Comment: The videoident procedure is insecure – and superfluous


The security of the Videoident procedure is increasingly being called into question, and at the same time the question arises whether the e-ID offers a good alternative.

Is Videoident still up to date, or long outdated? Viewed soberly, it is absurd, and downright embarrassing by international comparison, that Videoident was and still is used in Germany. You hold your ID card in front of a webcam so that a person (or an algorithm) at the other end of the line can check security features that were designed for in-person inspection, even though the same ID card carries a chip for secure digital identification. Because a video can always be manipulated, Videoident is fundamentally insecure. The BSI and privacy advocates have been saying this for years, and the CCC has now demonstrated it.

So this is not about one or two bugs that could be fixed: Videoident is “broken by design”. It is therefore important that Gematik does not stop at a temporary ban but permanently phases out the procedure, so that trust in the electronic patient record is not undermined further. Other authorities, such as BaFin, should follow its example.

After all, a much more secure and, yes, also more convenient alternative to video identification has long existed in the form of the e-ID. The IT industry association Bitkom insists that the online ID function is “not yet a practicable alternative” because too few people have activated it, do not have their PIN, or do not know how the technology works. It is true that the vast majority have never used the online ID function, but that can change quickly.

First, the function is activated on all ID cards issued since 2017 (and on many older ones as well). Second, since March it has been possible to order a PIN reset letter conveniently from your smartphone. Third, registering or logging in online with the E-Perso is no more complicated than the many other two-factor methods once you have got the hang of it: start AusweisApp2, hold your ID card to your mobile phone, enter your PIN, and that’s it.

The e-ID is more convenient than video identification because you can identify yourself online in a matter of seconds instead of waving your ID card in front of a camera for minutes. And there is no doubt that the E-Perso meets the highest security and data protection requirements; only recently, expert after expert confirmed this at a hearing in the Bundestag.

None of this means there is nothing left to do: the federal government must promote the E-Perso sensibly; a few posters in citizens’ registration offices are not enough. It finally has to bring the ID function onto smartphones, which it actually intended to do by the end of 2020. And it needs to make integration cheaper for providers so that more use cases emerge in the private sector too.

The old saying that the E-Perso is too complicated has not been true for a long time, and it must not become a self-fulfilling prophecy. The end of Videoident might be exactly the push that the E-Perso still needs. Then Germany, too, would finally have a widely used, secure digital identity.

A comment by Christian Wölbert

Christian Wölbert writes for c’t about IT policy, e-government, consumer protection and environmental issues.

c’t issue 19/2022


Don’t be afraid of your e-mail inbox anymore! In c’t 19/2022 we explain how to avoid the phishing danger: learn how to better detect ransomware threats and render dangerous attachments harmless. We also test PCIe cards, card readers, cables and SSDs that can handle USB at 20 Gbit/s, and show you how to monitor the performance of your PV system. You can read that and more in the current issue of c’t.

  • Email without the risk of phishing
  • Super fast USB up to 20 Gbit/s
  • Balcony power plants: measure electricity production
  • The Videoident hack and its potential consequences
  • Test: Palm-sized, fanless miniature PC
  • Test: Android newcomer: Nothing Phone (1)
  • Practice: Interactively evaluating data from the James Webb telescope
  • Metaverse: Problems, visions and promises
  • Fritzbox project: Raspi monitors line quality
  • FAQ: Backup
  • c’t 19/2022 in the Heise shop


(cwo)
