Austrian ID system

August 16, 2007 at 9:21 pm

There are many things to like about Austria’s national identity system. A good overview is the presentation given at Liberty Alliance’s eGovernment Workshop held in Brussels earlier this year.

First, there is no external national unique identifier. Every person is assigned a unique personal identification number (Source-PIN) that is under his/her own control. Each governmental sector is provided its own specific identifier for that person (Sector-Specific PIN), derived from the Source-PIN using a one-way cryptographic function, so the sectors cannot join their records by identifier.
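As an added illustration (not code from this post or from the Austrian system itself), the following Python shows the principle behind Sector-Specific PINs: one Source-PIN, a one-way hash per sector, so a record in one sector cannot be joined to a record in another by identifier alone. The exact construction (SHA-256 over the Source-PIN, a separator and the sector name, base64-encoded) and the sector names are assumptions for the example; the page does not give the production algorithm.

```python
import base64
import hashlib
import hmac
import secrets


def derive_sspin(source_pin, sector):
    """Sector-Specific PIN = one-way hash of (Source-PIN, sector).

    Assumption: SHA-256 over sourcePIN + "+" + sector, base64-encoded.
    This illustrates the principle; it is not the real Austrian algorithm.
    """
    digest = hashlib.sha256(f"{source_pin}+{sector}".encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def derive_for_sectors(source_pin, sectors):
    """One ssPIN per governmental sector, all derived from the same Source-PIN."""
    return {s: derive_sspin(source_pin, s) for s in sectors}


def all_distinct(sspins):
    """True when no two sectors share an identifier: a tax-sector record and a
    health-sector record for the same person carry different ssPINs."""
    return len(set(sspins.values())) == len(sspins)


def verify_sspin(source_pin, sector, presented):
    """A sector can only check a presented ssPIN when the holder supplies the
    Source-PIN (kept on the Citizen Card, under the holder's control).
    Constant-time comparison avoids leaking how much of the value matched."""
    return hmac.compare_digest(derive_sspin(source_pin, sector), presented)


def new_source_pin():
    """Constructed Source-PIN for the demo. High entropy matters: linking two
    ssPINs without the card means guessing the Source-PIN and re-deriving, so a
    short or predictable Source-PIN would undo the one-way property."""
    return secrets.token_urlsafe(24)


if __name__ == "__main__":
    pin = new_source_pin()
    table = derive_for_sectors(pin, ["tax", "health", "social-insurance"])
    for sector, sspin in table.items():
        print(f"{sector:17} {sspin}")
    print("unlinkable across sectors:", all_distinct(table))
```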

Secondly, their Citizen Card is more of a concept in that it can be issued in a variety of smartcard form factors, for example a Bank Card or Health Card or even a mobile phone.

The Citizen Card contains both limited personal information (first name, last name, date of birth, Source-PIN) as well as the person’s public key information. The card can therefore be used for both authentication and electronic signatures.

Thirdly, their system is based on open standards, specifically SAML (v1.0 Browser Artifact Profile with plans to go to v2.0).

Finally, the system meets the test that Identity 2.0 experts love. These experts argue that the issuer of the identity credential (government) should not know where the person chooses to establish his/her identity. So, if a person goes to a video/DVD rental store and uses the Citizen Card to prove his/her identity, government has no business in knowing or tracking that. The Austrian system passes that test.

Ironically, in my opinion, this is also its major weakness, and it is one area where I differ from the Identity 2.0 experts.

As a national identification system, I believe there needs to be a way for government to inform the places where an identification credential was used in the event of proven identity fraud. It is not enough to stop future use of a fraudulent identity (say by means of a revocation list in the PKI infrastructure); there also needs to be an ability to proactively unwind transactions based on that fraudulent identity.

There are a few other issues, but they are comparatively minor. The first is that all the person’s attributes (first name, last name, and date of birth) are available to everyone to whom identity is proven. Notwithstanding the fact that there is a very small amount of personal information on the Card, there are cases where even these attributes are not required and therefore should not be given. For example, to buy alcohol a person need only prove that he/she is 18 or over.

Secondly, it is not clear how the person’s attributes stored on the Card can be easily changed or updated, e.g. in case of a change of name or administrative error.

Finally, as with all smartcards used for online authentication, there is the need for smartcard readers to access the digital certificate. However, it may be that widespread availability of smartcard readers (one for every computer) is not a problem in Austria.

Overall, there are many, many positive things about Austria’s national identity system that other countries can learn from.


Entry filed under: 2FA, authentication, government, identity, ID_cards, igovt, Lib_Alliance, network, personal_info, PKI, privacy, SAML, strategy, Web_2.0.


5 Comments

  • 1. Identity 2.0 » Blog Archive » Austrian ID system  |  August 17, 2007 at 12:23 am

    […] rest is here: Austrian ID system Identity […]

  • 2. stephen revill  |  August 17, 2007 at 6:05 pm

    I must say that I agree with the Austrians. Government should not know where a person chooses to establish his/her identity. If government should know it needs to prove its case.

    The House of Lords report on the internet and personal security makes the point that the UK government has failed to ensure that there is reliable data on “e-crime”. In Australia AUSCERT has conducted an annual survey on computer crime and security for some years. However, in the most recent survey (May 2006) only 5% of computer crimes/computer abuses were classified as being a result of ID theft. The irony is that AUSCERT has since had its funding pulled for its annual survey by the Australian Federal Gov’t. This raises the question as to how far the Australian gov’t is genuinely concerned with finding out the facts about computer crime and computer fraud.

    In New Zealand the answer must be “no”. There is no ongoing survey that has been conducted on the incidence and impact of e-crime in New Zealand (including the incidence and impact of ID theft or fraud).

    If we are, however, to rely on anecdotal evidence, then the problems that the banks have experienced with “phishing” would indicate that the individual’s ability to authenticate the web site of the agency or organisation it is dealing with is a rather more significant issue than ID thefts involving negligence on the part of individuals.

    It seems to me the evidence of ID fraud needs to be brought to the table before there can be any consideration of a privacy trade-off involving the use of electronic IDs in circumstances where the use of physical forms of ID has never left an audit trail. And even then it would be necessary to show that the best person to manage the risk of ID fraud is the individual rather than the government or private sector agency with whom the individual is dealing.

    Stephen Revill

  • 3. Martin Leyrer  |  August 21, 2007 at 11:33 am

    Although the theory behind the Austrian Identification System is quite good, it falls short of expectations in several ways.

    1) Citizen Card is a “Concept”
    This ensures quite a lot of confusion amongst end-users. They are asking for a “citizen card” and if they ask a-trust, the only commercial vendor that also puts a qualified signature on the card, they get an expensive Signature card. If they ask a health-care provider, they get told that their (mandatory) card is all they need (which is not always true).

    2) Open Standards
    It is nice that the citizen card is based on “open standards”. The problem I see in the real world is that there is NO out-of-the-box solution that supports these standards. E.g., you can’t use a citizen card to log onto a standard SSL webserver.

    3) Smartcard Readers
    These are far from being widespread in Austria. A lot of lawyers’ offices, for example, still have only one. And do not even start to think about end-users. And that is the case although they subsidised the reader last year so it only cost ~ 15 Euros.

    From a technician’s/programmer’s point of view, the Austrian ID system has a (technically) nice design, needs a lot of programming if you want to use it, the handling is more than awkward for the end-user and the infrastructure for it (card readers, …) is far from sufficient.

    Many greetings from Austria.

  • 4. Vikram  |  August 21, 2007 at 9:13 pm

    Thanks to Stephen and Martin.

    Your comments really add to the full picture.

  • […] 24, 2007 Following an earlier post on the Austrian ID system, several people got in touch asking me to blog about the New Zealand Government’s approach to […]

