT and mDoc), implementing the OpenID4VCI and OpenID4VP protocols for cross-border interoperability, and transitioning from the current server-mediated model to a more decentralized credential-based architecture where the wallet stores and presents credentials independently.

One of the key challenges for Germany's transition is adoption. Despite the Online-Ausweis being available since 2010, actual usage has been relatively low compared to Poland's mObywatel or Belgium's itsme. This is partly because the original system required a separate card reader device (before smartphone NFC became available) and partly due to limited service provider adoption. The EUDI Wallet transition, combined with mandatory acceptance requirements, is expected to significantly boost adoption by making the eID function genuinely useful for everyday interactions.

Germany's 15+ years of operational experience with eID infrastructure, security protocols, and privacy-preserving design provide invaluable institutional knowledge that benefits the entire EU EUDI Wallet program. The BSI's technical recommendations and security certifications for the German eID system have directly influenced the EUDI Wallet Architecture Reference Framework's security requirements.
