German implementer here. We have to use some kind of attestation mechanism per the eIDAS implementing acts. That doesn't work without operating system support.
The initial limitation to Google/Android is not great, we know that, and we have support for other OSs on our list (like, e.g., GrapheneOS). It is simply a matter of where we focus our energy at the moment, not that we don't see the issues.
German citizen here. So why is an implementation going forward when you already know it will not serve all citizens? Why are we not refusing to implement this until we know we can make it work on all devices?
Personally I recently switched from an AOSP based android without Google Play to Ubuntu Touch. In the future with better hardware support I will probably switch to postmarketOS.
You have the totally wrong expectations here. Some service that requires citizens to buy and bring their own devices in order to use a service will by definition always be exclusive. Whining about lacking compatibility with some niche snowflake devices is just inappropriate in this context. The only solution is to require an actually convenient fallback for those otherwise excluded from that service.
The limited selection of attestation providers can be criticized for many other reasons, though.
If you were averse to carrots (without any health restrictions on eating them), would every government institution in Germany be required to serve you carrot-free food?
If not, why should they be forced to accommodate every smartphone brand in existence, even if there are only 3 people in Germany using it? The list has to end somewhere.
This is an understatement. Better phrasing would be "when it allows two unaccountable foreign companies to lock citizens out of the digital market".
There are plenty of horror stories of tech giants frivolously banning people. We shouldn't be adding state support to that. I don't want to lose access to digital banking because of some deliberately vague "community guidelines" violation, or because I got mass-reported to some "e-safety" provider that both Apple and Google outsource to.
Sibling comments see this as a good solution, just not a perfect one. I see it as making a bad problem worse.
Because then it will never get done. There are still people using old Nokia phones; for those there will never be a solution.
The usual 80/20 rule applies here as well.
And if you really are a German citizen, you know how slow the wheels of government already turn in Germany, I assume next week you would be the one complaining that "Germany is so far behind" and that "other countries are so much faster at implementing stuff" :)
Do we have stats on how many Germans use something other than Google Android, Samsung Knox or Apple? I reckon it should be less than 1%, which quite honestly is in fact „all“ citizens.
You should think about how easy it is to permanently lose access to your Google account for very trivial issues and Google doesn't offer any form of recovery. That in addition to the current geopolitical situation should be reason enough not to rely on that for any justification.
And personally, as a software developer myself, I know that nothing is more permanent than a temporary solution. No one will prioritize or give budget to change it later "because it works".
What? They should freaking think of sanctions, not about "how easy it is to lose a Google account". Both Google and Apple are American companies. If someone lands on a sanctions list, they close your account without further notice [1].
Let me get this straight: you can be a defender of human rights, aligned with the country you live in, but if you fall in disgrace with the American government, _you can't even do transactions with your own country_.
So this is fundamentally flawed, and violates the fundamental rights of German citizens in Germany.
In light of all of these shortcomings with platform attestation, why go with the eIDAS 2 wallet approach at all? eIDAS 1 already solved this with Mobile-ID (SIM-based, no Google/Apple dependency) and Smart-ID (server-side key management with minimal platform reliance). What does the wallet model give you that justifies this level of dependency on two American corporations’ proprietary backends?
Especially considering that mobile-ID has been around since 2007.
SIM-based solutions are on their way out because phones are starting to lose SIM slots. Certifying eSIM implementations to the same EAL level (as Mobile-ID SIMs are) is way, way too difficult. At least for one country doing it alone.
Smart-ID sucks. It's not truly hardware-backed, it's proprietary and has fundamental flaws like not having a direct link between the site being authenticated to and the authenticating device (auth can be proxied, just like if it were just plain TOTP).
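The proxying weakness described just above (an answer that covers only the challenge can be relayed by a look-alike site, like a TOTP code) versus a channel-bound answer, as an added example that is not from the original thread and is not a description of Smart-ID's or Mobile-ID's actual protocol: a minimal Go model in the style of WebAuthn's clientDataJSON, where the authenticator signs the challenge together with the origin the user agent is actually talking to, so the genuine relying party can reject an answer minted for a different site. The origins, the `RelyingParty` type and the `SignUnbound` comparison flow are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// ClientData is what a channel-bound authenticator signs: the server's challenge plus
// the origin the user agent is on (filled in by the browser/app, not by the server or a proxy).
type ClientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator holds the user's key; the private key never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }

func NewAuthenticator() *Authenticator {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: priv}
}
func (a *Authenticator) Public() ed25519.PublicKey { return a.priv.Public().(ed25519.PublicKey) }

// SignBound ties the answer to the site the user is really on; returns the signed bytes and signature.
func (a *Authenticator) SignBound(challenge []byte, origin string) (clientData, sig []byte) {
	cd, _ := json.Marshal(ClientData{Challenge: challenge, Origin: origin})
	return cd, ed25519.Sign(a.priv, cd)
}

// SignUnbound signs only the challenge: nothing in the answer names the site, which is
// the weakness the comment above describes (the answer relays like a TOTP code).
func (a *Authenticator) SignUnbound(challenge []byte) []byte { return ed25519.Sign(a.priv, challenge) }

// RelyingParty is the genuine service: it knows its own origin and its unconsumed challenges.
type RelyingParty struct {
	Origin  string
	pub     ed25519.PublicKey
	pending map[string]bool
}

func NewRelyingParty(origin string, pub ed25519.PublicKey) *RelyingParty {
	return &RelyingParty{Origin: origin, pub: pub, pending: map[string]bool{}}
}

func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.pending[string(c)] = true
	return c
}

// consume enforces single use of a challenge (the replay defence).
func (rp *RelyingParty) consume(c []byte) bool {
	if !rp.pending[string(c)] {
		return false
	}
	delete(rp.pending, string(c))
	return true
}

func (rp *RelyingParty) VerifyBound(clientData, sig []byte) bool {
	if !ed25519.Verify(rp.pub, clientData, sig) {
		return false
	}
	var cd ClientData
	if err := json.Unmarshal(clientData, &cd); err != nil || cd.Origin != rp.Origin {
		return false // signed for another site: a relayed (phished) answer
	}
	return rp.consume(cd.Challenge)
}

func (rp *RelyingParty) VerifyUnbound(challenge, sig []byte) bool {
	return ed25519.Verify(rp.pub, challenge, sig) && rp.consume(challenge)
}

// RunRelayScenarios: the user is either on the real site or on a look-alike that relays
// the real site's challenge to the user and the user's answer back to the real site.
func RunRelayScenarios() map[string]bool {
	auth := NewAuthenticator()
	bank := NewRelyingParty("https://bank.example", auth.Public()) // assumed origins
	phish := "https://bank-login.example"
	res := map[string]bool{}
	res["bound_direct"] = bank.VerifyBound(auth.SignBound(bank.NewChallenge(), bank.Origin))
	// Relay: the user's browser signs the genuine challenge with the origin it is actually on.
	res["bound_relayed"] = bank.VerifyBound(auth.SignBound(bank.NewChallenge(), phish))
	c := bank.NewChallenge()
	res["unbound_direct"] = bank.VerifyUnbound(c, auth.SignUnbound(c))
	c = bank.NewChallenge() // relayed through the look-alike: the answer is indistinguishable
	res["unbound_relayed"] = bank.VerifyUnbound(c, auth.SignUnbound(c))
	return res
}

func main() { fmt.Println(RunRelayScenarios()) }
```

Run it with `go run .`; the bound flow accepts the direct login and rejects the relayed one, while the unbound flow accepts both because the relying party has no way to tell where the user really was.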
I'm sorry to lash out at you, but I keep getting disappointed in European countries (more precisely the ever-disappointing EU Commission) all suffering from NIH syndrome instead of collaborating and learning from each other.
German citizen here. I find this attitude horrible and threatening. You are working on sacrificing yet another part of our digital sovereignty to a US company. There are trillions of better things to do with your life.
Banks are giving out QR-TAN: optical TAN devices which work with credit cards, and it has been going pretty well. Why can eIDAS not have something similar? Distribute hardware tokens. Get rid of the dependency on any OS.
Banks actually have high fraud rates today because of weak security mechanisms. If attackers steal your money, the bank will reimburse you. If attackers steal your identity, you are really screwed. Security requirements for banking and identity are simply different.
Plenty of EU countries have rolled out SmartCards for this exact purpose, some are now adding NFC functionality. Nothing really stops Germany from continuing like that either.
The issue then becomes the UI/UX. If the legal mandate is not strong enough the solution will not gain enough ground. You can see this if you start comparing those countries with an eID rolled out.
Just a quick question, and sorry if it might have been answered already... why is preventing duplication so important? I know it's in the spec probably [1], but I can't figure out the reason.
And a suggestion: add external HSM support at least? (e.g. things like NitroKey/YubiKey)
Preventing credential duplication is a requirement to achieve a high level of assurance. One of its purposes is to limit the potential damage that can be done by attacks. If credentials are bound to hardware-bound keys, attackers will always need access to this key store to make any misuse. If you don't prevent duplication, attackers may extract credentials and misuse them in a thousand places simultaneously.
I’ve just had another, completely stupid but not implausible, idea:
> a local internal WSCD, which is a component within the User device, such as a SIM, e-SIM, or embedded Secure Element,
So you could issue SIM-cards / eSIM profiles that only do signatures and nothing else. The app then connects to such eSIM (and you keep your main SIM/eSIM in another slot).
The less stupid variant is, of course, to get mobile operators to issue SIM cards with e-sign capabilities. Estonia has that, for example: https://www.id.ee/en/mobile-id/
You must go back to the drawing board and rely on highly-regulated Telecom standards (that's why they were mandated in the first place!) not monopolistic defacto "best practices" you have no influence over because they're more convenient for you.
This is simply unconstitutional and should be escalated ASAP if you don't want to end it before the appropriate court in Leipzig, Karlsruhe, or maybe Luxembourg.
Why is a trusted device chain needed? It will put more trust in the potential Chinese device maker and American software companies than in the user whose ID is shown?
Simply because the law was written that way. But also the whole idea of identity verification becomes pretty useless, if there is no chain of trust. You could run a modified client that lets you assume any identity you choose, exactly the opposite of what eIDAS is trying to achieve.
This is necessary because the wallets contain an identity proofing functionality called PID (Person Identification Data). Showing these credentials basically proves you are you. There are high requirements for identity proofing that even pre-date wallets, and that makes sense, because the potential blast radius of identity theft is huge. Historically, these have been secured in smartcards, like eID cards or passports, and are now shifting to the smartphone. Verifying the security posture of your device and app is therefore crucial.
Side question. How come it is always the most incompetent people who get put in charge of implementing things like that. Over and over apps and services are developed in Germany and completely fail at what they are supposed to achieve. Where are these people recruited from?
> The initial limitation to Google/Android is not great
It’s also illegal on both accessibility grounds as well as violating the eIDAS spirit of no dependency on specific providers.
By shrugging it off as “not great”, you’re also dooming every citizen to have to comply with whatever whimsical terms of service Google and Apple have.
Have you ever tried to unban your Apple/Google account? So in effect, everyone's access to eID services will depend on some crappy automation some intern in California set up to detect "abuse" or whatever.
There are technical solutions to avoid this dependency and you’re probably getting paid to find, research and adopt them. So … do your job?
Will eIDAS be the only way to identify yourself in cases where it's needed, or will we be able to user other mechanisms like the german ID card stuff or an entirely separate alternative?
Or to put it another way, is a smartphone required? If not, that would already clear up a lot of issues, I think.
EDIT: Whoops, just saw the answer to another comment asking precisely this. So it's not a requirement. Good. Is there a legal framework that ensures that this remains the case? Otherwise, I fear it will become a de facto requirement over time.
One datapoint: at least in practice, it used to be impossible to delete an entry in the French INPI database (trademarks and company names) without eIDAS. It forced me to unearth an old unmodified Android phone (I run LineageOS on my main phone).
What happens if someone is banned from both companies (even for a very legitimate reason such as hosting illegal content -- they still need to access government services)?
I know it’s not quite the same thing as an OS vendor, but culturally, if you’re having trouble empathizing with the ick in this thread then imagine if the initial implementation was available only for account holders with Facebook, Yahoo! Mail, or MySpace.
> and we have support for other OSs on our list (like, e.g., GrapheneOS)
Excellent. Massive respect to you for doing this. This attestation business is an existential threat to "other" operating systems. I'm glad to see people are putting effort into supporting them.
That's not correct. Article 5 eIDAS2 explicitly states that Europeans exercise full control over their data. Therefore the EUDI wallet must not be a walled garden.
Especially if the wallet shall be used for authenticating and signing, it must be available to all Europeans, even those sanctioned by the US.
If this is your plan, please go back to the drawing board.
It's insane to make yourselves US-dependent from the very beginning; at least provide something like a crypto key that you can get from an official. Banks can do it, so can you.
There's a new initiative by some non-google non-apple phone vendors called *UnifiedAttestation* which I hope you will support at some point in the future:
I think it should be possible, IMHO, like it is for many banks (still), to get a hardware token and then use whatever hardware/browser. Even a nice EU hardware token which allows banks, govs etc. to add their keys/seeds in the enclave would be nicer so I don't have to lug 1000 tokens around, but it's still better than having to trust non-sovereign companies for anything without backup; like multiple here said: Google/Apple getting the command from the Dep of War to shut down EU phone attestation, you losing your account etc., or, you know, me simply not wanting to use their stuff.
This is simply unacceptable. You are not making an innocent pragmatic compromise here, you are launching digital infrastructure which initially will tie everyone to Google/Apple and give alternatives a huge disadvantage for an unknown amount of time. Nobody knows when, or even if ever, support for open platforms will arrive.
You should be ashamed of being involved in this monopoly handover to American big tech.
I bet £50 that the alternative (e.g. GrapheneOS attestation (based on the standard AOSP attestation)) will be delayed, then delayed, then scrapped since almost everyone is using Google Play Integrity anyway.
Yes, I assume malicious intent, sorry, seen this happen enough times recently.
Fingers crossed for the judiciary - if the implementers ignore the intention of the law, then lawyers will have to help them understand the limits of corner cutting - and block this.
This is on the stupid side of lazy (again). You'll still be sovereign only at the pleasure of Apple and Google if you submit to their platform as a service crap.
I wonder if there will be a big enough market for a very compact smartphone equivalent device that can be used just for credentials? A device that is offline on standby except when you need it. Perhaps the size of a car key.
“Not Great” is the understatement of the century. It fails to protect sovereign identity by handing the default to companies not only under foreign sanctions control but who also lock people from their accounts without recourse.
The device chain is a classic misdirection, it seems everyone here is just following Meta’s lobbying to put this into the OS.
Even the carrier layer would be better than the mobile device layer.
Or, you know, just look at Singapore's or the Swiss National SSO; it functions as an app at that layer just fine, no issues.
The existence of eIDAS itself is already a big problem. They're going to try to gradually push laws to make it so that you'll need a government issued signature to do anything. That's when they'll have total power over you because they can simply refuse to issue.
Modern computing and communications technologies can be leveraged to build infinitely stable authoritarian regimes. It's even possible for democracies to stumble into it on their own as they attempt to regulate these new technologies. In hindsight, the Internet was built wrong. It has a top-down structure which all of human civilization is beginning to mirror.
Attestation should be abolished altogether. An app should have absolutely no way of knowing what kind of device it's running on or what changes the user has made to the system. It is up to each individual to ensure the security of their own device. App developers should do no more than offer recommendations. If someone wants to use GrapheneOS, root their device (not recommended), or run the whole thing in an emulator, a homemade compatibility layer under Linux, or a custom port for MS-DOS, that should be possible.
Exactly. It's my own device, I can do whatever I please with it. There shouldn't be an automated way for apps to check if my device has been blessed by the US tech giants or not.
> An app should have absolutely no way of knowing what kind of device it’s running on or what changes the user has made to the system.
and therefore the app cannot give a reasonable guarantee that it is not running in an adversarial environment that actively tries to break the app's integrity. Thus, the app cannot be used as a verified ID with governmental level of trust.
There's a difference between needing to lock down the whole OS and just the secure element. The secure hardware component can sign a challenge and prove possession of a private key without you being able to extract it. Smartcards have done this for decades (most people here will know an implementation under the name Yubikey).
Conveying authentic information across untrusted channels (your phone screen, say) has been a solved problem since asymmetric cryptography was invented back before I was born
If your app needs to be protected from harm, it cannot protect the user from said harm. I hoped software engineering culture was lucky to not have the same precepts that make lockpicking a crime in the real world, that we successfully make it into common knowledge that you can't grant any trust to the client, but it seems "trusted computing" is making some of us unlearn that lesson.
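The two points made earlier in the thread, that a credential bound to a hardware-held key cannot be copied into a thousand places without that key, and that a secure element proving possession of a non-exportable key is a much narrower requirement than attesting the whole OS, as an added example that is not from the original thread and is not the EUDI wallet's or any vendor's actual protocol: a small Go model with an issuer, a holder whose key lives in a stand-in for the secure element, and a verifier that challenges the holder with a fresh nonce. The credential encoding, the `SecureElement` type, the subject name and the presentation format are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Credential: the issuer signs the subject together with the holder's public key,
// so the credential is only useful to whoever controls the matching private key.
type Credential struct {
	Subject      string `json:"subject"`
	HolderPubKey []byte `json:"holder_pub_key"`
	IssuerSig    []byte `json:"issuer_sig"`
}

// SecureElement stands in for the device key store: the key never leaves it.
type SecureElement struct{ priv ed25519.PrivateKey }

func NewSecureElement() *SecureElement {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &SecureElement{priv: priv}
}
func (s *SecureElement) Public() ed25519.PublicKey { return s.priv.Public().(ed25519.PublicKey) }
func (s *SecureElement) Sign(msg []byte) []byte    { return ed25519.Sign(s.priv, msg) }

// credentialTBS is the canonical to-be-signed encoding the issuer signs.
func credentialTBS(subject string, holderPub []byte) []byte {
	tbs, _ := json.Marshal(struct {
		Subject      string `json:"subject"`
		HolderPubKey []byte `json:"holder_pub_key"`
	}{subject, holderPub})
	return tbs
}

func Issue(issuer ed25519.PrivateKey, subject string, holderPub []byte) Credential {
	return Credential{subject, holderPub, ed25519.Sign(issuer, credentialTBS(subject, holderPub))}
}

// presentationTBS ties the holder's answer to both the challenge and this credential.
func presentationTBS(nonce, issuerSig []byte) []byte {
	return append(append([]byte("presentation:"), nonce...), issuerSig...)
}

// Present answers the verifier's nonce with the bound key; the credential travels alongside.
func Present(se *SecureElement, cred Credential, nonce []byte) []byte {
	return se.Sign(presentationTBS(nonce, cred.IssuerSig))
}

// Verify checks the issuer's signature over the bound key and proof of possession of
// that key against the verifier's own fresh nonce. Dropping either lets copies work.
func Verify(issuerPub ed25519.PublicKey, cred Credential, holderSig, nonce []byte) bool {
	if len(cred.HolderPubKey) != ed25519.PublicKeySize {
		return false // ed25519.Verify panics on a malformed key; reject instead
	}
	if !ed25519.Verify(issuerPub, credentialTBS(cred.Subject, cred.HolderPubKey), cred.IssuerSig) {
		return false // credential altered, e.g. rebound to another key
	}
	return ed25519.Verify(ed25519.PublicKey(cred.HolderPubKey), presentationTBS(nonce, cred.IssuerSig), holderSig)
}

func fresh() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// RunBindingScenarios plays one legitimate presentation and three attacks in which
// the attacker holds a byte-for-byte copy of the credential but not the key.
func RunBindingScenarios() map[string]bool {
	issuerPub, issuerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	victim, attacker := NewSecureElement(), NewSecureElement()
	cred := Issue(issuerPriv, "Erika Mustermann", victim.Public()) // assumed subject
	res := map[string]bool{}
	n1 := fresh()
	legitSig := Present(victim, cred, n1)
	res["legitimate"] = Verify(issuerPub, cred, legitSig, n1)
	n2 := fresh() // copied credential, answered from the attacker's own device
	res["cloned_to_other_device"] = Verify(issuerPub, cred, Present(attacker, cred, n2), n2)
	rebound := cred // copied credential with the bound key swapped for the attacker's
	rebound.HolderPubKey = attacker.Public()
	n3 := fresh()
	res["rebound_to_attacker_key"] = Verify(issuerPub, rebound, Present(attacker, rebound, n3), n3)
	res["replayed_presentation"] = Verify(issuerPub, cred, legitSig, fresh()) // old answer, new challenge
	return res
}

func main() { fmt.Println(RunBindingScenarios()) }
```

Only the legitimate scenario is accepted: the cloned credential fails proof of possession, the rebound one fails the issuer signature, and the replay fails because the signature covers the old nonce. Nothing here inspects the OS; the verifier only needs the issuer's public key and confidence that the holder's key is non-exportable, which is the narrower secure-element guarantee the comment above contrasts with whole-OS attestation.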
> an adversarial environment that actively tries to break the app's integrity
Can you elaborate on what this means? Who is the adversary? What kind of 'integrity'? This sounds like the kind of vague language DRM uses to try to obscure the fact that it sees the users as the enemy. An XBox is 'compromised' when it obeys its owner, not Microsoft.
I agree, you should be able to run anything you want, root your device, etc., but you also have to accept the consequences of that. If an app can no longer verify its own integrity, certain features are simply impossible to implement securely.
Think of it this way: A physical ID (which is what we're trying to replace here) also has limitations: it looks a certain way, has a certain size, etc. Just because somebody wants a smaller ID or one with a larger font or a passport in a different colour or whatever doesn't mean that this should be allowed or possible. Some limitations exist for a good reason.
Users have the right to modify any app running on their own device. Software security should never depend on the user having no control over their own device. Smartphones are essentially just regular computers, and on them you can use a debugger and do whatever you want. Viewing smartphones as closed systems like game consoles where you need the manufacturer's permission for everything only leads us into the dystopia that Richard Stallman described as early as 1997 in his short story "The Right to Read".
Comparing being able to run the hardware and software of your choice to "wanting a passport in a different color or whatever" is so completely fucked, and it's beyond insane as a justification for giving two American tech companies with a well established track record for doing evil control over your citizens' ID.
The world has gone absolutely mad, what the fuck am I even witnessing? It is quite literally becoming 1984 in front of my eyes, with people complying completely voluntarily and openly advocating for it, not even a threat of force to make it happen.
Well, in that case, if they want full control and attestation yadda yadda, I'm fine with them shipping me a device they fully control exclusively for use of this stuff. But if we're talking about my smartphone that I paid for with my money that I worked for, I will do whatever I damn please with it. So I guess that means eIDAS will be inaccessible to me.
True, but it's really hard to name a family of commercial devices with security features in hardware, including serious security features, which were not eventually hacked.
Worse still, for new mainstream devices that are believed to be safe, the state-sponsored actors will likely operate unpublished exploits, and will exploit the misplaced faith people and the judiciary will put in device attestation. I don't think the very likeable people who worked on Pegasus found themselves respectable jobs; they are likely still selling that sophisticated crap to all authoritarian regimes.
Exactly this. And what's more, the idea of device attestation makes people trust those devices, and the history of rooting consoles and phones proves that nothing holds, even tech backed by billions in commercial interest.
The whole point in reducing the blast radius is valid - by all means make this optional and allow the user to elect to tie their identity to the device. For everyone else, implement validation of actual transactions, not just user secrets and device secrets.
This is the original sin of modern computing. Almost all anti user features are only made possible because we didn't pass laws against "secure elements" that serve the maker and not the owner when NGSCB got announced.
What if you „lose“ your google / apple account, like this sanctioned judge of the international criminal court? Crazy to imagine that we are still baking in dependency on US providers in european societies, even though there is clear indications we should be doing the opposite?
You wouldn't even have to be a high profile target like a sanctioned judge. Simply getting your account banned by some automated process that marked you as "suspicious" will basically render you excluded from society.
It is absolutely insane to put this amount of power in 2 foreign companies that will be able to destroy your life with zero reason, oversight, or due process.
This is not a hypothetical problem and you don't need to be deliberately targeted. It actually happens to normal people. And if it does you have absolutely zero recourse.
Source: I have a banned Google account (it's over 20 years old at this point). I know the password, but Google doesn't let me log into it. Every few years I try to unsuccessfully recover it.
If you have a Google account and having it banned would be a problem for you here's my advice: migrate. Right now. You never know when one of their bots will deem you a persona non grata.
I am shocked that there isn’t more opposition from the general public to policies like this that erode privacy and freedom. I am a parent and can appreciate the need to control what children do on the internet, but at some point parents need to parent. I fear we’re giving up a lot of freedom and adding unneeded complexity under the guise of keeping children safe.
I think because most people, even tech-savvy ones, don't understand how this might affect their lives. It's too abstract. At least how it's portrayed here.
Contrast that with chat control.
My government can read my WhatsApp messages? Not good!
The non-technical narrative is very simple: Google, Apple, or the German government can revoke your ID at any time. You cannot purchase or sell anything[1], sign any contracts, have a job, rent an apartment, use public transportation, or receive any kind of government services without an ID. This should sound extremely alarming to everyone regardless of technical knowledge.
[1] Maybe with cash, for now, but cash is clearly not long for this world, and your bank account will be inaccessible already.
But there is nothing abstract here. A private entity, situated in a country that is very hostile and pro-Russia, controls parts of the software stack and implementation here. That's a law written by lobbyists.
Germany is distracted with its version of “the gun debate” aka speed limits.
Like every school shooting, every energy crisis brings opportunity to saturate the airwaves with shallow noise that gets people overly upset and they'll ignore everything else. Every player on both sides is abusing this mechanic for all eternity.
I think this view is too reductionist, as people can (and usually do) debate more than one topic at a time. The problem is that technological dependence isn't gaining enough precaution when commodity products are being discussed.
What worries me is that it's a real global problem in all of our non-autocratic societies. On a positive note, I can see how this is actually becoming a common understanding and gaining traction, as hyped AI products are seen by some as 3rd-party- or SaaS-killers. It seems like we know how to differentiate between independence and dependence, and evaluate any risks affiliated with such a decision. But it baffles me that this differentiation manages to float as some ironic stream in our Zeitgeist, and just barely manages to be taken seriously.
Imagine we had real democracy where people vote on issues.
Speed limits? Vote once every 7 years or so on it and be done with it. Same for abortion laws, drug laws, gambling laws.
Have a debate, vote, come back to it in 7 years if there is public interest.
Preferably vote locally on issues that can be applied locally (like speed limits/enforcement etc.).
Public debate and assessing politicians and parties would be so much cleaner then if they couldn't use polarizing issues to rally their support and do w/e they please on all other issues.
As far as I can tell, people are getting blitzed. People I know are incredibly deep in their personalized bubble and genuinely aren't even hearing about it. It's genuinely distressing. In general and for the future of democracy.
It feels like this era of hyper-individualism requires too much attention from each individual and favors those that can afford to outsource the work. While that stabilizes the role of society as a system, I feel like this is most worrisome for the less privileged in any low-trust environment.
I'm not. Parents are very much in favour of restrictions on what can be accessed online.
Parents can't control what their children are doing 24/7, and neither should they. But they should expect a society where children are protected from billion dollar corporations stealing their attention and radicalising them, at least until they are old enough to leave mandatory schooling.
There are many "real world" age restrictions that exist, and we have decided those are of benefit to society in general. The "online world" is no different.
If we can't have age restrictions online then they should just be abolished in the real world as well, in the name of preserving "privacy and freedom". The online world doesn't exist in isolation like it did in the 90s and 00s.
This is because the EU is basically designed as a lobbying platform. Note that lobbying by its own citizens is possible and welcome, but expensive and requires some coordination, so basically foreign actors and big corporations are dominating.
This is not a secret, the process is actually very transparent, but it is "hidden" in all the documents nobody really wants to dig into.
Also the EU and all those states are highly incompetent and pretty much only depend on low-quality contractors.
For example there is very little discussion and info about the fact that the EU digital infrastructure just got owned by what seems to be a random hacker group [0].
You write it as if companies provided tons of help to parents and children. Meanwhile, they spend a lot of money to make it as hard as possible.
Second, kids in Germany generally have a lot more freedom and there is less of a knee-jerk impulse to blame parents for every accident. The expectation is that adults don't harm them without parents having perfect control every second.
The age verification sniffing laws will come to the EU and Germany too, so your assessment is, in my opinion, too limited and incomplete. It's not really about parenting, it is about grabbing more and more data from people.
Are you saying there's a threshold percentage somewhere below which you're happy to
A: exclude these people from society or force them to switch to big tech, and
B: accept the consequence where a single other country holds access to everyone's identity information for convenience reasons (because it works for the 99% that are too tech-illiterate to install software that they control instead of the other way around)
My uncle has lost 4 Google accounts. Two to password loss, one to a fire, one to being banned for crimes against currency (having the audacity to live in several countries with different currencies)
The issue isn't the phone, it's that a __government__ is depending on an unregulated private enterprise.
I think the point is rather what percentage of people will continue to need to have a phone that is Apple or Google, due to death by a million decisions like these.
All these requirements for specific hardware and software are ridiculous. Let every citizen use whatever computer they want. It should be up to the user to secure themselves. Authentication should only require a password or a key pair. If the user wants more security, they can set up TOTP or buy a security dongle or something.
It's also ridiculous how it seems we've forgotten computers other than smartphones exist and that not everyone even has a smartphone, let alone with an Apple or Google account.
Last week I was watching a YouTube video, talking about the EU creating payment services independent of VISA and MasterCard. What struck me is that they are all apps, which will require an app store.
Great, I can pay with a digital Euro, Wero or something else, without routing my payments via VISA. I just can't do it without an account with Apple or Google. I'm absolutely baffled by politicians, regulators, banks, merchants and implementors lack of ability to think more than one or two steps out.
Sure, the EU is forcing 3rd-party app stores, but no one is using them, so no one is pushing apps to them, especially not governments, banks or payment services; they'll be the last to use them.
The digital Euro seems to still be in early planning stages. It seems people want to plan a physical card for it, but whether online payments will work without a platform-dependent app is unclear for now.
Wero however is currently only planned as an android/ios app period. There are rumors that a card will come but that's only rumors for now.
In your list of groups to be baffled about I would add journalists. You see many articles about Wero mentioning digital sovereignty, but have you seen any that criticize the required banking apps only being available in google's and apple's app stores?
The current policy trend in the EU is definitely not based on the principle of each user evaluating their own risk. On the contrary, service providers like financial institutes and identity providers have the responsibility to keep users safe, and more and more regulation will be made. The natural consequence is restricting which platforms are supported.
> The current policy trend in the EU is definitely not based on the principle of each user evaluating their own risk.
Yes and if you look back this is not new. Just look at the extraordinary restrictions that apply to:
- What houses you can build,
- What vehicle you can drive,
- What food you can grow and sell.
The result is that real estate has become unaffordable for younger people, our car industry is being annihilated, and the agriculture sector is hanging by a thread.
The digital realm enjoyed an unusual level of freedom until now because the silent and boomer generations in charge in the EU understood nothing about it.
Now that the EU is getting involved in "computers" we are starting to understand why peasants have been protesting in Brussels and calling those people insane for decades.
It should be legally required to provide enough interoperation capabilities for a compatible frontend to be written for an Apple II by whoever would like to do that, as the government can't be expected to write and maintain clients for every platform that's now in existence or that will be created in future.
If only currently popular platforms are to be supported, how could a new platform join them in the future if the use of existing ones is mandated by governments?
It makes no sense. eIDAS 2.0 specs don't require specific hardware [0]. They basically store verifiable credentials [1] and any other cryptographically signed attestations.
This feels like laziness from German implementers, as they don't want to (quoting the spec literally) "implement a mechanism allowing the User to verify the authenticity of the Wallet Unit".
Look at the reference implementation. Maintainers resist removing the Google dependency for no good apparent reason. And if there is persistence without reason, there is a reason.
> We understand your concerns and truly appreciate your suggestions. As previously mentioned, this is not something that is enforced by the reference implementation — these are simply recommendations, not requirements, for any wallet implementer. That said, we recognize that this is a sensitive topic, and we may need to revisit it, even at the level of recommendations.
> The README files for both the iOS and Android Wallets have been updated to mention only OWASP MASVS compliance, without referencing any specific APIs.
I understand their position, but I also get the concern, especially around existing implementations like the Italian app. I think it's mostly that they have different priorities than ensuring that the reference implementation is a perfect guideline for member states.
This looks like a good vector for a European Citizen Initiative around removing all technological dependency on non-EU providers.
Operate European tech infrastructure without a dependency on America challenge (Impossible)
For 99% of smartphone users, you can't get apps onto their phones without Apple and Google signing the app and letting you into their store, and users can't install the app without an Apple/Google account.
Why remove a dependency on Google, when you'll still be 100% dependent on Google?
Anybody working on "Digital ID" has already made peace with the fact that it can be turned off overnight if Trump says so.
Does this mean sanctioned individuals, such as those in the International Criminal Court, would be unable to access eIDAS, among other things? As it requires, from my understanding, installing app(s) from the play store, thus requiring an account there and being able to access it, which isn't happening if you're among those or really, in any group that might get the same treatment in the future.
I don't think it's a bad idea though. If only for bringing the issue to the public
And while I do think an alternative would be good, the fact is that protecting the private key is the most important part (for example by keeping it on a smartcard with NFC), hence the need for a secure device.
"but I want to install alternative Android etc etc" yes that's fine - but you know this is a non-secure-(enough) env.
Physical SIM cards are just as secure as the secure enclave on the phone. In Norway a few years ago banks even used that for secure authentication that worked on dumb phones, with local mobile network providers pre-installing the required software on their SIM cards.
But then to save cost including the support cost banks stopped and instead started to require a non-rooted Android/iPhone.
> "but I want to install alternative Android etc etc" yes that's fine - but you know this is a non-secure-(enough) env.
I feel like this is getting to the point of gaslighting. Many of the allowed devices are bargain bin Android phones running out of date software with known vulnerabilities in both the operating system and the hardware which is supposed to be protecting the keys.
Meanwhile you could be using a hardware security module in a bank vault in a nuclear bunker surrounded by armed guards and the excuse would be that this "isn't secure" because it hasn't been approved by Google or Apple.
Governments shouldn't be requiring you to use any specific vendor or set of vendors. They should be publishing standards so that anyone who implements the standard can interact with the system.
No I do not. It is plenty secure compared to a corporate version and nobody should be legally able to deny service over me having control over my own computer.
Needing the entire OS to be secure to protect a key is also a dumb idea in general.
Requiring people to use products from one of two private American companies with a bad track record of locking people out of their accounts is more than “not great”. Some things are better not done if they can’t be done well.
So what can be used as an attestation API? WHAT will make sure that when a phone says "you're paying 10 euro to $coffee_place" that it isn't a bitmap being shown over "you're paying 10.000 euro to $scammer", above the pay button. Note: needs to be a real guarantee that isn't a permission question away from going away.
Either governments can develop (and pay for) THAT technology, or they can use Apple/Google ...
I'm not sure I want my government to develop that technology.
Government software is usually low-quality, expensive procurement crap, often riddled with security holes, and an exercise in checkbox checking. UX and user friction can't be expressed as a verifiable clause in a procurement contract, so they're ignored.
Besides, every time EU governments tried to force smartphone manufacturers to pre-install government apps, the population freaked out over (unwarranted) surveillance concerns. This isn't something you can do without pre-installing apps (you don't want these APIs opened up because then attestation loses all meaning).
Yes but in the real world all smartphones are either Apple or Android. Europe has zero footprint in either software or hardware. It is not creating a requirement to use specific products, it is using the products people already have.
So one may argue that the implementers are only taking the pragmatic approach regarding something that is out of their hands.
It literally has created the dependency on Google, even though Android offers the standard/generic AOSP attestation.
Also you weirdly forget all the Chinese phones. There's also some tiny European brand which will have absolutely no way to limit their users' dependency on the famously hostile and uncontactable provider.
We're talking about an essential government service, not just another weather app. You have to look at this through the lens of national security, the debate about EU digital sovereignty, and the requirements of the GDPR in light of the US CLOUD Act, as well as prior decisions of EU courts about these issues.
Self Sovereign Identity (aka SSI) is the only way out of those identity sovereignty issues. It shouldn't be acceptable that your identity depends on anything or anyone. It should just be your identity.
A paper or certificate can prove an entity trusts your identity to be <firstname, lastname, etc...> but that shouldn't be your identity.
You just are. Not your google Id, not your Apple Id either of course.
You are conflating the philosophical notion of identity with functional identification in the real world. There is no cryptographic escape hatch from the social contract.
>You just are/I just am
Is not an acceptable thing to say to a bartender when being served an alcoholic drink when you're 22. You hand them government-issued ID.
I'm not quite sure if the German implementation is possible without mobile devices (couldn't find anything on that at first glance). The Austrian implementation on the other hand does not require a mobile device; if you want to do it on a PC you just need a FIDO2 token.
As strange as it is, Austria is quite far ahead in terms of eIDAS, since we've had Handysignatur for more than a decade. I wouldn't be surprised if the Germans are planning to support hardware tokens but haven't had the time yet.
Yeah, quite ahead in terms of making anonymous phone numbers illegal and requiring the government to know your phone number.
And if you don't want to use a smartphone, ID Austria does not work with regular FIDO security keys, you need special ones. Same for the old SmartCard system which didn't work without government-mandated malware.
It seems to imply that the already existing way of authenticating via eID, which is the auth chip present on our ID cards, will still work, if I read it correctly? I understand OP's link to refer to a new, alternative system, that can be used without the ID card.
But take this with a grain of salt, I'm not very well informed about the whole topic.
ISO7816 (smartcard) has existed for nearly 4 decades as the standard secure identity card, widely used by the banking industry among others. Very unintrusive and not hostile beyond needing to carry a little chip. If governments want a national ID, they could just give everyone one of those.
Already exists as biometric passport or ID card in several countries. The problem is things like authenticating online to submit your tax form. App-as-2FA is kind of the standard for example to log in to your online bank portal, though for government services the threat model and privacy implications are different.
If you have a FIDO device on your (physical) keyring or a keyboard with a smart card reader or some kind of NFC transceiver connected to your PC, the problem is technically solved - just not practically.
Note that phones also have NFC readers. Instead of requiring everyone to have a locked-down phone, they could offer that you use said phone to read the chip, or use any other (USB) reader you like. I believe there's a German government app that already does this, AusweisApp2 iirc. As someone with a different nationality who lives in Germany, I don't know more than that.
This is exactly how we implemented eIDAS in Spain. The government-issued national ID (DNIe) is an ISO 7816-compliant smart card. Latest versions are also ISO 14443-compliant for contactless reading. To use it, you just need a simple smart card reader or an NFC-enabled phone. https://www.dnielectronico.es/PortalDNIe/PRF1_Cons02.action?...
Belgium has had exactly this for decades. But now they want to get on the hype train for smartphone based ID, because card reader support is still shit in browsers in 2026.
Adding to this: anyone older than 12 years old is required by law to have their government issued ID on them at all times when in public. If your ID is suddenly your smartphone, you're essentially required to have that on you 24/7. Dystopian spyware.
That sounds like a very smart move at the time when Europe realizes the US isn't such a great partner and is trying to reduce its critical dependencies on foreign nations' tech and infra. Good job.
I'm actually very surprised to see this from the Germans, who have this reputation of great engineering culture.
Nor in the physical world either. Crumbling planes, trains and automobile infrastructure. Collapsed bridges, airports that don't function properly etc.
I wouldn't, as China being the largest single market for motor vehicles and the cutthroat competition there is what caused all this.
Everyone is trying to cut costs so as to be able to compete there and Europeans are paying the cost of financing this.
Personally I'm going to wait until the average car age in China crosses the 10-year mark to get a new vehicle. Until that happens there will be no incentive to think about longevity.
AFAICT, there is no mention of an Apple or Google account being required in general - the documentation just lists "signals" that are used to securely authenticate a person - such as Google's/Apple's security ecosystems.
I am not sure what this means in practice.
Can anybody with deeper understanding explain the actual implications and possible outcomes?
(Note: BMI is the German Federal Ministry for the Interior)
Google is becoming a bit draconian. They did not allow me to create a new email account, saying I already have too many accounts. But they also don't allow me to delete existing accounts, saying there is no authentication method available to access/delete those old accounts.
You can get that, even if you have a phone with the app on it. MitID is perfectly okay with that. At login time you will be prompted for your token code, but there is an option to switch to the app ("Skift til MitID app" in the bottom of the box).
The MitID design is strange, but in this regard it is well done.
Somewhat. To fill out my taxes online, I could sign up with either the AGOV app (needs Google Android) or a USB security key. I happened to have a YubiKey, but I needed to mess with the Firefox about:config (security.webauth.u2f=true IIRC). It did work in the end though.
There was a time window 2 years ago where it appeared that I need an actual phone number to do my taxes, but even that was replaced with something more universal.
In context of eIDAS, your phone starts to be used for much more sensitive matters than typing comments or even logging in to your bank. The repercussions from having a secretly patched bootloader can involve another person assuming your identity, including for large B2B transactions.
Requiring citizens to have (buy) some device to simply prove they are who they are seems hostile and dystopian to me. Some say it’s the future; I’m not convinced.
However, if you were to allow me to use my pocket computer (and nothing else) to prove I am who I say I am, you would want to trust that I am not pretending to be somebody else after extracting private keys from their phone or whatnot. I.e., you would want to require some sort of trusted computing.
Currently, that seems to only be provided by closed ecosystem phones.
Even still, I think it’s a mistake to be rolling out eIDAS as a mobile app first. The specification allows for this to be a dedicated hardware key (maybe even something YubiKey-like, and the EU already requires all phone manufacturers to have USB-C), so why not start with that.
As someone living in Germany, the alternative would be snail mail, which is used to send a pre-authentication code, username and then another code. This is pretty common with insurance providers, German traditional banks, etc. However, the annoying part is that if you ever forget or lose the code, then you would have to request a new one via mail that would arrive like 2 weeks after.
The alternative is a secure physical device and that's also the correct way to go if you insist on having online ID checks and take digital sovereignty seriously instead of making it a joke lip service like these implementers do.
You're linking to a bugtracker. I doubt they're inviting people to spam it with duplicate entries — valid as I think the concern is. But maybe it says somewhere that you can leave feedback here and I just haven't seen it?
EU depending so much on Goo/App feels suspicious for direct lobbying, as someone noted. If I were Ursula, I would draw a red line: no US digital dependence. But the rounding error of the rounding error of these trillion dollar companies is enough to expunge the nonexistent EU infra.
Europe needs a private European identity provider. Until this happens, Europe will remain a technological vassal state of the US.
These are expensive products, you need depth of expertise and experience to create a system that could compete with the likes of gmail and Microsoft and ... so it's not a wonder that this hasn't happened yet. But pretending like this can be a public service is foolish (too high stakes ~~if~~ when it gets hacked), and pretending like existing providers that offer identity and email are sufficient is equally foolish. Google and ms and apple etc all offer the basics for free, and this is necessary for mass adoption. It will be an expensive project. But necessary, if the eu wants strategic autonomy.
---
Oh and requiring a us based account is not even the most egregious part of this proposal, ffs
Works for me in Germany. I wonder if it's some overzealous bot protection that's cutting off humans again, in this case from what looks like a government website, but without further testing that's hard to say. You could check if it works from another network, or if other people on your network range have the same issue (like if you're in 13.37.0.0/16 then maybe someone else at the ISP is also in that range and could check if it got blocked outright)
Possibly I'm not smart enough to understand, but from what I see the implementers intend to leverage the existing security architecture of Android/Google and iOS/Apple, respectively, arguably to drive adoption. The document doesn't state anywhere that an Apple / Google account is a requirement to use German eIDAS. From what I can tell, one may (continue to) use one's government-issued ID card with electronic signature for authentication.
Please prove me wrong, I genuinely want to understand the implication of the linked document.
Knowing the Germans, how much of a fiasco will this be? Many Germans despise having to go online with specific services due to "Datenschutz". Now you are telling them that they need an external (American) service in order to use this?
What I don't understand is: ELSTER (taxes) already uses electronic signatures, don't these signatures already fulfil the requirements of eIDAS? Why do we even need Google/Apple?
EU digital identity law to make inter-EU signatures (and authentication) work.
As an example, an EU citizen working in Sweden should be able to submit Swedish tax forms whilst living here by using a digital identity from the originating nation.
There are also some standards in place like ETSI standardized extensions to PDF signatures so that you can verify that a signature inside the PDF was actually signed by a specific physical person (the standard is there but it's not fully used throughout the EU yet due to some legacies).
Implementation is a bit of a mess still but things are converging.
Is there a reason this user-hostile mess is preferred over an X.509 certificate (besides big tech lobbying)?
Slovenia hands out certificates for online government services, including document signing, and it seems to be going fine, with the added benefit that Google can't take away my access.
Do you happen to know if German citizens can obtain a certificate to sign PDFs (from the government / for free)?
Several paid providers for X.509 certificates exist but document signing certificates cost around 80 € per year [0]. And if I want duplicate X.509 certificates for my redundant Yubikeys then the cost doubles.
Other providers require an initial deposit and then charge per signature [1], which leads to intransparent pricing. In the interest of open commerce, I strongly believe that securely signing an electronic document should cost the same as my manual signature, i.e. nothing.
A partial solution already exists because I can use my electronic ID card with the AusweisApp to prove my identity when interacting with German authorities. This feature is generally useful because I live outside of the EU, but I especially appreciate that I can have my OpenPGP key signed by Governikus (a government provider) to prove the key belongs to my name [2].
Technically, I should be able to use my certified PGP key to sign documents, but in practice most non techies don't know how to validate my signature. For the average user opening my signed PDF in Adobe Reader, I would need an X.509 certificate from a trusted Certificate Authority for users to see the green check mark.
I assume this should be "intra-EU"? I'm not very familiar with eidas so I'm not sure, but afaik it's about signatures within the EU, not between different EUs (as there is only one in this world). (I hate this inter/intra wording, always have to translate it in my head to understand whether it's like internet (between networks) or like intranet (within a network). Would recommend using "within-" instead of intra whenever it's not already a well-established word, like intranet)
There's a dispute? Well it was going to end up in court no matter how you signed it anyway.
This has all the hallmarks of a design by committee project by people whose salary is paid regardless of demonstrating market fit, productivity, usage, plain sensibleness...
So what was the point of putting a crypto chip into every ID if you are gonna try and reinvent the entire trusted environment in the fucking smartphone?
My Shift6mq is listed as not having NFC support in postmarketOS, so I can't actually test it, but I assume the USB card reader option will work once it's supported.
Well, since it happened also for my gov (France) 10 years ago, we can see this pattern happening in the whole EU.
There is a mixture of incompetence and big tech aggressive lobbying on gov 'standards' all over the EU... making anything internet hard-locked on big tech's ultra-massively complex software, protocols and file formats.
In my country, it is the web: classic web support interop was actually killed 10 years ago. Now, only web apps requiring one of the gigantic and ultra complex web engines from the WHATWG cartel are working. No "small" web engines (including their SDKs) work anymore, and it closed the door for good to anything 'not big tech' (here the WHATWG cartel), what a bummer, oopsie!
It means in my country, to interact with the gov agencies and dependencies, you are now FORCED BY LAW to use only WHATWG cartel web engines. Wow, corruption (there is big public money there)? brain-washing grade lobbying (what seems to be the case)? incompetence (always expected on complex matters)?
To add insult to injury, in my country, the ONLY person who has the power to fix that is the prime minister (then also the president). Oooof!
Of course, very simple classic web sites do work on 'smart phones' (apple did threaten to remove its browser... we know why: to force a technical hard dependency on them since they have a significant amount of the "market").
We all know their weak spot: a simple and stable in time, "good enough" to do the job, set of existing protocols/file formats (to protect the SDKs, I would include the computer languages, for instance excluding c++ and similar for plain and simple C and assembly to protect against the obviously ultra-complex SDK components): it will reduce dramatically the complexity and size of any current and future, local, implementations.
What seems to be happening when I look at that: some people all over EU countries are trying to fight their way out of big tech because of gov officials probably being brainwashed by lobbying (do not exclude the possibility of "corruption", there is always some level) or incompetence (which is expected).
Since it is happening in France and Germany, core of the EU...
App attestation does not require an Apple account nor a google account. For Android, it does limit the ROMs to Google certified ones and requires GMS to be installed if Play Integrity is used. An alternative option, would be to use the Hardware Attestation API directly, GrapheneOS would be thanking you.
I've spent a good amount of time implementing exactly this type of system for a backup service.
This document specifies a way to cryptographically attest the integrity of an HTTP request hitting a server.
The attestation proves the request came from a device and attests the legitimacy of the bootloader, OS and app.
Google and Apple are in a privileged position to be able to bypass the app attestation though, so depending on the threat model, it's not bulletproof.
edit: Play Integrity could be the worst offender here, as it can be leveraged to force a user to have installed the app through the Play Store, indirectly requiring a Google account.
There's no such thing as "legitimacy of the bootloader, OS" that can be verified by someone who isn't the device's user. The bootloader that booted the phone I type this on is patched by me, which makes it more "legitimate" than any other bootloader that could be placed there.
The reason (or, depending on your inclinations, the excuse) for trusted computing to exist is not to guarantee that I didn’t patch the bootloader of the phone on which I type my comment; it’s to guarantee I didn’t patch the bootloader of the phone on which your grandma logs in to her bank without her knowledge.
You can bicker about the words all day long. Legitimacy, or perhaps better: authenticity, in this context, would be a bootloader or OS that doesn't allow tampering with the execution of an app.
Sorry but this is nonsense - most users, even the Linux toting power users - don't have the time, ability or knowledge to verify the contents of their OS in a way that would catch issues prevented by attestation.
The problem with modified phones containing malware is very real and unless you want a full on Apple "you're not allowed to touch the OS" model you need some kind of audited OS verification that you as a user or a security sensitive software can depend on.
> App attestation does not require an Apple account nor a google account. For Android, it does limit the ROMs to Google certified ones and requires GMS to be installed.
To me, there is no difference between your sentences. You require the blessing of an American company to be able to use eIDAS. Google has the power to disable eIDAS at a national scale by making the attestation services treat all devices as not certified.
There should be NO reliance whatsoever on a private company not under the control (direct or indirect) of the government let alone a foreign private company.
Edit: I just noticed your username and the fact that your account is very new. Are you astroturfing?
I made an account because I'm qualified to talk about this topic :-) I've spent a considerable time testing every corner case of UX, and DX of an app attested service.
App attestation can fail on simulators, Graphene OS, dev builds, I've seen it all. There is one check you can do to see if an app was side loaded, so indirectly, can require Google account.
Title is still misleading though, as it explicitly mentions accounts.
I agree, there is still a reliance on the tech giants that produce the phones, who are the ones embedding the cryptographic keys, to make this end-to-end attestation work.
But in pure technical & UX terms, you don't need to be logged in.
German implementer here. We have to use some kind of attestation mechanism per the eIDAS implementing acts. That doesn't work without operating system support.
The initial limitation to Google/Android is not great, we know that, and we have support for other OSs on our list (like, e.g., GrapheneOS). It is simply a matter of where we focus our energy at the moment, not that we don't see the issues.
German citizen here. So why is an implementation going forward when you already know it will not serve all citizens? Why are we not refusing to implement this until we know we can make it work on all devices?
Personally I recently switched from an AOSP based android without Google Play to Ubuntu Touch. In the future with better hardware support I will probably switch to postmarketOS.
You have the totally wrong expectations here. Some service that requires citizens to buy and bring their own devices in order to use a service will by definition always be exclusive. Whining about lacking compatibility with some niche snowflake devices is just inappropriate in this context. The only solution is to require an actually convenient fallback for those otherwise excluded from that service.
The limited selection of attestation providers can be criticized for many other reasons, though.
Also German here, we have to get rid of the 100% perfection-at-launch expectation; it's crippling this country.
Do all German hospitals serve vegan food?
If you were averse to carrots (without any health restrictions on eating them), would every government institution in Germany be required to serve you carrot-free food?
If not, why should they be forced to accommodate every smartphone brand in existence, even if there's only 3 people in Germany using it? The list has to end somewhere.
> Why are we not refusing to implement this until we know we can make it work on all devices?
Simply put: this will never happen. Way too many device implementations to make this a reality.
> it will not serve all citizens
This is an understatement. Better phrasing would be "when it allows two unaccountable foreign companies to lock citizens out of the digital market".
There are plenty of horror stories of tech giants frivolously banning people. We shouldn't be adding state support to that. I don't want to lose access to digital banking because of some deliberately vague "community guidelines" violation, or because I got mass-reported to some "e-safety" provider that both Apple and Google outsource to.
Sibling comments see this as a good solution, just not a perfect one. I see it as making a bad problem worse.
Because then it will never get done. There are still people using old Nokia phones; for those there will never be a solution.
The usual 80/20 rule applies here as well.
And if you really are a German citizen, you know how slow the wheels of government already turn in Germany, I assume next week you would be the one complaining that "Germany is so far behind" and that "other countries are so much faster at implementing stuff" :)
Do we have stats on how many Germans use something other than Google Android, Samsung Knox or Apple? I reckon it should be less than 1%, which quite honestly is in fact "all" citizens.
You should think about how easy it is to permanently lose access to your Google account for very trivial issues and Google doesn't offer any form of recovery. That in addition to the current geopolitical situation should be reason enough not to rely on that for any justification.
And personally as a software developer myself i know that nothing is more permanent than a temporary solution. No one will prioritize or give budget to change it later "because it works"
What? They should freaking think of sanctions, not about "how easy it is to lose a Google account". Both Google and Apple are American companies. If someone lands on a sanctions list, they close your account without further notice [1].
Let me get this straight: you can be a defender of human rights, aligned with the country you live in, but if you fall in disgrace with the American government, _you can't even do transactions with your own country_.
So this is fundamentally flawed, and violates the fundamental rights of German citizens in Germany.
[1] https://www.lbc.co.uk/article/british-icc-chief-prosecutor-l...
Can't you just make a new google account then?
In light of all of these shortcomings with platform attestation, why go with the eIDAS 2 wallet approach at all? eIDAS 1 already solved this with Mobile-ID (SIM-based, no Google/Apple dependency) and Smart-ID (server-side key management with minimal platform reliance). What does the wallet model give you that justifies this level of dependency on two American corporations’ proprietary backends?
Especially considering that mobile-ID has been around since 2007.
SIM-based solutions are on their way out because phones are starting to lose SIM slots. Certifying eSIM implementations to the same EAL level (as Mobile-ID SIMs are) is way way too difficult. At least for one country doing it alone.
Smart-ID sucks. It's not truly hardware-backed, it's proprietary and has fundamental flaws like not having a direct link between the site being authenticated to and the authenticating device (auth can be proxied, just like if it were just plain TOTP).
I'm sorry to lash out at you but I keep getting disappointed in European countries (more precisely the ever disappointing EU commission) all suffering from NIH syndrome instead of collaborating and learning from each other.
Isn't the eIDAS 2 wallet approach a legal requirement of eIDAS 2 (which is an EU regulation, i.e. the law)?
German citizen here. I find this attitude horrible and threatening. You are working on sacrificing yet another part of our digital sovereignty to a US company. There are trillions of better things to do with your life.
European Citizen here, and indeed lots of people in IT turn a blind eye to the collateral damage their work may create.
I know someone who happily codes "verifiable credentials" in Elixir, disregarding all externalities.
Tbh, I feel this is stupid.
Banks are giving out QR TAN: optical TAN devices which work with credit cards, and it has been going pretty well. Why can eIDAS not have something similar? Distribute hardware tokens. Get rid of the dependency on any OS.
The German ID card (Personalausweis) supports certificates and communication via NFC. I really don’t understand what’s all this about?
Banks actually have high fraud rates today because of weak security mechanisms. If attackers steal your money, the bank will reimburse you. If attackers steal your identity, you are really screwed. Security requirements for banking and identity are simply different.
Plenty of EU countries have rolled out SmartCards for this exact purpose, some are now adding NFC functionality. Nothing really stops Germany from continuing like that either.
The issue then becomes the UI/UX. If the legal mandate is not strong enough the solution will not gain enough ground. You can see this if you start comparing those countries with an eID rolled out.
I'm pretty sure electronic IDs are a good starting point for exactly this. Hopefully they get wider use inside the EU.
Just a quick question, and sorry if it might have been answered already... why is preventing duplication so important? I know it’s in the spec probably [1], but I can’t figure out the reason.
And a suggestion: add external HSM support at least? (e.g. things like NitroKey/YubiKey)
[1]: https://eudi.dev/latest/architecture-and-reference-framework... I suppose?
Preventing credential duplication is a requirement to achieve a high level of assurance. One of its purposes is to limit the potential damage that can be done by attacks. If credentials are bound to hardware-bound keys, attackers will always need access to this key store to make any misuse. If you don't prevent duplication, attackers may extract credentials and misuse them at 1000 places simultaneously.
I’ve just had another, completely stupid but not implausible, idea:
> a local internal WSCD, which is a component within the User device, such as a SIM, e-SIM, or embedded Secure Element,
So you could issue SIM cards / eSIM profiles that only do signatures and nothing else. The app then connects to such an eSIM (and you keep your main SIM/eSIM in another slot).
The less stupid variant is, of course, to get mobile operators to issue SIM cards with e-sign capabilities. Estonia has that, for example: https://www.id.ee/en/mobile-id/
You must go back to the drawing board and rely on highly-regulated Telecom standards (that's why they were mandated in the first place!) not monopolistic defacto "best practices" you have no influence over because they're more convenient for you.
This is simply unconstitutional and should be escalated ASAP if you don't want to end it before the appropriate court in Leipzig, Karlsruhe, or maybe Luxembourg.
> The initial limitation to Google/Android is not great, we know that, and we have support for other OSs on our list (like, e.g., GrapheneOS).
GrapheneOS uses standard Android APIs for hardware attestation (as opposed to Google-specific ones), so why don't you just use those from the get-go?
Why is a trusted device chain needed? It will put more trust in the potential Chinese device maker and American software companies than the user whose ID is shown?
Simply because the law was written that way. But also the whole idea of identity verification becomes pretty useless, if there is no chain of trust. You could run a modified client that lets you assume any identity you choose, exactly the opposite of what eIDAS is trying to achieve.
This is necessary because the wallets contain an identity proofing functionality called PID (Person Identification Data). Showing these credentials basically approves you are you. There are high requirements for identity proofing that even pre-date wallets and that makes sense, because the potential blast radius of identity theft is huge. Historically, these have been secured in smartcards, like eID cards or passports and are not shifting to the smartphone. Verifying the security posture of your device and app is therefore crucial.
Side question. How come it is always the most incompetent people who get put in charge of implementing things like that. Over and over apps and services are developed in Germany and completely fail at what they are supposed to achieve. Where are these people recruited from?
> The initial limitation to Google/Android is not great
It’s also illegal on both accessibility grounds as well as violating the eIDAS spirit of no dependency on specific providers.
By shrugging it off as “not great”, you’re also dooming every citizen to have to comply with whatever whimsical terms of service Google and Apple have.
Have you ever tried to unban your Apple/Google account? So in effect, everyone’s access to eID services will depend on some crappy automation some intern in California set up to detect “abuse” or whatever.
There are technical solutions to avoid this dependency and you’re probably getting paid to find, research and adopt them. So … do your job?
Will eIDAS be the only way to identify yourself in cases where it's needed, or will we be able to use other mechanisms like the German ID card stuff or an entirely separate alternative?
Or to put it another way, is a smartphone required? If not, that would already clear up a lot of issues, I think.
EDIT: Whoops, just saw the answer to another comment asking precisely this. So it's not a requirement. Good. Is there a legal framework that ensures that this remains the case? Otherwise, I fear it will become a de facto requirement over time.
One datapoint: at least in practice, it used to be impossible to delete an entry in the French INPI database (trademarks and company names) without eIDAS. It forced me to unearth an old unmodified Android phone (I run LineageOS on my main phone).
If you read French:
* https://www.plus.transformation.gouv.fr/experiences/4531155_...
* https://linuxfr.org/users/jch-2/journaux/l-identite-numeriqu...
Also if you are legally required to be able to use some backup mechanism, it can become the de facto requirement
Why not do it right from the beginning?
https://grapheneos.org/articles/attestation-compatibility-gu...
They don't really want to.
Thank you for chiming in.
> We have to use some kind of attestation mechanism per the eIDAS implementing acts.
What does this attestation need to prove? Is this only about ensuring that private keys are managed by a secure enclave or a TPM?
> we have support for other OSs on our list (like, e.g., GrapheneOS)
I appreciate that, even though I am really not enthusiastic about eIDAS. But time will tell. Thank you.
They won't implement alternatives later, there'll be no point if "most of our customers are using either of the major providers".
Concerning secure enclave - what other device except iphones and Pixels have it actually safe?
I don't get it. Are mechanisms in our ID cards not strong enough so that we have to rely on the security of the operating system?
What happens if someone is banned from both companies (even for a very legitimate reason such as hosting illegal content -- they still need to access government services)?
> The initial limitation to Google/Android [...] is simply a matter of where we focus our energy at the moment
Nice... so the rush is to delegate power to the large American platform?
I know it’s not quite the same thing as an OS vendor, but culturally, if you’re having trouble empathizing with the ick in this thread then imagine if the initial implementation was available only for account holders with Facebook, Yahoo! Mail, or MySpace.
> and we have support for other OSs on our list (like, e.g., GrapheneOS)
Excellent. Massive respect to you for doing this. This attestation business is an existential threat to "other" operating systems. I'm glad to see people are putting effort into supporting them.
That's not correct. Article 5 eIDAS2 explicitly states that Europeans exercise full control over their data. Therefore the EUDI wallet must not be a walled garden. Especially if the wallet shall be used for authenticating and signing, it must be available to all Europeans, even those sanctioned by the US.
If this is your plan, please go back to the drawing board.
It's insane to make yourselves US dependent from the very beginning, at least provide something like a crypto-key that you can get from an official, banks can do it, so can you.
Humiliating disregard for sovereignty.
There's a new initiative by some non-google non-apple phone vendors called *UnifiedAttestation* which I hope you will support at some point in the future:
https://www.heise.de/en/news/Paying-without-Google-New-conso...
Have you considered Unified Attestation [1] which is an alternative to Google's?
[1] https://uattest.net/
Shouldn't the energy instead be focused on creating a standardized eIDAS driver API that OS vendors are required to implement?
> That doesn't work without operating system support
Do you realize where this path is going?
Certain European governments would have greatly benefited from KYC/attestation in the late 1930s had it existed.
Yup. But apparently the EU is refusing to take lessons from history.
Another German citizen here. I think what you're doing is illegal and will be blocked by German courts.
It's funny because this is also the exact German response for when your neighbour has an unsanctioned BBQ.
I think it should be possible, IMHO, like it is for many banks (still), to get a hardware token and then use whatever hardware/browser. Even a nice EU hardware token which allows banks, govs etc. to add their keys/seeds in the enclave would be nicer so I don't have to lug 1000 tokens around, but it's still better than having to trust non-sovereign companies for anything without backup; like multiple here said: Google/Apple getting the command from the Dep of War to shut down EU phone attestation, you losing your account etc., or, you know, me simply not wanting to use their stuff.
The hardware tokens are being phased out by banks and replaced with SMS OTP codes + passwords.
Cost saving measures.
It's funny to see that I can access the bank account through FaceID but to actually make a payment I need to use an SMS code.
This is simply unacceptable. You are not making an innocent pragmatic compromise here, you are launching digital infrastructure which initially will tie everyone to Google/Apple and give alternatives a huge disadvantage for an unknown amount of time. Nobody knows when, or even if ever, support for open platforms will arrive.
You should be ashamed of being involved in this monopoly handover to American big tech.
I bet £50 that the alternative (eg GrapheneOS attestation (based on the standard AOSP attestation)) will be delayed, then delayed, then scrapped since almost everyone is using Google Play Integrity anyway.
Yes, I assume malicious intent, sorry, seen this happen enough times recently.
Fingers crossed for the judiciary - if the implementers ignore the intention of the law, then lawyers will have to help them understand the limits of corner cutting - and block this.
This is on the stupid side of lazy (again). You'll still be sovereign only at the pleasure of Apple and Google if you submit to their platform as a service crap.
Why not just use U2F or certificates on crypto-tokens?
Note that for eIDAS 1, a Czechia e-identity provider uses U2F tokens.
Perhaps look at the Spanish Cl@ve, it works with Linux. It's just a simple digital certificate that allows you to identify yourself.
You can even run it on OpenBSD or TempleOS if you want to.
Google has banned many accounts of genuine users.
What is your fallback for such an important vital service?
To play the devil’s advocate here: MEETS_STRONG_INTEGRITY on Android doesn’t require a Google account AFAIK. But it might change, of course.
Edit: but as pointed out elsewhere in the thread, Play Integrity is not the only way to do hardware attestation on Android. GrapheneOS devs have a guide: https://grapheneos.org/articles/attestation-compatibility-gu...
So avoiding proprietary Google stuff altogether is possible and we should encourage it.
What if I don’t have a smartphone?
No one is required to use EUDI: https://ec.europa.eu/digital-building-blocks/sites/spaces/EU...
Companies and providers (like banks) have to support it, but use is voluntary.
Check out the spec and legal framework, it actually makes sense and is open to different implementations, though you might need to certify it.
I wonder if there will be a big enough market for a very compact smartphone equivalent device that can be used just for credentials? A device that is offline on standby except when you need it. Perhaps the size of a car key.
You're screwed. This has been the way for a while now. You cannot exist in society without a smart phone and it's only going to get worse.
> We have to use some kind of attestation mechanism per the eIDAS implementing acts.
Translates to:
"We have to make sure citizens accessing the public service have no control over the device per the eIDAS implementing acts"
> We have to use some kind of attestation mechanism per the eIDAS implementing acts.
Sounds like these "eIDAS implementing acts" are the problem, and were influenced by ulterior motives.
“Not Great” is the understatement of the century. It fails to protect sovereign identity by handing the default to companies not only under foreign sanctions control but who also lock people from their accounts without recourse.
The device chain is a classic misdirection, it seems everyone here is just following Meta’s lobbying to put this into the OS.
Even the carrier layer would be better than the mobile device layer.
Or, you know, just look at Singapore’s or Swiss National SSO - it functions on an app that layer just fine, no issues
See https://github.com/eu-digital-identity-wallet/eudi-app-andro...
so I have to buy a Yubikey hardware thingie to keep my Google account just to use eIDAS??
For those that do not know, the only way to get the Google account back is to use a hardware 2FA in the first place....
AND yubikeys are $60 per yubikey...and generally you want 2 including a backup
Relying on Google or Apple for government services comes close to treason. Trump hates us.
This is about mass surveillance and control.
https://en.wikipedia.org/wiki/Edward_Snowden#Revelations
The existence of eIDAS itself is already a big problem. They're going to try to gradually push laws to make it so that you'll need a government issued signature to do anything. That's when they'll have total power over you because they can simply refuse to issue.
Modern computing and communications technologies can be leveraged to build infinitely stable authoritarian regimes. It's even possible for democracies to stumble into it on their own as they attempt to regulate these new technologies. In hindsight, the Internet was built wrong. It has a top-down structure which all of human civilization is beginning to mirror.
I think attestation should be abolished altogether. An app should have absolutely no way of knowing what kind of device it’s running on or what changes the user has made to the system. It is up to each individual to ensure the security of their own device. App developers should do no more than offer recommendations. If someone wants to use GrapheneOS, root their device (not recommended), or run the whole thing in an emulator, a homemade compatibility layer under Linux, or a custom port for MS-DOS, that should be possible.
Exactly. It's my own device, I can do whatever I please with it. There shouldn't be an automated way for apps to check if my device has been blessed by the US tech giants or not.
> An app should have absolutely no way of knowing what kind of device it’s running on or what changes the user has made to the system.
and therefore the app cannot give a reasonable guarantee that it is not running in an adversarial environment that actively tries to break the app's integrity. Thus, the app cannot be used as a verified ID with governmental level of trust.
There's a difference between needing to lock down the whole OS and just the secure element. The secure hardware component can sign a challenge and prove possession of a private key without you being able to extract it. Smartcards have done this for decades (most people here will know an implementation under the name Yubikey).
Conveying authentic information across untrusted channels (your phone screen, say) has been a solved problem since asymmetric cryptography was invented back before I was born
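The challenge signing described in this comment, as an added example not written by anyone in the thread: a simulated secure element keeps its key unexportable and signs the relying party's nonce together with the origin the client is actually connected to, so a nonce relayed through a look-alike site (the proxying problem raised about Smart-ID upthread) fails at the genuine verifier, and a reused nonce is rejected. The names Device, Verifier and the origins id.example / id-example.evil are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Device stands in for a secure element: the private key is generated inside
// and never exported; callers only ever receive signatures. (Hypothetical
// stand-in, not any real secure element API.)
type Device struct {
	key *ecdsa.PrivateKey
}

func NewDevice() (*Device, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{key: key}, nil
}

// PublicKey is what the relying party enrols at registration time.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.key.PublicKey }

// Sign signs the transcript of (origin, nonce). The origin comes from the
// connection the client really has, so a relayed challenge is signed under
// the relay's origin rather than the genuine site's.
func (d *Device) Sign(origin string, nonce []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, d.key, transcript(origin, nonce))
}

// transcript hashes the length-prefixed origin followed by the nonce, so the
// boundary between the two fields is unambiguous.
func transcript(origin string, nonce []byte) []byte {
	h := sha256.New()
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(origin)))
	h.Write(n[:])
	h.Write([]byte(origin))
	h.Write(nonce)
	return h.Sum(nil)
}

// Verifier is the relying party: it knows its own origin and the enrolled key.
type Verifier struct {
	origin   string
	enrolled *ecdsa.PublicKey
	pending  map[string]bool // nonces issued but not yet consumed
}

func NewVerifier(origin string, pub *ecdsa.PublicKey) *Verifier {
	return &Verifier{origin: origin, enrolled: pub, pending: map[string]bool{}}
}

// Challenge issues a fresh, single-use 32-byte nonce.
func (v *Verifier) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	v.pending[string(nonce)] = true
	return nonce, nil
}

// Verify accepts a response only if the nonce is still outstanding (blocks
// replay) and the signature covers this verifier's own origin (blocks relay).
func (v *Verifier) Verify(nonce, sig []byte) error {
	if !v.pending[string(nonce)] {
		return errors.New("unknown or already used nonce")
	}
	delete(v.pending, string(nonce))
	if !ecdsa.VerifyASN1(v.enrolled, transcript(v.origin, nonce), sig) {
		return errors.New("signature does not match this origin and nonce")
	}
	return nil
}

// Scenarios runs an honest login, a replay of it, and a challenge relayed via
// a look-alike origin, returning whether each was accepted.
func Scenarios() (honest, replay, relayed bool, err error) {
	dev, err := NewDevice()
	if err != nil {
		return
	}
	site := NewVerifier("id.example", dev.PublicKey())

	nonce, err := site.Challenge()
	if err != nil {
		return
	}
	sig, err := dev.Sign("id.example", nonce)
	if err != nil {
		return
	}
	honest = site.Verify(nonce, sig) == nil
	replay = site.Verify(nonce, sig) == nil // same response presented twice

	// The relay fetched a genuine nonce and forwarded it, but the user's client
	// is talking to the relay, so the device signs the relay's origin.
	nonce2, err := site.Challenge()
	if err != nil {
		return
	}
	sig2, err := dev.Sign("id-example.evil", nonce2)
	if err != nil {
		return
	}
	relayed = site.Verify(nonce2, sig2) == nil
	return
}

func main() {
	h, r, p, err := Scenarios()
	fmt.Println("honest:", h, "replay:", r, "relayed:", p, "err:", err)
}
```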
If your app needs to be protected from harm, it cannot protect the user from said harm. I hoped software engineering culture was lucky to not have the same precepts that make lockpicking a crime in the real world, that we successfully make it into common knowledge that you can't grant any trust to the client, but it seems "trusted computing" is making some of us unlearn that lesson.
> an adversarial environment that actively tries to break the app's integrity
Can you elaborate on what this means? Who is the adversary? What kind of 'integrity'? This sounds like the kind of vague language DRM uses to try to obscure the fact that it sees the users as the enemy. An XBox is 'compromised' when it obeys its owner, not Microsoft.
I agree, you should be able to run anything you want, root your device, etc., but you also have to accept the consequences of that. If an app can no longer verify its own integrity, certain features are simply impossible to implement securely.
Think of it this way: A physical ID (which is what we're trying to replace here) also has limitations, it looks a certain way, has a certain size, etc. Just because somebody wants a smaller ID or one with a larger font or a passport in a different colour or whatever, doesn't mean that this should be allowed or possible. Some limitations exist for a good reason.
Users have the right to modify any app running on their own device. Software security should never depend on the user having no control over their own device. Smartphones are essentially just regular computers, and on them you can use a debugger and do whatever you want. Viewing smartphones as closed systems like game consoles where you need the manufacturer’s permission for everything only leads us into the dystopia that Richard Stallman described as early as 1997 in his short story "The Right to Read".
Comparing being able to run the hardware and software of your choice to "wanting a passport in a different color or whatever" is so completely fucked, and it's beyond insane as a justification for giving two American tech companies with a well established track record for doing evil control over your citizens' ID.
The world has gone absolutely mad, what the fuck am I even witnessing? It is quite literally becoming 1984 in front of my eyes, with people complying completely voluntarily and openly advocating for it, not even a threat of force to make it happen.
Well, in that case, if they want full control and attestation yadda yadda, I'm fine with them shipping me a device they fully control exclusively for use of this stuff. But if we're talking about my smartphone that I paid for with my money that I worked for, I will do whatever I damn please with it. So I guess that means eIDAS will be inaccessible to me.
True, but it's really hard to name a family of commercial devices with security features in hardware, including serious security features, which were not eventually hacked.
Worse still, for new mainstream devices that are believed to be safe the state sponsored actors will likely operate unpublished exploits, and will exploit the misplaced faith people and judiciary will put in device attestation. I don't think the very likeable people who worked on Pegasus found themselves respectable jobs - they are likely still selling that sophisticated crap to all authoritarian regimes.
Exactly this. And what's more, the idea of device attestation makes people trust those devices, and the history of rooting consoles and phones proves that nothing holds, even tech backed by billions in commercial interest.
The whole point in reducing the blast radius is valid - by all means make this optional and allow the user to elect to tie their identity to the device. For everyone else, implement validation of actual transactions, not just user secrets and device secrets.
This is the original sin of modern computing. Almost all anti user features are only made possible because we didn't pass laws against "secure elements" that serve the maker and not the owner when NGSCB got announced.
What if you "lose" your Google / Apple account, like this sanctioned judge of the International Criminal Court? Crazy to imagine that we are still baking in dependency on US providers in European societies, even though there are clear indications we should be doing the opposite?
You wouldn't even have to be a high profile target like a sanctioned judge. Simply getting your account banned by some automated process that marked you as "suspicious" will basically render you excluded from society.
It is absolutely insane to put this amount of power in 2 foreign companies that will be able to destroy your life with zero reason, oversight, or due process.
This is not a hypothetical problem and you don't need to be deliberately targeted. It actually happens to normal people. And if it does you have absolutely zero recourse.
Source: I have a banned Google account (it's over 20 years old at this point). I know the password, but Google doesn't let me log into it. Every few years I try to unsuccessfully recover it.
If you have a Google account and having it banned would be a problem for you here's my advice: migrate. Right now. You never know when one of their bots will deem you a persona non grata.
Then you can't take a Waymo any more.
> Crazy to imagine that we are still baking in dependency on US providers in european societies
As long as the capital city is in Washington, this is normal.
Not sure I'm getting what you are saying - US providers' capital city is always in Washington DC, no?
Sorry if I’m misunderstanding something here
This tone is not very suitable for HN. I’m sure you could start a better discussion if you gave it a proper try.
I am shocked that there isn’t more opposition from the general public to policies like this that erode privacy and freedom. I am a parent and can appreciate the need to control what children do on the internet, but at some point parents need to parent. I fear we’re giving up a lot of freedom and adding unneeded complexity under the guise of keeping children safe.
I think because most people, even tech savvy ones, don’t understand how this might affect their lives. It’s too abstract. At least how it’s portrayed here.
Contrast that with chat control.
My government can read my WhatsApp messages? Not good!
What’s the non-technical narrative here?
The non-technical narrative is very simple: Google, Apple, or the German government can revoke your ID at any time. You cannot purchase or sell anything[1], sign any contracts, have a job, rent an apartment, use public transportation, or receive any kind of government services without an ID. This should sound extremely alarming to everyone regardless of technical knowledge.
[1] Maybe with cash, for now, but cash is clearly not long for this world, and your bank account will be inaccessible already.
> Write too many color emojis in a row on a YouTube livestream chat
> Get banned from society for life
Well, it affects a tiny percentage of people today, so why would they see it as impacting them?
But there is nothing abstract here. A private entity, situated in a country that is very hostile and pro-Russia, controls parts of the software stack and implementation here. That's a law written by lobbyists.
Germany is distracted with its version of “the gun debate” aka speed limits.
Like every school shooting, every energy crisis brings opportunity to saturate the airwaves with shallow noise that gets people overly upset and they’ll ignore everything else.
Every player on both sides is abusing this mechanic for all eternity.
I think this view is too reductionist, as people can (and usually do) debate more than one topic at a time. The problem is that technological dependence isn't gaining enough precaution when commodity products are being discussed.
What worries me is that it's a real global problem in all of our non-autocratic societies. On a positive note, I can see how this is actually becoming a common understanding and gaining traction, as hyped AI products are seen by some as 3rd-party- or SaaS-killers. It seems like we know how to differentiate between independence and dependence, and evaluate any risks affiliated with such a decision. But it baffles me that this differentiation manages to float as some ironic stream in our Zeitgeist, and just barely manages to be taken seriously.
Nobody is seriously discussing speed limits right now ...
Imagine we had real democracy where people vote on issues. Speed limits? Vote once every 7 years or so on it and be done with it. Same for abortion laws, drug laws, gambling laws. Have a debate, vote, come back to it in 7 years if there is public interest. Preferably vote locally on issues that can be applied locally (like speed limits/enforcement etc.).
Public debate and assessing politicians and parties would be so much cleaner then if they couldn't use polarizing issues to rally their support and do w/e they please on all other issues.
> every energy crisis brings opportunity to saturate the airwaves with shallow noise that gets people overly upset and they’ll ignore everything else.
At least their version has an obvious solution: Make electric cars and solar panels and then stop having oil problems.
As far as I can tell, people are getting blitzed. People I know are incredibly deep in their personalized bubble and genuinely aren't even hearing about it. It's genuinely distressing. In general and for the future of democracy.
It feels like this era of hyper-individualism requires too much attention from each individual and favors those that can afford to outsource the work. While that stabilizes the role of society as a system, I feel like this is most worrisome for the less privileged in any low-trust environment.
I'm not. Parents are very much in favour of restrictions on what can be accessed online.
Parents can't control what their children are doing 24/7, and neither should they. But they should expect a society where children are protected from billion dollar corporations stealing their attention and radicalising them, at least until they are old enough to leave mandatory schooling.
There are many "real world" age restrictions that exist, and we have decided those are of benefit to society in general. The "online world" is no different.
If we can't have age restrictions online then they should just be abolished in the real world as well, in the name of preserving "privacy and freedom". The online world doesn't exist in isolation like it did in the 90s and 00s.
This is because the EU is basically designed as a lobbying platform. Note that lobbying by its own citizens is possible and welcome but expensive and requires some coordination, so basically foreign actors and big corporations are dominating. This is not a secret, the process is actually very transparent but it is "hidden" in all the documents nobody really wants to dig into.
Also the EU and all those states are highly incompetent and pretty much only depend on low quality contractors. For example there is very little discussion and info about the fact that the EU digital infrastructure just got owned by what seems to be a random hacker group [0].
- [0] https://cyberalert.com.pl/articles/shinyhunters-eu-europa-br...
Because it requires technical knowledge which 99% of the population don't have.
> at some point parents need to parent
You write it as if companies provided tons of help to parents and children. Meanwhile, they spend a lot of money to make it as hard as possible.
Second, kids in Germany generally have a lot more freedom and there is less of a knee jerk impulse to blame parents for every accident. The expectation is that adults don't harm them without parents having perfect control every second.
The age verification sniffing laws will come to the EU and Germany too, so your assessment is, in my opinion, too limited and incomplete. It's not really about parenting, it is about grabbing more and more data from people.
What percentage of people have a phone that is not apple or google?
Are you saying there's a threshold percentage somewhere below which you're happy to
A: exclude these people from society or force them to switch to big tech, and
B: accept the consequence where a single other country holds access to everyone's identity information for convenience reasons (because it works for the 99% that are too tech-illiterate to install software that they control instead of the other way around)
My uncle has lost 4 Google accounts. Two to password loss, one to a fire, one to being banned for crimes against currency (having the audacity to live in several countries with different currencies)
The issue isn't the phone, it's that a __government__ is depending on an unregulated private enterprise.
I think the point is rather what percentage of people will continue to need to have a phone that is Apple or Google, due to death by a million decisions like these.
All these requirements for specific hardware and software are ridiculous. Let every citizen use whatever computer they want. It should be up to the user to secure themselves. Authentication should only require a password or a key pair. If the user wants more security, they can set up TOTP or buy a security dongle or something.
It's also ridiculous how it seems we've forgotten computers other than smartphones exist and that not everyone even has a smartphone, let alone with an Apple or Google account.
Last week I was watching a YouTube video, talking about the EU creating payment services independent of VISA and MasterCard. What struck me is that they are all apps, which will require an app store.
Great, I can pay with a digital Euro, Wero or something else, without routing my payments via VISA. I just can't do it without an account with Apple or Google. I'm absolutely baffled by politicians, regulators, banks, merchants and implementors lack of ability to think more than one or two steps out.
Sure, the EU is forcing 3rd-party app stores, but no one is using them, so no one is pushing apps to them, especially not governments, banks or payment services, they'll be the last to use them.
The digital Euro seems still in early planning stages. It seems people want to plan a physical card for it, but whether online payments will work without a platform dependent app is unclear for now.
Wero however is currently only planned as an android/ios app period. There are rumors that a card will come but that's only rumors for now.
In your list of groups to be baffled about I would add journalists. You see many articles about Wero mentioning digital sovereignty, but have you seen any that criticize the required banking apps only being available in google's and apple's app stores?
The current policy trend in the EU is definitely not based on the principle of each user evaluating their own risk. On the contrary, service providers like financial institutes and identity providers have the responsibility to keep users safe, and more and more regulation will be made. The natural consequence is restricting which platforms are supported.
"Legislation will continue until morale improves."
The regulations sometimes feel like an additional burden on the user, but not for the manufacturers (aside from the attestation logic); consider:
> (MEETS_STRONG_INTEGRITY requires a security patch in the last 12 months)
Think about how this essentially codifies planned obsolescence due to not forcing the manufacturers to maintain the devices for life.
> The current policy trend in the EU is definitely not based on the principle of each user evaluating their own risk.
Yes and if you look back this is not new. Just look at the extraordinary restrictions that apply to:
- What houses you can build,
- What vehicle you can drive,
- What food you can grow and sell.
The result is real estate has become unaffordable for younger people, our car industry is being annihilated, and the agriculture sector hangs by a thread.
The digital realm enjoyed an unusual level of freedom until now because the silent and boomer generations in charge in the EU understood nothing about it.
Now that the EU is getting involved in "computers" we are starting to understand why peasants have been protesting in Brussels and calling those people insane for decades.
> let every citizen use whatever computer they want.
That's just not possible, or should the system be legally required to run on an Apple II?
It should be legally required to provide enough interoperation capabilities for a compatible frontend to be written for an Apple II by whoever would like to do that, as the government can't be expected to write and maintain clients for every platform that's now in existence or that will be created in future.
If only currently popular platforms are to be supported, how could a new platform join them in the future if the use of existing ones is mandated by governments?
No, but it should be open enough to be reasonably independent of specific services and devices.
Simple, provide a simple API, let the community build the clients for the machines they have.
The problem to solve is trust.
The technical solution is a hardware root of trust. This is typically a specially hardened chip in the device. A Trusted Platform Module (TPM).
Your Apple ][ does not have a TPM. It cannot run software that can assess its identity in a trusted manner.
You can make an argument without pulling it into the ridiculous, you know?
It makes no sense. eIDAS 2.0 specs don't require specific hardware [0]. They basically store verifiable credentials [1] and any other cryptographically signed attestations.
This feels like laziness from German implementers, as they don't want to (quoting the spec literally) "implement a mechanism allowing the User to verify the authenticity of the Wallet Unit".
0: https://eudi.dev/latest/architecture-and-reference-framework...
1: https://eudi.dev/latest/architecture-and-reference-framework...
Look at the reference implementation. Maintainers resist removing the Google dependency for no apparent good reason. And if there is persistence without reason, there is a reason.
https://github.com/eu-digital-identity-wallet/eudi-app-andro...
I don't feel they resist. Quoting them:
> We understand your concerns and truly appreciate your suggestions. As previously mentioned, this is not something that is enforced by the reference implementation — these are simply recommendations, not requirements, for any wallet implementer. That said, we recognize that this is a sensitive topic, and we may need to revisit it, even at the level of recommendations.
> The README files for both the iOS and Android Wallets have been updated to mention only OWASP MASVS compliance, without referencing any specific APIs.
I understand their position, but I also get the concern, especially around existing implementations like the Italian app. I think it's mostly that they have different priorities than ensuring that the reference implementation is a perfect guideline for member states.
This looks like a good vector for a European Citizen Initiative around removing all technological dependency on non-EU providers.
Why would this be? Bureaucracy / inability to change?
Operate European tech infrastructure without a dependency on America challenge (Impossible)
For 99% of smartphone users, you can't get apps onto their phones without Apple and Google signing the app and letting you into their store, and users can't install the app without an Apple/Google account.
Why remove a dependency on Google, when you'll still be 100% dependent on Google?
Anybody working on "Digital ID" has already made peace with the fact that it can be turned off overnight if Trump says so.
5.4 Attestation Rulebooks and Attestation schemes
Does this mean sanctioned individuals, such as those in the International Criminal Court, would be unable to access eIDAS, among other things? As it requires, from my understanding, installing app(s) from the play store, thus requiring an account there and being able to access it, which isn't happening if you're among those or really, in any group that might get the same treatment in the future.
If an account is required, then yes. Good catch.
This may not be unwelcome for authorities considering the recent extrajudicial “unpersoning” of many political enemies in the EU.
It definitely would be unwelcome for EU authorities in cases like the recent US sanctions against ICC officials.
Yes?
I don't think it's a bad idea though. If only for bringing the issue to the public
And while I do think an alternative would be good, the fact is that protecting the private key is the most important part (for example by keeping it on a smartcard with NFC), hence the need for a secure device.
"but I want to install alternative Android etc etc" yes that's fine - but you know this is a non-secure-(enough) env.
Physical SIM cards are just as secure as the security enclave on the phone. In Norway a few years ago banks even used that for secure authentication that worked on dumb phones, with local mobile network providers pre-installing the required software on their SIM cards.
But then to save cost including the support cost banks stopped and instead started to require a non-rooted Android/iPhone.
> "but I want to install alternative Android etc etc" yes that's fine - but you know this is a non-secure-(enough) env.
I feel like this is getting to the point of gaslighting. Many of the allowed devices are bargain bin Android phones running out of date software with known vulnerabilities in both the operating system and the hardware which is supposed to be protecting the keys.
Meanwhile you could be using a hardware security module in a bank vault in a nuclear bunker surrounded by armed guards and the excuse would be that this "isn't secure" because it hasn't been approved by Google or Apple.
Governments shouldn't be requiring you to use any specific vendor or set of vendors. They should be publishing standards so that anyone who implements the standard can interact with the system.
> but you know this is a non-secure-(enough) env.
No I do not. It is plenty secure compared to a corporate version and nobody should be legally able to deny service over me having control over my own computer.
Needing the entire OS to be secure to protect a key is also a dumb idea in general.
Requiring people to use products from one of two private American companies with a bad track record of locking people out of their accounts is more than “not great”. Some things are better not done if they can’t be done well.
So what can be used as an attestation API? WHAT will make sure that when a phone says "you're paying 10 euro to $coffee_place" that it isn't a bitmap being shown over "you're paying 10.000 euro to $scammer", above the pay button. Note: needs to be a real guarantee that isn't a permission question away from going away.
Either governments can develop (and pay for) THAT technology, or they can use Apple/Google ...
I'm not sure I want my government to develop that technology.
Government software is usually low-quality, expensive procurement crap, often riddled with security holes, and an exercise in checkbox checking. UX and user friction can't be expressed as a verifiable clause in a procurement contract, so they're ignored.
Besides, every time EU governments tried to force smartphone manufacturers to pre-install government apps, the population freaked out over (unwarranted) surveillance concerns. This isn't something you can do without pre-installing apps (you don't want these APIs opened up because then attestation loses all meaning).
In case of Android - AOSP attestation.
Not necessarily the company that locks out an entire family because one of the family members jacked off in a chat with a Gemini model.
That seems like a weak argument to require attestation? What would attestation prevent that scenario, specifically?
There are no alternatives.
I mean you could use Huawei and others, but the FUD campaigns against Chinese manufacturers were pretty aggressive in the EU.
Yes but in the real world all smartphones are either Apple or Android. Europe has zero footprint in either software or hardware. It is not creating a requirement to use specific products, it is using the products people already have.
So one may argue that the implementers are only taking the pragmatic approach regarding something that is out of their hands.
It literally has created the dependency on Google even though Android offers the standard/generic AOSP attestation.
Also you weirdly forget all the Chinese phones. There's also some tiny European brand which will have absolutely no way to limit their users' dependency on the famously hostile and uncontactable provider.
We're talking about an essential government service, not just another weather app. You have to look at this through the lens of national security, the debate about EU digital sovereignty, and the requirements of the GDPR in light of the US CLOUD Act, as well as prior decisions of EU courts about these issues.
Maybe that will force the companies to not be allowed to just lock you out of the account.
Ya, sorry, no, maybe is not really a durable position here.
You, your siblings, your parents, etc, etc.
Self Sovereign Identity (aka SSI) is the only way out of those identity sovereignty issues. It shouldn't be acceptable that your identity depends on anything or anyone. It should just be your identity.
A paper or certificate can prove an entity trusts your identity to be <firstname, lastname, etc...> but that shouldn't be your identity.
You just are. Not your google Id, not your Apple Id either of course.
Governments are lame.
You are conflating the philosophical notion of identity with functional identification in the real world. There is no cryptographic escape hatch from the social contract.
>You just are/I just am
Is not an acceptable thing to say to a bar tender when being served an alcoholic drink when you're 22. You hand them government issued ID.
> Governments are lame
In 2019, the EU created an eIDAS compatible European Self-Sovereign Identity Framework (ESSIF).
How is the government lame, here? We've had the infrastructure for 7 years now.
How is that not lame?
I'm not quite sure if the German implementation is possible without mobile devices (couldn't find anything on that at first glance). The Austrian implementation on the other hand does not require a mobile device; if you want to do it on a PC you just need a FIDO2 token.
As strange as it is, Austria is quite far ahead in terms of eIDAS since we've had Handysignatur for more than a decade. I wouldn't be surprised if the Germans are planning to support hardware tokens, but haven't had the time yet.
> Austria is quite far ahead
Yeah, quite ahead in terms of making anonymous phone numbers illegal and requiring the government to know your phone number.
And if you don't want to use a smartphone, ID Austria does not work with regular FIDO security keys, you need special ones. Same for the old SmartCard system which didn't work without government-mandated malware.
I'm not sure either. I've looked at this other document: https://bmi.usercontent.opencode.de/eudi-wallet/eidas-2.0-ar...
It seems to imply that the already existing way of authenticating via eID, which is the auth chip present on our ID cards, will still work, if I read it correctly? I understand OP's link to refer to a new, alternative system, that can be used without the ID card.
But take this with a grain of salt, I'm not very well informed about the whole topic.
I havent looked into the details of either, but what would prevent Germans from using the Austrian implementation?
Austria provides their implementation only to people with Austrian citizenship or people working in Austria
ISO7816 (smartcard) has existed for nearly 4 decades as the standard secure identity card, widely used by the banking industry among others. Very unintrusive and not hostile beyond needing to carry a little chip. If governments want a national ID, they could just give everyone one of those.
Already exists as biometric passport or ID card in several countries. The problem is things like authenticating online to submit your tax form. App-as-2FA is kind of the standard for example to log in to your online bank portal, though for government services the threat model and privacy implications are different.
If you have a FIDO device on your (physical) keyring or a keyboard with a smart card reader or some kind of NFC transceiver connected to your PC, the problem is technically solved - just not practically.
Note that phones also have NFC readers. Instead of requiring everyone to have a locked-down phone, they could let you use said phone to read the chip or use any other (USB) reader you like. I believe there's a German government app that already does this, AusweisApp2 iirc. As someone with a different nationality who lives in Germany, I don't know more than that.
This is exactly how we implemented eIDAS in Spain. The government-issued national ID (DNIe) is an ISO 7816-compliant smart card. Latest versions are also ISO 14443-compliant for contactless reading. To use it, you just need a simple smart card reader or an NFC-enabled phone. https://www.dnielectronico.es/PortalDNIe/PRF1_Cons02.action?...
Belgium has had exactly this for decades. But now they want to get on the hype train for smartphone based ID, because card reader support is still shit in browsers in 2026.
Adding to this: anyone older than 12 years old is required by law to have their government issued ID on them at all times when in public. If your ID is suddenly your smartphone, you're essentially required to have that on you 24/7. Dystopian spyware.
> because card reader support is still shit in browsers in 2026.
Tragedy of the commons, nobody seems to have bothered to work on it. It's not like Chromium or Firefox wouldn't accept contributions.
That sounds like a very smart move at a time when Europe realizes the US isn't such a great partner and is trying to reduce its critical dependencies on foreign nations' tech and infra. Good job. I'm actually very surprised to see this from the Germans, who have this reputation of a great engineering culture.
Not in software. German software is awful. Think German cars, banks, telecoms etc.
Nor in the physical world either. Crumbling planes, trains and automobile infrastructure. Collapsed bridges, airports that don't function properly etc.
Ah yes, the fabulous car engineering of Dieselgate.
While I agree, it'd be hard to say that SAP is not good
> from the germans who have this reputation of great engineering culture
This was more than 30 years ago. Now we have a great culture of overregulation.
I think the reputation is fading. I know I’d take a Chinese car over a German one.
I wouldn't, as China being the largest single market for motor vehicles and the cutthroat competition there is what caused all this.
Everyone is trying to cut costs so as to be able to compete there and Europeans are paying the cost of financing this.
Personally I'm going to wait until the average car age in China crosses the 10-year mark to get a new vehicle. Until that happens there will be no incentive to think about longevity.
Mastodon thread on this topic: https://mastodon.social/@pojntfx/116345677794218793
See also this issue from 2025 where the developers responded: https://gitlab.opencode.de/bmi/eudi-wallet/wallet-developmen...
AFAICT, there is no mention of an Apple or Google account being required in general - the documentation just lists "signals" that are used to securely authenticate a person - such as Google's/Apple's security ecosystems. I am not sure what this means in practice. Can anybody with deeper understanding explain the actual implications and possible outcomes?
(Note: BMI is the German Federal Ministry for the Interior)
Hey, Fel from the fedi thread here
Explanation: https://mastodon.social/@pojntfx/116345725515845020
There is in practice no known way around it for now, and even less so one for regular people, to use this on a device without a Google account
The solution is simple : https://www.europarl.europa.eu/petitions/en/artcl/I+want+to+...
Because you'll be stonewalled by devs, because they can't really change decisions made by higher-ups.
Edit: I'd sign it, but don't want to manage and diffuse it.
Google is becoming a bit draconian. They did not allow me to create a new email account, saying I already have too many accounts. But they also don't allow me to delete existing accounts, saying there is no authentication method available to access/delete those old accounts.
What does eIDAS do?
Does this lock Germans out of society if they don't buy American tech?
The Danish MitId also only runs on Google and Apple devices. No alternative phone platforms are supported including open source Android.
If you don’t have an iPhone or an android, you can get a physical one time password device.
You can get that, even if you have a phone with the app on it. MitID is perfectly okay with that. At login time you will be prompted for your token code, but there is an option to switch to the app ("Skift til MitID app" in the bottom of the box).
The MitID design is strange, but in this regard it is well done.
You can get that anyway, and you should because 2 is 1 and 1 is none.
Same in Switzerland. The app needed to sign in to fill out my taxes doesn't work on ungoogled Android.
Can you do your taxes on a computer without a phone?
Somewhat. To fill out my taxes online, I could sign up with either the AGOV app (needs Google Android) or a USB security key. I happened to have a yubikey, but I needed to mess with the firefox about:config (security.webauth.u2f=true IIRC). It did work in the end though.
Yes. Without any issues still.
Gladly.
There was a time window 2 years ago where it appeared that I need an actual phone number to do my taxes, but even that was replaced with something more universal.
In context of eIDAS, your phone starts to be used for much more sensitive matters than typing comments or even logging in to your bank. The repercussions from having a secretly patched bootloader can involve another person assuming your identity, including for large B2B transactions.
Requiring citizens to have (buy) some device to simply prove they are who they are seems hostile and dystopian to me. Some say it’s the future; I’m not convinced.
However, if you were to allow me to use my pocket computer (and nothing else) to prove I am who I say I am, you would want to trust that I am not pretending to be somebody else after extracting private keys from their phone or whatnot. I.e., you would want to require some sort of trusted computing.
Currently, that seems to only be provided by closed ecosystem phones.
Even still, I think it’s a mistake to be rolling out eIDAS as a mobile app first. The specification allows for this to be a dedicated hardware key (maybe even something YubiKey-like, and the EU already requires all phone manufacturers to have USB-C), so why not start with that.
> Requiring citizens to have (buy) some device to simply prove they are who they are seems hostile and dystopian to me.
Actually, that is not what's happening. Based on further research, the use of eIDAS is required to be left up to the citizen's decision.
As someone living in Germany, the alternative would be snail mail, which is used to send a pre-authentication code, username and then another code. This is pretty common with insurance providers, German traditional banks, etc. However, the annoying part is that if you ever forget or lose the code, then you would have to request a new one via mail that would arrive like 2 weeks after.
The alternative is a secure physical device and that's also the correct way to go if you insist on having online ID checks and take digital sovereignty seriously instead of making it a joke lip service like these implementers do.
They're taking feedback here: https://gitlab.opencode.de/bmi/eudi-wallet/wallet-developmen...
Source?
You're linking to a bugtracker. I doubt they're inviting people to spam it with duplicate entries — valid as I think the concern is. But maybe it says somewhere that you can leave feedback here and I just haven't seen it?
They are taking feedback there and also have already responded to some of it.
From their README:
> We are interested to receive feedback on all aspects described in the document. To provide feedback, please file an Issue on OpenCoDE.
https://gitlab.opencode.de/bmi/eudi-wallet/wallet-developmen...
There is an 8-month-old open ticket, with an official answer, here: https://gitlab.opencode.de/bmi/eudi-wallet/wallet-developmen...
EU depending so much on Goo/App feels suspicious for direct lobbying, as someone noted. If I were Ursula, I would draw a red line: no US digital dependence. But the rounding error of the rounding error of these trillion dollar companies is enough to expunge the nonexistent EU infra.
Europe needs a private European identity provider. Until this happens, Europe will remain a technological vassal state of the US.
These are expensive products, you need depth of expertise and experience to create a system that could compete with the likes of gmail and Microsoft and ... so it's not a wonder that this hasn't happened yet. But pretending like this can be a public service is foolish (too high stakes ~~if~~ when it gets hacked), and pretending like existing providers that offer identity and email are sufficient is equally foolish. Google and ms and apple etc all offer the basics for free, and this is necessary for mass adoption. It will be an expensive project. But necessary, if the eu wants strategic autonomy.
---
Oh and requiring a us based account is not even the most egregious part of this proposal, ffs
Not only that, but we also need a European payment system that's not tied to VISA / MasterCard, etc.
We're currently paying a small tax to the US for each card transaction we have.
Time for a digital Reichstag fire. When will the germans stop repeating history ?
That headline doesn't match the article at all. Can someone elaborate/confirm this really is the case?
It seems that many Android devices won't satisfy the requirements, even when using a device approved by Google:
> MEETS_STRONG_INTEGRITY also includes the requirement that the device has received a security patch _within the last 12 months_
Good luck with that.
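For anyone wondering where that verdict actually lands, the following is an added example written for this thread, not code from the German wallet or the EU reference implementation. It takes a Play Integrity verdict that has already been decrypted and signature-checked through Google's decodeIntegrityToken endpoint and applies a relying-party policy to the resulting JSON. The package name, certificate digest and both sample verdicts are constructed for illustration. The clause demanding PLAY_RECOGNIZED is what ties the app to a Play Store install (and thereby to a Google account); the device-tier clause is where MEETS_STRONG_INTEGRITY, with the patch-age requirement quoted above, is enforced, and both are plain policy choices the relying party makes.

```python
"""Server-side policy over a decoded Play Integrity verdict.

Added example, not code from the German wallet or the EU reference wallet.
It assumes the integrity token was already decrypted and signature-checked
through Google's decodeIntegrityToken endpoint and that `payload` is the
resulting JSON object; the sample payloads below are constructed, and the
package name and certificate digest in them are hypothetical.
"""
import time

# Verdict labels as documented for the Play Integrity API.
BASIC, DEVICE, STRONG = "MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY"
MAX_AGE_MS = 5 * 60 * 1000   # a verdict older than five minutes is treated as stale


def check_verdict(payload, expected_nonce, expected_package, expected_cert_digests,
                  require_play_store=True, required_device_verdict=STRONG, now_ms=None):
    """Return (ok, reasons); every failed clause is reported, not just the first."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    req = payload.get("requestDetails", {})
    app = payload.get("appIntegrity", {})
    dev = payload.get("deviceIntegrity", {})
    reasons = []

    # 1. Replay protection: the nonce must be the one this server minted for this
    #    transaction (e.g. a hash over the payment details), and the verdict must be fresh.
    if req.get("nonce") != expected_nonce:
        reasons.append("nonce mismatch (replayed or foreign verdict)")
    age_ms = now_ms - int(req.get("timestampMillis", 0))
    if not 0 <= age_ms <= MAX_AGE_MS:
        reasons.append(f"verdict not fresh (age {age_ms} ms)")
    if req.get("requestPackageName") != expected_package:
        reasons.append("verdict issued for a different package")

    # 2. App identity from the signing certificate, which works for any install source.
    if not set(app.get("certificateSha256Digest", [])) & set(expected_cert_digests):
        reasons.append("app signing certificate not recognised")

    # 3. Store binding. PLAY_RECOGNIZED is only granted to a build installed from
    #    Google Play, so this clause is what indirectly demands a Google account.
    if require_play_store and app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app not installed from Google Play")

    # 4. Device tier. MEETS_STRONG_INTEGRITY additionally needs a hardware-backed
    #    boot chain on a Google-certified build with a recent security patch.
    verdicts = set(dev.get("deviceRecognitionVerdict", []))
    if required_device_verdict not in verdicts:
        reasons.append(f"device verdicts {sorted(verdicts)} lack {required_device_verdict}")
    return not reasons, reasons


# Constructed sample verdicts (not real API output).
NOW_MS = 1_700_000_000_000
PACKAGE, CERT_DIGEST = "de.example.wallet", "6a6a1474b5cbbb2b1aa57e0bc3f1ec0d"  # hypothetical
CERTIFIED_PHONE = {   # Google-certified build, installed from Play, locked bootloader
    "requestDetails": {"requestPackageName": PACKAGE, "nonce": "n-7f3a", "timestampMillis": NOW_MS - 1_000},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED", "packageName": PACKAGE,
                     "certificateSha256Digest": [CERT_DIGEST], "versionCode": "42"},
    "deviceIntegrity": {"deviceRecognitionVerdict": [BASIC, DEVICE, STRONG]},
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
}
CUSTOM_ROM_PHONE = {  # same signed APK, sideloaded on a build Play does not recognise
    "requestDetails": {"requestPackageName": PACKAGE, "nonce": "n-7f3a", "timestampMillis": NOW_MS - 1_000},
    "appIntegrity": {"appRecognitionVerdict": "UNRECOGNIZED_VERSION", "packageName": PACKAGE,
                     "certificateSha256Digest": [CERT_DIGEST], "versionCode": "42"},
    "deviceIntegrity": {"deviceRecognitionVerdict": []},
    "accountDetails": {"appLicensingVerdict": "UNEVALUATED"},
}

if __name__ == "__main__":
    for name, verdict in (("certified", CERTIFIED_PHONE), ("custom ROM", CUSTOM_ROM_PHONE)):
        print(name, check_verdict(verdict, "n-7f3a", PACKAGE, [CERT_DIGEST], now_ms=NOW_MS))
```

With the defaults the custom-ROM phone fails on two clauses (store binding and device tier). Relaxing the policy to `require_play_store=False, required_device_verdict=BASIC` still rejects it, because an uncertified build gets an empty device verdict list; only a different attestation mechanism (hardware key attestation) could admit such a device.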
Can anyone point me to where in the MDVN page it mentions requiring Apple and Google account? Thanks
Because the attestations will only work on iOS and Google Play integrity attested devices. Meaning Apple and Google accounts required.
A phone is also required then?
This is an assumption, but not confirmed.
Oh but isn't that great. This is just the kind of digital sovereignty these times call for.
Sometimes I wish the Germans had an island of their own somewhere up north near the american continent.
Is the link broken for anyone else? I'm getting ERR_CONNECTION_CLOSED.
Works for me in Germany. I wonder if it's some overzealous bot protection that's cutting off humans again, in this case from what looks like a government website, but without further testing that's hard to say. You could check if it works from another network, or if other people on your network range have the same issue (like if you're in 13.37.0.0/16 then maybe someone else at the ISP is also in that range and could check if it got blocked outright)
Simply put, eIDAS must work on smart cards and desktop USB/built-in card readers, not a mobile (cr)app.
BUT governments do not want sovereignty more than they want to snoop on citizens.
How many billions will EU countries spend on this bullshit? Who needs it?
Possibly I'm not smart enough to understand, but from what I can see, the implementers intend to leverage the existing security architecture of Android/Google and iOS/Apple, respectively, arguably to drive adoption. The document doesn't state anywhere that an Apple/Google account is a requirement to use German eIDAS. From what I can tell, one may (continue to) use one's government-issued ID card with electronic signature for authentication.
Please prove me wrong, I genuinely want to understand the implication of the linked document.
Knowing the Germans, how much of a fiasco will this be? Many Germans despise having to go online with specific services due to "Datenschutz". Now you are telling them that they need an external (American) service in order to use this?
What I don't understand is: ELSTER (taxes) already uses electronic signatures, don't these signature already fulfil the requirements of eIDAS? Why do we even need Google/Apple?
Germans are likely going to try and hang the public servants for high treason via their constitutional court.
> threats:
> unknown system image (e.g. custom ROM)
Oh no, what a horrible crime, somebody dared to modify the operating system on their own device..
So much for digital sovereignty
Corporations + government = fascism.
Fascism is the reality.
And its global.
Global fascism is what is already the case.
lobbyists!
what's eIDAS?
EU digital identity law to make inter-EU signatures (And authentication) work.
As an example, an EU citizen working in Sweden should be able to submit Swedish tax forms whilst living here by using a digital identity from the originating nation.
There are also some standards in place like ETSI standardized extensions to PDF signatures so that you can verify that a signature inside the PDF was actually signed by a specific physical person (the standard is there but it's not fully used throughout the EU yet due to some legacies).
Implementation is a bit of a mess still but things are converging.
Is there a reason this user-hostile mess is preferred over an X.509 certificate (besides big tech lobbying)?
Slovenia hands out certificates for online government services, including document signing, and it seems to be going fine, with the added benefit that Google can't take away my access.
Do you happen to know if German citizens can obtain a certificate to sign PDFs (from the government / for free)?
Several paid providers for X.509 certificates exist but document signing certificates cost around 80 € per year [0]. And if I want duplicate X.509 certificates for my redundant Yubikeys then the cost doubles.
Other providers require an initial deposit and then charge per signature [1], which leads to opaque pricing. In the interest of open commerce, I strongly believe that securely signing an electronic document should cost the same as my manual signature, i.e. nothing.
A partial solution already exists because I can use my electronic ID card with the AusweisApp to prove my identity when interacting with German authorities. This feature is generally useful because I live outside of the EU, but I especially appreciate that I can have my OpenPGP key signed by Governikus (a government provider) to prove the key belongs to my name [2].
Technically, I should be able to use my certified PGP key to sign documents, but in practice most non techies don't know how to validate my signature. For the average user opening my signed PDF in Adobe Reader, I would need an X.509 certificate from a trusted Certificate Authority for users to see the green check mark.
[0] https://shop.certum.eu/documentsigning-certifcates.html
[1] https://www.entrust.com/products/electronic-digital-signing
[2] https://pgp.governikus.de/wizard/requirements
> inter-EU signatures
I assume this should be "intra-EU"? I'm not very familiar with eidas so I'm not sure, but afaik it's about signatures within the EU, not between different EUs (as there is only one in this world). (I hate this inter/intra wording, always have to translate it in my head to understand whether it's like internet (between networks) or like intranet (within a network). Would recommend using "within-" instead of intra whenever it's not already a well-established word, like intranet)
The gold standard for digital signatures today is
- someone sends you a docusign link
- you sign up with your email
- you sign with your name in a cutesy font
There's a dispute? Well it was going to end up in court no matter how you signed it anyway. This has all the hallmarks of a design-by-committee project by people whose salary is paid regardless of demonstrating market fit, productivity, usage, plain sensibleness...
https://en.wikipedia.org/wiki/EIDAS
electronic IDentification, Authentication and trust Services
A mistake.
So what was the point of putting a crypto chip into every ID if you are gonna try and reinvent the entire trusted environment in the fucking smartphone?
ID cards don’t connect to the internet.
These days an ID system that doesn’t work online is next to useless.
It's an NFC card that can be read with any NFC card reader, USB or smartphone based.
https://www.ausweisapp.bund.de/en/open-source I just saw that it's available in alpine.
So I tried installing it on my postmarketOS smartphone and it runs out of the box: https://i.imgur.com/nRIAyrq.png
My Shift6mq is listed as not having NFC support in postmarketOS, so I can't actually test it, but I assume the USB card reader option will work once it's supported.
Well, since it happened also for my gov (France) 10 years ago, we can see this pattern happening in the whole EU.
There is a mixture of incompetence and big tech aggressive lobbying on gov 'standards' all over the EU, making anything internet hard-locked on big tech ultra-massively complex software, protocols and file formats.
In my country, it is the web: classic web support interop was actually killed 10 years ago. Now, only web apps requiring one of the gigantic and ultra-complex web engines from the WHATWG cartel work. No "small" web engines (including their SDKs) work anymore, and it closed the door for good to anything 'not big tech' (here the WHATWG cartel), what a bummer, oopsie!
It means in my country, to interact with the gov agencies and dependencies, you are now FORCED BY LAW to use only WHATWG cartel web engines. Wow, corruption (there is big public money there)? Brainwashing-grade lobbying (what seems to be the case)? Incompetence (always expected on complex matters)?
To add insult to injury, in my country, the ONLY person who has the power to fix that is the prime minister (then also the president). Oooof!
Of course, very simple classic web sites do work on 'smart phones' (apple did threaten to remove its browser... we know why: to force a technical hard dependency on them since they have a significant amount of the "market").
We all know their weak spot: a simple and stable in time, "good enough" to do the job, set of existing protocols/file formats (to protect the SDKs, I would include the computer languages, for instance excluding c++ and similar for plain and simple C and assembly to protect against the obviously ultra-complex SDK components): it will reduce dramatically the complexity and size of any current and future, local, implementations.
What seems to be happening when I look at that: some people all over EU countries are trying to fight their way out of big tech because of gov officials probably being brainwashed by lobbying (do not exclude the possibility of "corruption", there is always some level) or incompetence (which is expected).
Since it is happening in France and Germany, core of the EU...
Now what?
So much for Europe to decouple from orange-man country ...
It is so clear how lobbyists operate here. I'd call it undermining national sovereignty.
:facepalm:
The title is misleading.
App attestation does not require an Apple account nor a Google account. For Android, it does limit the ROMs to Google-certified ones and requires GMS to be installed if Play Integrity is used. An alternative option would be to use the Hardware Attestation API directly; GrapheneOS would thank you.
I've spent a good amount of time implementing exactly this type of system for a backup service.
This document specifies a way to cryptographically attest the integrity of an HTTP request hitting a server.
The attestation proves the request came from a device and attests the legitimacy of the bootloader, OS and app.
Google and Apple are in a privileged position to be able to bypass the app attestation though, so depending on the threat model, it's not bulletproof.
edit: Play Integrity could be the worst offender here, as it can be leveraged to force a user to have installed the app through the Play Store, indirectly requiring a Google account.
There's no such thing as "legitimacy of the bootloader, OS" that can be verified by someone who isn't the device's user. The bootloader that booted the phone I type this on is patched by me, which makes it more "legitimate" than any other bootloader that could be placed there.
The reason (or, depending on your inclinations, the excuse) for trusted computing to exist is not to guarantee that I didn’t patch the bootloader of the phone on which I type my comment; it’s to guarantee I didn’t patch the bootloader of the phone on which your grandma logs in to her bank without her knowledge.
You can bicker about the words all day long. Legitimacy, or perhaps better: authenticity, in this context, would be a bootloader or OS that doesn't allow tampering with the execution of an app.
Sorry, but this is nonsense: most users, even the Linux-toting power users, don't have the time, ability or knowledge to verify the contents of their OS in a way that would catch issues prevented by attestation.
The problem with modified phones containing malware is very real, and unless you want a full-on Apple "you're not allowed to touch the OS" model, you need some kind of audited OS verification that you as a user, or a security-sensitive piece of software, can depend on.
> App attestation does not require an Apple account nor a google account. For Android, it does limit the ROMs to Google certified ones and requires GMS to be installed.
To me, there is no difference between your sentences. You require the blessing of an American company to be able to use eIDAS. Google has the power to disable eIDAS at a national scale by making the attestation services treat all devices as not certified.
There should be NO reliance whatsoever on a private company not under the control (direct or indirect) of the government let alone a foreign private company.
Edit: I just noticed your username and the fact that your account is very new. Are you astroturfing?
I made an account because I'm qualified to talk about this topic :-) I've spent a considerable time testing every corner case of UX, and DX of an app attested service.
App attestation can fail on simulators, GrapheneOS, dev builds, I've seen it all. There is one check you can do to see if an app was sideloaded, so indirectly it can require a Google account.
Title is still misleading though, as it explicitly mentions accounts.
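To make concrete what the two comments above describe (a verdict bound to one HTTP request that also vouches for the OS and the app binary, and the separate "was it installed from Play" check that indirectly demands a Google account), here is an added example of the server-side evaluation of a decoded Play Integrity verdict. It is not code from the thread, from Google or from any eIDAS project. The field names follow Google's documented Play Integrity verdict layout (requestDetails / appIntegrity / deviceIntegrity / accountDetails); the package name, certificate digest, request body, timestamps and the way the request hash is canonicalised (method, path and body) are assumptions constructed for this example, since Google only treats requestHash as an opaque string chosen by the app. In production the token is first decrypted and verified through Google's decodeIntegrityToken API; this code starts from the resulting JSON.

```python
"""Server-side evaluation of a decoded Play Integrity verdict (added example).

Field names follow Google's documented verdict layout. Package name, cert
digest, request body, timestamps and the request-hash canonicalisation are
constructed assumptions for this example, not values from any real service.
"""
import base64
import hashlib

EXPECTED_PACKAGE = "eu.example.wallet"                          # assumed package name
EXPECTED_CERT_DIGESTS = {"c3R1Yi1zaWduaW5nLWNlcnQtZGlnZXN0"}    # constructed stand-in for the base64url SHA-256 of the signing cert
MAX_AGE_MS = 5 * 60 * 1000                                      # assumed freshness window
ACCEPTABLE_DEVICE = {"MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY"}

SAMPLE_BODY = b'{"action":"sign","doc":"constructed"}'          # constructed request body
SAMPLE_NOW_MS = 1_700_000_000_000                               # constructed server clock


def request_hash(method: str, path: str, body: bytes) -> str:
    """Bind the verdict to one HTTP request: the app computes this over the
    request it is about to send and passes it as requestHash; the server
    recomputes it over the request it actually received. The canonical form
    (method, path, body) is this example's own choice."""
    canonical = f"{method.upper()} {path}\n".encode() + body
    digest = hashlib.sha256(canonical).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def evaluate_verdict(verdict: dict, method: str, path: str, body: bytes,
                     now_ms: int, require_play_install: bool = False):
    """Return (accepted, reasons); reasons lists every failed check.

    require_play_install enables the appLicensingVerdict check, i.e. the
    'installed through Play' check that indirectly requires a Google account
    on the device. Everything else only needs a certified OS and a Play-
    recognised binary."""
    reasons = []
    req = verdict.get("requestDetails", {})
    app = verdict.get("appIntegrity", {})
    dev = verdict.get("deviceIntegrity", {})
    acct = verdict.get("accountDetails", {})

    if req.get("requestPackageName") != EXPECTED_PACKAGE or app.get("packageName") != EXPECTED_PACKAGE:
        reasons.append("package mismatch")
    if req.get("requestHash") != request_hash(method, path, body):
        reasons.append("requestHash does not match the received request")
    try:
        age = now_ms - int(req.get("timestampMillis", "x"))
    except ValueError:
        age = None
    if age is None or age < 0 or age > MAX_AGE_MS:
        reasons.append("verdict is stale or has a bad timestamp")
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app binary not recognised by Play")
    if not EXPECTED_CERT_DIGESTS & set(app.get("certificateSha256Digest", [])):
        reasons.append("signing certificate mismatch")
    if not ACCEPTABLE_DEVICE & set(dev.get("deviceRecognitionVerdict", [])):
        reasons.append("device/OS not Google-certified")
    if require_play_install and acct.get("appLicensingVerdict") != "LICENSED":
        reasons.append("app not installed through Play (sideloaded or unevaluated)")
    return (not reasons, reasons)


def sample_verdict(now_ms: int, licensing: str = "LICENSED",
                   device=("MEETS_DEVICE_INTEGRITY",), body: bytes = SAMPLE_BODY) -> dict:
    """Constructed decoded verdict for a POST /api/sign request."""
    return {
        "requestDetails": {
            "requestPackageName": EXPECTED_PACKAGE,
            "requestHash": request_hash("POST", "/api/sign", body),
            "timestampMillis": str(now_ms - 1000),
        },
        "appIntegrity": {
            "appRecognitionVerdict": "PLAY_RECOGNIZED",
            "packageName": EXPECTED_PACKAGE,
            "certificateSha256Digest": sorted(EXPECTED_CERT_DIGESTS),
            "versionCode": "42",
        },
        "deviceIntegrity": {"deviceRecognitionVerdict": list(device)},
        "accountDetails": {"appLicensingVerdict": licensing},
    }


if __name__ == "__main__":
    cases = {
        "certified device, Play install": sample_verdict(SAMPLE_NOW_MS),
        "certified device, sideloaded": sample_verdict(SAMPLE_NOW_MS, licensing="UNLICENSED"),
        "uncertified OS (constructed)": sample_verdict(SAMPLE_NOW_MS, device=()),
    }
    for name, v in cases.items():
        for strict in (False, True):
            ok, why = evaluate_verdict(v, "POST", "/api/sign", SAMPLE_BODY, SAMPLE_NOW_MS, strict)
            print(f"{name} (require_play_install={strict}): "
                  f"{'ACCEPT' if ok else 'REJECT: ' + '; '.join(why)}")
```

The sideloaded case is the one the comment points at: with `require_play_install=False` the same verdict is accepted on the strength of the OS and binary checks alone, and only the licensing check turns the Play Store (and so a signed-in Google account) into a requirement. The uncertified-OS case shows the other dependency discussed in the thread: the device verdict is Google's to grant, regardless of how the user's bootloader or OS was actually built.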
I agree, there is still a reliance on the tech giants that produce the phones, who are the ones embedding the cryptographic keys, to make this end-to-end attestation work.
But in pure technical and UX terms, you don't need to be logged in.