Quality of Authentication (QoA)
The QoA concept defines the various QoA classes and how authentication methods are classified into them. Each authentication method (credentials with or without a second factor) corresponds to exactly one defined QoA class. Specifying the corresponding QoA class in the SAML/OIDC federation protocol brings the following advantages:
- A business application does not have to worry about the complex configuration of the various authentication methods.
- It only has to be decided which QoA class is desired or required for the business application to be integrated. By specifying the corresponding QoA class in the federation protocol, it is automatically ensured that the user is offered all permitted authentication methods that at least correspond to this QoA class.
- New authentication methods, which are included in the QoA concept, are thus automatically available without having to adapt the application.
- The introduction of new authentication methods thus becomes transparent for the business application.
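The "at least this QoA class" negotiation described above, as an added example that is not eIAM's own code: the SP asks for a minimum class with SAML's standard Comparison="minimum", and on the way back checks that the AuthnContextClassRef the IdP returned is a known QoA class at or above the requested one, failing closed on anything else. The QoA URN prefix is an assumed placeholder; eIAM's real identifiers come from its SAML/OIDC QoA specification.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
QOA_PREFIX = "urn:example:qoa:"      # assumed placeholder, not eIAM's real URN
QOA_CLASSES = (20, 30, 40, 50, 60)   # QoA classes named on this page

def requested_authn_context(min_qoa: int) -> str:
    """RequestedAuthnContext an SP puts into its AuthnRequest to ask for
    'at least' a QoA class; Comparison="minimum" is standard SAML 2.0."""
    if min_qoa not in QOA_CLASSES:
        raise ValueError(f"unknown QoA class {min_qoa}")
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    rac = ET.Element(f"{{{NS['samlp']}}}RequestedAuthnContext", Comparison="minimum")
    ref = ET.SubElement(rac, f"{{{NS['saml']}}}AuthnContextClassRef")
    ref.text = f"{QOA_PREFIX}{min_qoa}"
    return ET.tostring(rac, encoding="unicode")

def qoa_from_class_ref(class_ref: str) -> Optional[int]:
    """Map a class reference back to its numeric QoA; None if not a known class."""
    m = re.fullmatch(re.escape(QOA_PREFIX) + r"(\d+)", class_ref.strip())
    if m and int(m.group(1)) in QOA_CLASSES:
        return int(m.group(1))
    return None

def assertion_meets_qoa(assertion_xml: str, min_qoa: int) -> bool:
    """SP-side check on the returned assertion: the AuthnContextClassRef must
    be present, a known QoA class, and >= the minimum the SP asked for."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if ref is None or ref.text is None:
        return False           # no authentication context at all: reject
    qoa = qoa_from_class_ref(ref.text)
    return qoa is not None and qoa >= min_qoa

# Constructed sample assertion fragment for illustration (not a real eIAM response);
# the IdP reports QoA50, e.g. a Mobile ID or FIDO second factor.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{QOA_PREFIX}50</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""
```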
IdPs FED-LOGIN/BYOI and QoA (Credentials/Clearance Types)
IdP+Credential(s)+Clearance type = Quality digital identity
Both the authentication procedures (credentials) used for a logon and the degree of verification (verification type) of an identity are decisive for the quality of a digital identity. eIAM describes this as Quality of Authentication (QoA). For QoA40, 50 and 60, the underlying electronic identity is not simply self-registered but verified (surname, first name, date of birth, ID type and ID number). Verified electronic identities make it traceable who was equipped with an identity and thus, if necessary, allow recourse to these persons.
An electronic identity is considered to be verified when an official photo ID of the holder of the electronic identity is checked, registered and correctly assigned to the holder.
The CH-LOGIN offers video identification.
In certain cases, a specially secured second login factor (hard crypto token) must also be used. eIAM relies on FIDO and Mobile ID, for which the end user must provide one of these themselves: FIDO tokens are available in electronics stores, and Mobile ID is pre-installed on most Swiss SIMs and eSIMs. FIDO and Mobile ID are connected to the CH-LOGIN in self-service via MyAccount.
eIAM currently also supports Vasco tokens for verified electronic identities.
Mobile ID
The Mobile ID is a certificate stored on the SIM cards (Subscriber Identity Module, incl. eSIM) of the (currently only Swiss) mobile telephony providers (for providers, see https://www.mobileid.ch). It can be used as a credential and is registered in advance by the user in self-service on MyAccount. The target system that requests a credential and accepts the Mobile ID for it sends a dedicated push message to the mobile device that uses the corresponding SIM card. The end user must then enter a password on this mobile device in order to transmit the Mobile ID to the requesting target system.
The use of the Mobile ID as a credential does not automatically lead to a verified electronic identity; video identification must also be carried out for this purpose.
From 2021, eIAM will use the Mobile ID as a second login factor for the FED-LOGIN, in combination with the verification process of the SG-PKI, whereby the Mobile ID can be used as a verified electronic identity. However, this applies exclusively to employees of the Federal Administration.
eIAM will also accept the Mobile ID as a second login factor for the CH-LOGIN, in combination with the video identification service, from 8 August 2022. The Mobile ID in the context of the federal administration is not aimed at the general public. It can only be used within the federal administration by invitation. You will receive the invitation from your contact at the Federal Administration together with a so-called MIO code (Mobile ID Onboarding Code).
FIDO
FIDO dongles will be used as a second factor in eIAM. FIDO dongles are data carriers, e.g. in the form of a USB stick, containing cryptographic material. FIDO dongles are procured by the end users themselves in electronics stores. FIDO dongles can be used as credentials and are registered in advance by the users in self-service on MyAccount. The target system that requests a credential and accepts FIDO tokens for it verifies the cryptographic material of the token.
The use of FIDO tokens as a credential does not automatically lead to a verified electronic identity; video identification must also be performed.
eIAM supports the following FIDO dongle types for the CH-LOGIN.
- YubiKey 5 FIPS Series with NFC
- YubiKey 5 Series
- YubiKey 5 Series with NFC
- Security Key by Yubico with NFC
- Feitian BioPass FIDO2 Authenticator
Windows Hello (fingerprint, facial recognition or PIN) can also be used as a passkey (FIDO). Please note that you can only log in with a Windows Hello passkey on the device you used during registration.
In which cases must identities with QoA40, 50 and 60 be used?
- Access to ICT resources of the Federal Administration in an enterprise context (internal and external employees and partners). Minimum requirement: QoA40
- Access to data with increased protection requirements in the SZ+ and the Federal Administration network; the minimum requirement according to the current zone policy is QoA50, which is only possible with hard crypto tokens such as a smartcard or Mobile ID/FIDO with VIPS.
- Need of the business process to be able to reliably identify the acting person (recourse capability; minimum requirement: QoA40). This case can also be handled by the target application, for example by uploading a badge copy to the target application.
- The login method FED-LOGIN supports QoA40 to 60 for the following target groups:
  - Internal/external employees who are onboarded by the HR of the Federal Administration or an SG-PKI affiliation such as the cantons and are equipped with a smartcard (QoA60).
  - Smartcard holders who wish to use their FED-LOGIN without their smartcard, using a hard crypto token such as the Mobile ID (QoA50).
  - Smartcard holders who wish to use their FED-LOGIN without their smartcard, using a second factor such as mTAN, AuthApp or the Kerberos service (QoA40).
- The "totally smartcardless" FED-LOGIN login method supports QoA50 for the following target group:
  - External employees of the Federal Administration who do not have a federal smartcard and will not be equipped with one in the near future (e.g. Mobile VDI users), but need to access Federal Administration resources that require strong authentication. By performing the FED-LOGIN "Totally Smartcardless" upgrade, these employees raise the quality of their identity by going through a video identification process and simultaneously registering a strong authentication means, the Mobile ID (QoA50).
- The CH-LOGIN login method supports QoA20 to 50:
  - The CH-LOGIN should be used by all persons who cannot have a FED-LOGIN. This also applies, among others, to the federal employees of the federal operating institutions (3rd circle in the four-circle model).
  - The CH-LOGIN is also used by holders of a FED-LOGIN if they wish to act outside the business context (as private individuals or representatives of the economy). Important: FIDO tokens may only be used here with private ICT devices. The use of ICT devices of the Federal Administration is prohibited!
The guest login is a pseudo login provided by eIAM that is based solely on entering a telephone number that can receive a one-time code (mTAN) as a text or voice message. It is not necessary to create an "account" such as a CH-LOGIN, as the guest login is a "fire-and-forget" solution and thus has the character of an extended captcha rather than a login. Therefore, target applications must not implement guest login recognition, even though the technical identifier is constant per telephone number used. Recognition would occur, for example, if a user could see data entered during an earlier guest login (with the same telephone number) in a later one.