Frequently Asked Questions
Is your question missing? Please post it at
Glossary
What does the abbreviation "CH2A" mean? ▼
The term "CH2A" stands for "CH-LOGIN to AGOV". CH2A is a strategic initiative by BK-DTI. It addresses the replacement of CH-LOGIN by AGOV across the entire Federal Administration.
What is the "CH2A-Wizard"? ▼
The so-called "CH2A-Wizard" is a component of the federation communication between AGOV as identity provider and eIAM as the consumer of AGOV identities. The CH2A-Wizard assists users with the simple and secure transition from CH-LOGIN to AGOV-Login, especially if a user wants to replace an existing CH-LOGIN with their AGOV-Login. It detects an AGOV-Login that has the same email address as an existing CH-LOGIN and offers the user the option to replace the CH-LOGIN with their AGOV-Login. The wizard also supports scenarios where the AGOV-Login was registered with a different email address than the CH-LOGIN and allows the user to carry out the replacement. To ensure secure migration, a full CH-LOGIN login is always required. The transition is never carried out based solely on matching email addresses.
Strategic Context
What are the advantages of AGOV-Login compared to CH-LOGIN? ▼
AGOV-Login can be used by individuals and business representatives to interact with all administrative levels in Switzerland (municipalities, cantons, Federal Government, and third parties authorized by EMBAG). CH-LOGIN, in contrast, is limited to Federal Administration applications. Unlike CH-LOGIN, AGOV-Login is compatible with e-ID. For applications that require it, AGOV can request and provide a verified AHV number. AGOV-Login eliminates outdated and less secure login methods such as passwords and SMS-mTAN. Through the use of the AGOV Access App for Apple and Android devices and physical security keys (FIDO2), AGOV-Login is fully passwordless and offers better user experience and higher security compared to password-based methods.
AGOV is the official login for Swiss authorities. It enables you to interact with authorities at all administrative levels (municipal, cantonal, federal) using a single login method—without having to manage passwords.
Organisation
How is CH2A organised? Who can I contact? ▼
CH2A is a project of CFh-DTI, in collaboration with FOITT. Bruno Frutiger from the Digital Standard Services (DS) department, who is responsible for digital basic and security solutions (DBS), acts as the client. Responsibility for the IAM service lies with business owner Stefan Minder, also from the DBS department and deputy project manager for the project. The CH2A project manager is Philipp Dasen from the DBS department. Edgar Kälin is responsible for the implementation of the DEV/OPS sub-project on behalf of FOITT.
Communication
Who is responsible for which communication? ▼
CH2A Communication Subproject
- The communication subproject within CH2A has analysed the target groups and is planning the appropriate communication channels.
- We are in close contact with the communication departments of BIT and BK-DTI. The plan is for the IMs of the offices to issue CH2A-related communication instructions to their communication departments in a timely manner.
- The topic of communication will require different actions depending on the CH2A phase (AGOV-Allow, AGOV-First, AGOV-Push, AGOV-Force, AGOV-Only). Please note that during the next phase AGOV-First (planned from production release Liskamm on 07.09.2025), users will still be able to create a new CH-LOGIN account. In this phase, we aim to inform users that AGOV is the better choice and encourage them to use AGOV-Login.
- Important announcements, planning information and requests will be sent via the mailing list eIAM-Releases@bit.admin.ch. We will also use this channel to inform when we expect communication measures from specific stakeholder groups, such as business application owners.
- Please send an email to eIAM-Releases@bit.admin.ch if you would like to be added to the mailing list.
- If you receive any questions about CH2A, please refer to our project page with all relevant information on the current AGOV-First phase as well as the FAQ about CH2A.
- If you have any questions or concerns, feel free to contact us at any time via eIAM-Releases@bit.admin.ch.
Are there templates available for communication? ▼
- In addition to the interactions within the eIAM user flow, all necessary information is planned to be published on the information pages of the eIAM service (https://www.eiam.swiss/), the eIAM customer documentation (https://docs.eiam.swiss/) and the eIAM help pages (https://help.eiam.swiss/). These will be continuously improved if necessary.
- Many business applications have published guides on topics such as registration and login. These guides often lead users through eIAM functionality, such as registering a CH-LOGIN. Normally, these guides include step-by-step instructions with screenshots for each process step. All such guides published by business applications will no longer be correct with AGOV-First. This may cause confusion for users. The goal of supporting and guiding users would thus be missed. With AGOV-First, i.e., from 7 September 2025 in the PRODUCTION environment, new users should primarily register an AGOV-Login and no longer CH-LOGIN, even though CH-LOGIN registration remains technically possible. Help documentation provided by business applications should no longer include instructions for eIAM processes. It should consistently refer to the central eIAM help. Relevant details are available in the CH2A FAQ for stakeholders.
Costs and Billing
What does AGOV usage cost for my administrative unit? ▼
AGOV usage, like CH-LOGIN usage, is included in the eIAM pricing model. If target applications require identity verification via AGOV, the end user must pay online, or the administrative unit can provide a voucher code as part of its onboarding processes. Details on ordering vouchers for administrative units can be found at:
Support
How do users receive support? ▼
AGOV is designed to enable end users to help themselves first. Thanks to a multi-level account recovery mechanism, fewer support cases are expected compared to CH-LOGIN. If users encounter problems that cannot be resolved via self-service, they should contact the application-specific support team, as they did with CH-LOGIN. This team records the case and attempts to resolve it. This process remains unchanged. The application support should remain the single point of contact (SPOC) for the end user. Cases can still be escalated to BIT support where necessary for resolution and communication.
Further information on support processes is available at: AGOV Supportmanua
Roadmap
What are the timelines and contents of the CH2A roadmap? ▼
- AGOV-Allow (Rollout since Q1/2024 to PROD)
  - In this phase, AGOV is one of the supported IdPs in the CH-LOGIN BYOI bundle. Users with an AGOV-Login can voluntarily use it as a BYOI (Bring Your Own Identity) and link it to their CH-LOGIN. Users can freely choose to log in to eIAM using either CH-LOGIN or AGOV-Login. Both are possible in parallel. During this phase, AGOV-Login in eIAM is limited to "normal" quality (QoA30). Verified AGOV-Logins are not yet supported.
- AGOV-First (REF 13.05.25 (Lenzspitze), ABN 13.08.25 / PROD 07.09.25 (Liskamm))
  - In this phase, AGOV becomes the preferred identity for new users of integrated eIAM applications in the eGOV domain. However, users can still create a new CH-LOGIN account. They are informed that AGOV is the better choice and are encouraged to use it.
  - Users with an existing CH-LOGIN identity may continue using it or voluntarily replace it with an AGOV identity. The upgrade from CH-LOGIN to AGOV-Login is technically supported and all access rights are retained.
  - AGOV identities are supported in eIAM up to QoA51 (including verified AHV numbers). The need for verified identities is consistently met through AGOV, ensuring users can benefit from their verified identity across all levels of government.
- AGOV-Push (Dates not yet defined)
  - In this phase, CH-LOGIN users are prompted to switch to AGOV. It remains possible to ignore or skip the prompt and continue using CH-LOGIN.
  - It will no longer be possible to register new CH-LOGIN accounts.
  - The specific time for entering the AGOV push phase can be controlled within a time window to be defined for each application.
- AGOV-Force (Dates not yet defined)
  - In this phase, CH-LOGIN users are forced to upgrade to AGOV-Login.
  - CH-LOGIN can no longer be used to log in to eIAM-integrated applications. It can only serve as proof of identity for upgrading to AGOV-Login.
- AGOV-Only (Target from 2028 onward)
  - In this phase, CH-LOGIN users are forced to upgrade to AGOV-Login.
  - CH-LOGIN can no longer be used to log in to eIAM-integrated applications. It can only serve as proof of identity for upgrading to AGOV-Login.
When can AGOV-Login be used as a login method? ▼
AGOV-Login has been available to Federal Administration applications as part of CH-LOGIN (via BYOI – Bring Your Own Identity) since the AGOV-Allow phase, i.e., since the "Dufourspitze" release on 11.02.2024.
The AGOV-Allow phase will end with the start of AGOV-First on 07.09.2025. With AGOV-First, AGOV-Login becomes a standalone login method. Users no longer use AGOV as part of CH-LOGIN but instead choose to replace their CH-LOGIN with AGOV-Login. They are informed about AGOV as the Swiss government login and are encouraged to use it. A wizard assists with the secure transition from CH-LOGIN to AGOV-Login. Details about the rollout can be found in the Release Planning and the Release Notes.
When does the transition from CH-LOGIN to AGOV become mandatory? ▼
In the first phase, switching to AGOV is voluntary; in the second, it becomes mandatory. The exact timing of these phases is not yet defined (see first FAQ above). An exception applies to users who require verified identities (QoA higher than QoA30). In eIAM's eGOV context, verified identities will be offered exclusively through AGOV starting with AGOV-First. This ensures that users can benefit from their verified identity across all levels of government—not just federal.
How are users supported during the timely upgrade from CH-LOGIN to AGOV-Login? ▼
During AGOV-First, the eIAM service informs users directly at login runtime about AGOV as the new Swiss government login. For users accessing eIAM-integrated specialized applications with AGOV-Login, a "CH2A-Wizard" has been developed. It guides users through a simple and secure migration from CH-LOGIN to AGOV-Login. In later CH2A phases, communication with users also occurs outside direct eIAM usage. Email is used as a communication channel, ensuring even users who rarely use CH-LOGIN are informed.
Technical
Do I need to do anything to enable users of my application to use AGOV? ▼
If your users have been able to use CH-LOGIN identities to log in to your application, they will automatically be able to use AGOV logins with CH2A.
Administrative units of the Federal Administration do not connect their applications directly to AGOV based on the market model. They always use AGOV via eIAM. This is done according to the process Integration of new applications. With integration into eIAM, you automatically receive AGOV as an identity provider.
Different rules and processes apply to cantons and their municipalities. Details on this connection procedure can be found under the following link: (Closed User Group)
AGOV is available worldwide. However, in countries that heavily filter and regulate internet traffic, unrestricted use may not be guaranteed.
You can register for an AGOV-Login at any time via the website AGO
The future official Swiss e-ID is an electronic identity that can be used both as a login factor with AGOV and to verify personal data in AGOV.
Backward Compatibility
Do I need to adapt my applications as part of CH2A? ▼
The premise of introducing AGOV-First in eIAM is that target applications using CH-LOGIN will continue to function without modification – even when users switch from CH-LOGIN to AGOV-Login. During testing in the eIAM REFERENCE environment, the eIAM team at the Federal Office of Information Technology and Telecommunications (FOITT), together with application owners, found that this premise should not be enforced in all cases in advance.
Therefore, FOITT requested the Federal Chancellery DTI to slightly relax this premise for so-called legacy integrations. The BK DTI accepted this request, as it promotes standardization and helps reduce costs for the federal administration. This means that in rare cases, legacy-integrated applications might have difficulty recognizing a user who switched from CH-LOGIN to AGOV-Login.
eIAM has prepared for such cases:
Based on appropriate feedback, a configuration change in eIAM can be made immediately and without cost for each affected application to restore backward compatibility.
We therefore ask you to test your application in the eIAM reference environment with AGOV.
This decision upholds the premise without introducing global exceptions – only specific to certain legacy integrations.
As part of AGOV-First, applications must be specifically tested for the use case "User switches from CH-LOGIN to AGOV-Login". See the "Testing" section for more information.
It is very important to identify such issues already in the REFERENCE environment. This helps us jointly avoid problems for your business application and its users during the further rollout in the ACCEPTANCE environment (13.08.2025) and in PRODUCTION (07.09.2025).
How is it ensured that users remain the same for the target applications? ▼
In principle, eIAM provides the application with a stable identifier in its token, even if users switch from CH-LOGIN to AGOV-Login.
The premise of introducing AGOV-First in eIAM is that target applications using CH-LOGIN will continue to function without modification – even when users switch from CH-LOGIN to AGOV-Login. During testing in the eIAM REFERENCE environment, the eIAM team at the Federal Office of Information Technology and Telecommunications (FOITT), together with application owners, found that this premise should not be enforced in all cases in advance.
Therefore, FOITT requested the Federal Chancellery DTI to slightly relax this premise for so-called legacy integrations. The BK DTI accepted this request, as it promotes standardization and helps reduce costs for the federal administration. This means that in rare cases, legacy-integrated applications might have difficulty recognizing a user who switched from CH-LOGIN to AGOV-Login.
eIAM has prepared for such cases:
Based on appropriate feedback, a configuration change in eIAM can be made immediately and without cost for each affected application to restore backward compatibility.
We therefore ask you to test your application in the eIAM reference environment with AGOV.
This decision upholds the premise without introducing global exceptions – only specific to certain legacy integrations.
As part of AGOV-First, applications must be specifically tested for the use case "User switches from CH-LOGIN to AGOV-Login". See the "Testing" section for more information.
It is very important to identify such issues already in the REFERENCE environment. This helps us jointly avoid problems for your business application and its users during the further rollout in the ACCEPTANCE environment (13.08.2025) and in PRODUCTION (07.09.2025).
Is backward compatibility of the delivered claims ensured for the applications? ▼
In principle, backward compatibility is ensured.
However, certain adjustments to the claims have been made due to changes in the technical integration of AGOV and the other BYOI identity providers (Switch eduID, #edaLogin, GenèveID, ZUGLOGIN, and eZug) as standalone identity providers. All identity providers are now directly integrated and no longer connected indirectly via CH-LOGIN. As a result, CH-LOGIN-specific claims are no longer available, and identity-provider-specific claims now contain the correct value. Please refer to the list below for detailed changes to the affected claims:
AGOV-First backward compatibility of delivered claims
These changes may lead to issues in applications with legacy integrations when a user switches from CH-LOGIN to AGOV login.
We strongly encourage you to plan comprehensive testing of the “AGOV-First” use cases.
Please take the opportunity to identify issues with specific CH2A tests in the REFERENCE and ACCEPTANCE environments before they arise in the PRODUCTION go-live.
What should I do if I suspect issues with backward compatibility? ▼
Report any backward compatibility issues of your application to eIAM using the feedback form.
You will be contacted by eIAM immediately.
Quality of Authentication (QoA) - Authenticated/verified identities
What authentication qualities (login strengths) does AGOV offer? ▼
AGOV offers identities from QoA30 to QoA51 (according to eIAM taxonomy). The actual login always takes place at the ‘high’ level. The different QoA results from the different verification of personal data. The QoA scale applies in the eIAM system, while the AGOVaq scale applies to AGOV; the assignment can be viewed internally at the following link: .
Yes, this is entirely possible. AGOV in the eIAM context offers identity verification via video identification. The video identification is triggered when a target application requires it. It can also be triggered in advance via an onboarding process. Administrative units decide, as part of their onboarding process design, whether end users must pay for video identification online themselves or whether they receive a voucher from the administrative unit. Details on ordering vouchers for administrative units can be found at the following link: Ordering voucher
Important: CH-LOGINs that have already been verified, either via CH-LOGIN video identification (nHEC+) or through the VASCO token issuance process, retain their verification status until the end of the AGOV-Force phase (end-of-life of CH-LOGIN). This remains valid even if they use a non-verified AGOV login. Only from that point onward is a new verification in AGOV required.
With AGOV-First, verified/clarified identities in eIAM at level QoA40 or higher are offered only via AGOV. It is no longer possible to have CH-LOGINs verified.
Scenario 1: The user calls up an application with a QoA requirement higher than QoA30. The user logs in with an unverified AGOV-Login. eIAM recognises that the QoA requirement is not met. eIAM informs the user that they need a higher quality AGOV-Login and provides them with a help page where they can find all the information they need to improve their AGOV-Login to the required quality.
Scenario 2: The user calls up an application with a QoA requirement higher than QoA30. The user logs in with a CH-LOGIN that does not meet the required identity quality. CH-LOGIN recognises that the QoA requirement is not met. CH-LOGIN informs the user that they need an AGOV-Login with a higher quality and provides them with a help page where they can find all the information they need on how to register and verify an AGOV-Login with the required quality.
Scenario 3: The user calls up an application with a QoA requirement higher than QoA30. The user attempts to register a CH-LOGIN. CH-LOGIN explains to the user that new, verified identities are only supported with AGOV-Login. CH-LOGIN informs the user that they need an AGOV-Login with increased quality and provides them with a help page where they can find all the information they need on how to register and verify an AGOV-Login with the required quality.
Scenario 4: The department informs the user directly during the onboarding process that they need a verified AGOV-Login to access the application. The department provides the user with the necessary information during the onboarding process. This information includes the URL of the help page and, if necessary, a voucher code for video identification in AGOV at the organisation's expense.
Help page for verification at level QoA50 (verified identity)
Help page for verification at level QoA51 (verified identity including verified AHV number)
As part of eIAM, AGOV offers video identification. Identification is subject to a fee, which must be paid by the user before starting the identification process. In addition to other online payment methods, vouchers that can be obtained from the administrative unit and issued to the user are also accepted. Details on ordering vouchers for administrative units can be found here: Ordering voucher
AGOV is using LID on a trial basis with several cantons. Once the results have been evaluated, the Federal Chancellery will review the areas of application for LID.
In addition to other online payment methods, vouchers that can be obtained from the administrative unit and issued to the user are also accepted. Details on ordering vouchers for administrative units can be found here: Ordering voucher
No. It is not possible for a user to revert an already verified AGOV-Login (QoA50/QoA51) back to ‘not verified’ (QoA30) in self-service, e.g. for testing purposes. If data such as first name, last name or date of birth is changed during a verified AGOV-Login, this automatically triggers a new identity check so that the new data can be accepted. The changed data will only be accepted if the identity check with the new, changed data was successful. If you are testing test cases with verified and unverified identities, the test case must be set up so that two different identities are used: one identity with a verified AGOV-Login and one identity with an unverified AGOV-Login, both with the same user profile in the application.
CH-LOGINs that have already been verified via CH-LOGIN video identification (nHEC+) or the VASCO token delivery process retain their verification status until the end of the AGOV-Force phase (end of life of CH-LOGIN). This applies even if users use an unverified AGOV-Login. Only at this point will re-verification in AGOV be necessary.
If a CH-LOGIN user with a VASCO token switches to AGOV-Login, their CH-LOGIN and therefore their VASCO token will no longer be required for CH-LOGIN. eIAM automatically notifies the organisation responsible for managing VASCO tokens that this VASCO token is no longer used in the context of eIAM CH-LOGIN. If the VASCO token was used exclusively in the CH-LOGIN context, no further recurring charges will be made for this VASCO token. If the VASCO token is used in other contexts (e.g. Admin-VDI) in addition to CH-LOGIN, this token will continue to be billed for this application purpose.
The loss or defect of the VASCO token does not mean that the user must switch from CH-LOGIN to AGOV-Login. The user reports the problem with their VASCO token as before via their support organisation. The VASCO token is then replaced outside CH-LOGIN and eIAM. The new VASCO token can be used by the user without the user having to change anything in eIAM (CH-LOGIN).
Testing
Why do I have to test AGOV-First specifically? ▼
AGOV-First is a major release in eIAM and brings with it a host of new features. Details can be found both in the Release Notes and here in the Customer Portal. We therefore recommend that you conduct intensive testing of AGOV-First with your specialist applications during the extended phase in the REFERENCE environment, between the rollout with Release Lenzspitze on 13 May 2025 and further staging with Release Liskamm on ACCEPTANCE on 13 August 2025. This is to ensure that your specialist applications function properly with the introduction of AGOV-First with all login options and also when switching users from CH-LOGIN to AGOV-Login.
Is my application affected by AGOV-First if I cannot log in with the AGOV-Login? ▼
Yes, AGOV-First also includes the complete conversion and standardisation of the login selection, as well as additional functionalities such as just-in-time provisioning in the Federal Trust Broker (BTB). Applications that do not use AGOV-Login directly are also affected by these changes. It is therefore important that you also test the logins for these applications, e.g. with professional community identities (FEDRO, FOEN, FOCBS or FOC).
We recommend that you carry out the following specific tests at an early stage so that any problems can be identified and rectified. This will ensure that the rollout of AGOV-First in ACCEPTANCE and PRODUCTION can take place without any restrictions for the end users of your specialist applications.
Important: When testing from the federal network, do not forget to disable Autologo
- Test case 1: Log in to your application via all identity providers currently used by the specialist application with the appropriate test user for regression testing.
  - CH-LOGIN
  - FED-LOGIN
  - BYOI identity providers (e.g. #edaLogin, Switch edu-ID, ZUGLOGIN, eZug, GenèveID)
  - Identity provider sector (e.g. V-Login, HIN, PTI, etc.)
  - Specialist community login (FEDRO, FOEN, FOCBS or FOC)
  - Expected behaviour: The user is still recognised in the application as the user known from the past (before the release was introduced) (ID, roles, data, documents remain unchanged).
- Test case 2: Existing user of the specialist application continues to use it with CH-LOGIN
  - User has already used the specialist application in the past with a CH-LOGIN identity
  - User accesses the specialist application.
  - User uses the login function of the specialist application (if interactive).
  - Select CH-LOGIN.
  - Login with CH-LOGIN.
  - Expected behaviour: The user is still recognised in the application as the user known from the past (before the release was introduced) (ID, roles, data, documents remain unchanged).
- Test case 3: Existing user of the specialist application uses their AGOV-Login for the first time in eIAM – identical email address
  - The user has already used the specialist application in the past with a CH-LOGIN identity.
  - The user calls up the specialist application.
  - The user uses the login function of the specialist application (if interactive).
  - User selects AGOV.
  - User authenticates in AGOV with an AGOV-Login with the same email address as their CH-LOGIN. Or user registers a new AGOV-Login in AGOV with the same email address as their CH-LOGIN.
  - User is guided through the upgrade process by the CH2A wizard.
  - It is determined that a CH-LOGIN exists that was registered with the same email address as the AGOV-Login.
  - The user is prompted to upgrade from CH-LOGIN to AGOV-Login. To do this, they are prompted to log in with their CH-LOGIN password (and second factor, if applicable).
  - If the CH-LOGIN credentials are entered correctly, the upgrade to AGOV-Login is performed.
  - Expected behaviour: The user is still recognised in the application as the user known from the past (before the release was introduced) (ID, roles, data, documents remain unchanged).
- Test case 4: Existing user of the specialist application uses their AGOV-Login for the first time in eIAM – different email address
  - The user has already used the specialist application in the past with a CH-LOGIN identity.
  - The user calls up the specialist application.
  - The user uses the login function of the specialist application (if interactive).
  - User selects AGOV.
  - User authenticates in AGOV with an AGOV-Login with a different email address than their CH-LOGIN. Or user registers a new AGOV-Login in AGOV with a different email address than their CH-LOGIN. The AGOV-Login has not yet been used in eIAM.
  - The user is guided through the upgrade process by the CH2A wizard.
  - It is determined that no CH-LOGIN exists that was registered with the same email address as the AGOV-Login. The user is asked whether they have a CH-LOGIN that is registered with a different email address.
  - The user confirms that they have a CH-LOGIN.
  - The user is prompted to enter their email address, password (and second factor, if necessary).
  - If the CH-LOGIN credentials are entered correctly, the upgrade to AGOV-Login is performed.
  - Expected behaviour: The user is still recognised in the application as the user known from the past (before the release was introduced) (ID, roles, data, documents remain unchanged).
- Test case 5: New user of the specialist application uses their AGOV-Login for the first time in eIAM
  - The user has never used the specialist application or eIAM in the past (not even with CH-LOGIN).
  - The user calls up the specialist application.
  - The user uses the login function of the specialist application (if interactive).
  - The user selects AGOV.
  - The user authenticates themselves in AGOV with an AGOV-Login. Or the user registers a new AGOV-Login in AGOV.
  - The user is guided through the upgrade process by the CH2A wizard.
  - It is determined that no CH-LOGIN exists that was registered with the same email address as the AGOV-Login. The user is asked whether they have a CH-LOGIN that is registered with a different email address.
  - The user confirms that they do not have any CH-LOGIN.
  - A new account is created for the user in eIAM.
  - Expected behaviour: The onboarding of the new user in the line application (and in eIAM, if access management is in eIAM) works as specified by you for the line application.
Yes. Test cases "Test Case 3" and "Test Case 4" must be tested particularly carefully with your application. Through testing and feedback from application owners, we have identified that a few applications use incorrect technical identifiers for mapping the user's identity between eIAM and the application. As a result, these applications may fail to correctly recognize a user after switching from CH-LOGIN to AGOV-Login. How this recognition works differs per application. The authorization roles from eIAM are not the decisive factor in this case. Although the user remains the same within eIAM with identical permissions, they are no longer recognized as the same user in the application.
In such cases, for example, the user may no longer see data they had entered using CH-LOGIN after switching to AGOV-Login, or they may no longer see documents they had uploaded with their CH-LOGIN.
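One way to run this check during Test Case 3 and Test Case 4, as an added example that is not eIAM or project code: record the claims your application receives for the same test user before and after the switch, then test whether the claim your application keys its user records on survives. The claim names (`stable_user_id`, `idp_subject`, `chlogin_only_claim`) and all values are hypothetical placeholders, and the changed email for `tester-b` is an assumption made for illustration.

```python
"""Check which claims can safely key an application's user records across a
CH-LOGIN -> AGOV-Login switch. Claim names and values are constructed."""

# Constructed recordings: claims the application received for the same test
# user before the switch (CH-LOGIN) and after it (AGOV-Login). The claim names
# are hypothetical placeholders, not eIAM's real claim names.
SAMPLE_SESSIONS = {
    "tester-a": {  # Test Case 3: AGOV-Login with the identical email address
        "before": {
            "stable_user_id": "U-1001",
            "idp_subject": "chlogin:7f3a",
            "email": "tester.a@example.org",
            "chlogin_only_claim": "legacy-value",
            "roles": "app.user",
        },
        "after": {
            "stable_user_id": "U-1001",
            "idp_subject": "agov:91bc",
            "email": "tester.a@example.org",
            "roles": "app.user",
        },
    },
    "tester-b": {  # Test Case 4: AGOV-Login with a different email address
        "before": {
            "stable_user_id": "U-1002",
            "idp_subject": "chlogin:c2d9",
            "email": "tester.b.old@example.org",
            "chlogin_only_claim": "legacy-value",
            "roles": "app.user",
        },
        "after": {
            "stable_user_id": "U-1002",
            "idp_subject": "agov:44e0",
            "email": "tester.b.new@example.org",  # assumed for illustration
            "roles": "app.user",
        },
    },
}


def diff_claims(before, after):
    """Return (removed, added, changed) between two claim sets."""
    removed = sorted(k for k in before if k not in after)
    added = sorted(k for k in after if k not in before)
    changed = {
        k: (before[k], after[k])
        for k in before
        if k in after and before[k] != after[k]
    }
    return removed, added, changed


def check_mapping_claim(before, after, claim):
    """Say whether `claim` still identifies the same user after the switch."""
    if claim not in before:
        return False, "claim was not delivered before the switch"
    if claim not in after:
        return False, "claim is no longer delivered after the switch"
    if before[claim] != after[claim]:
        return False, "claim value changed, user would look like a new account"
    return True, "claim unchanged"


def usable_mapping_claims(sessions):
    """Claims that are unchanged across the switch for every test user and
    whose values differ between users, so they can serve as a lookup key."""
    stable = None
    for rec in sessions.values():
        before, after = rec["before"], rec["after"]
        same = {k for k in before if k in after and before[k] == after[k]}
        stable = same if stable is None else stable & same
    usable = []
    for claim in sorted(stable or ()):
        # repr() keeps list-valued claims hashable for the uniqueness test
        values = [repr(rec["after"][claim]) for rec in sessions.values()]
        if len(set(values)) == len(values):
            usable.append(claim)
    return usable


if __name__ == "__main__":
    for user, rec in SAMPLE_SESSIONS.items():
        removed, added, changed = diff_claims(rec["before"], rec["after"])
        print(user, "removed:", removed, "added:", added,
              "changed:", sorted(changed))
        for claim in ("stable_user_id", "idp_subject", "email"):
            ok, reason = check_mapping_claim(rec["before"], rec["after"], claim)
            print(f"  key={claim}: {'OK' if ok else 'BREAKS'} ({reason})")
    print("usable mapping claims:", usable_mapping_claims(SAMPLE_SESSIONS))
```

A claim such as `roles` is unchanged by the switch but shared between users, which is why the check requires uniqueness as well as stability before accepting a claim as a mapping key.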
What should I do if I detect irregularities during testing? ▼
Report any irregularities or errors you observe during your tests via the feedback form.
You will be contacted by the eIAM team without delay.
What if I need more than 10 different AGOV-Logins for testing purposes? ▼
An AGOV access app on a mobile device allows up to 10 different AGOV-Logins to be registered. If you need more than 10 AGOV-Logins, for example to test different use cases in your application with many different identities, we recommend the use of security keys (FIDO2). Depending on the hardware, a single security key can be used for several hundred AGOV-Logins. It is also possible to register multiple security keys for a single AGOV-Login. This is useful, for example, if several people need to perform tests with the same AGOV-Logins.
AGOV provides a single productive environment for all environments of applications from the Confederation, cantons, and municipalities. This means that an AGOV-Login is registered in the productive AGOV environment and managed by its owner, regardless of whether this AGOV-Login is used in the PRODUCTION, ACCEPTANCE, or REFERENCE environment of eIAM.
This depends on the quality of authentication (QoA) required for the test case.
- If the test case allows the use of non-verified identities, an AGOV-Login can be registered in AGOV. Up to 10 Access Apps can be registered on this AGOV-Login on different smartphones. Alternatively, multiple security keys can be registered for the AGOV-Login.
- If the test case requires the use of verified identities, only personal, non-transferable, verified identities may be used. Technically, it is still possible to pass on this personal identity to other individuals. However, this is strongly discouraged. The owner of this verified personal identity is responsible and liable for its use.
Test automation/monitoring
Do I need to adjust anything for test automation or end-to-end (E2E) monitoring? ▼Yes. With AGOV-First, the so-called Home Realm Discovery (HRD), i.e. the selection of the identity provider with which the user wants to authenticate, will change. Test automations and E2E monitoring that include authentication with eIAM must be adapted.
No. AGOV supports the identity verification methods ‘AGOV Access App’ and physical security keys (FIDO2). Neither type of identity verification method is suitable for automated E2E testing or automated monitoring. Please continue to use CH-LOGIN identities. The issue of monitoring and automated E2E testing in eIAM has been addressed.
It is still possible to order CH-LOGIN identities as so-called "Managed Techusers" for such tasks from eIAM. These are CH-LOGIN identities with a password and, if required (QoA >20), with a fixed mTAN. In the REF and ABN operating environments, such "Managed Techusers" are available up to a QoA level of 50.
User guidance – Documentation provided by the business unit/application
Do I need to adapt the documentation for end users? ▼Yes. If you provide documentation to users on the following topics, it must be adapted:
- Registration of new CH-LOGIN identities
- Login using CH-LOGIN identities
- Recovery of CH-LOGIN identities (e.g. password reset)
- Switch from CH-LOGIN to AGOV-Login
- Verification/clarification of identities (enhanced QoA)
How do I need to adapt the documentation? ▼
Business applications should not create step-by-step guides that describe eIAM processes. Experience shows that such guides are not regularly updated and thus become outdated when changes occur in eIAM. Outdated guides defeat their purpose and do not support users. The eIAM service provides central user assistance if support is needed — for example, during registration or login recovery.
Please direct users to the central eIAM help portal for all information regarding eIAM, CH-LOGIN, FED-LOGIN and AGOV:
By when do I need to adapt the documentation? ▼
The rollout of AGOV-First is planned for Sunday, 7 September 2025. By that date, you should also publish the updated documentation for your business application.
End user-related
No selection of login methods in the federal network. Why? ▼With AGOV-First, the selection of login methods has been revised and optimised. As part of this revision, login with FED-LOGIN will become the default option and will therefore be selected automatically from Federal Administration networks. This offers users in Federal Administration networks an optimal user experience when logging into eIAM-integrated applications, as this takes place entirely in the background without any interaction with the end user. For people who want to use login methods other than FED-LOGIN from federal administration networks (e.g. for testing), the eIAM feature ‘Autologon Cookie’ can be used. This allows alternative login methods to be selected. Information about the ‘Autologon’ feature can be found here: Testing without Autologon
In the AGOV Allow phase, end users can use the AGOV-Login on a voluntary basis. This applies even if they already have a CH-LOGIN. For the target applications, it is irrelevant whether the user continues to use the CH-LOGIN or their AGOV-Login.
In the AGOV-First phase (see dates above in the roadmap explanations), users can set up their AGOV-Login as a separate login, independent of a CH-LOGIN. They are guided and supported by a wizard during the secure upgrade of their CH-LOGIN to AGOV-Login. If users wish to continue using their CH-LOGIN, they do not need to upgrade to AGOV-Login during this phase. This will only take place in later phases of CH2A.
How does the CH2A-Wizard work? ▼
Technically, the CH2A-Wizard is a helper component between AGOV and eIAM. It monitors all logins made via AGOV and activates whenever it detects that an AGOV-Login is being used that is not yet known in eIAM as a standalone, authenticating identity. The CH2A-Wizard uses its processes to guide users through a simple yet secure upgrade from CH-LOGIN to AGOV-Login, ensuring that the user retains all permissions and data in eIAM and in applications integrated with eIAM.
- When the user accesses a web application of the Federal Administration that is integrated with eIAM and requires a login, they do not select "CH-LOGIN" but instead choose "AGOV" to sign in.
- The user logs in to AGOV using an existing AGOV-Login or registers a new AGOV-Login.
- Following a successful login or registration in AGOV, the user is automatically guided through the upgrade process by the CH2A-Wizard. Several scenarios are possible:
  - a) The user has already used their AGOV-Login during the AGOV-First phase with the Federal Administration.
    - The CH2A-Wizard detects that this AGOV-Login is already known and that no upgrade from CH-LOGIN to AGOV-Login is necessary. The user is forwarded directly to the application.
  - b) The user is using their AGOV-Login for the first time with the Federal Administration. They registered their AGOV-Login with the same email address as their CH-LOGIN.
    - The CH2A-Wizard detects via the email address provided by AGOV that a CH-LOGIN with the same email address exists.
    - The user is prompted to log in one last time with their CH-LOGIN. This ensures that only the legitimate owner of the CH-LOGIN can link it to the AGOV-Login.
    - After a successful login with CH-LOGIN, the user’s eIAM account is linked to their AGOV-Login.
    - The user is informed that their CH-LOGIN has been deleted, that it can no longer be used, and that they must now use AGOV to log in.
    - From now on, the user can log in securely and conveniently using their AGOV-Login. All their permissions have been transferred to their AGOV-Login.
  - c) The user has already used their AGOV-Login in the context of AGOV-Allow within the Federal Administration. The user used the AGOV-Login as a "BYOI" identity with CH-LOGIN.
    - In this case, the AGOV-Login is already linked to the user's CH-LOGIN.
    - The user is informed that their CH-LOGIN has been deleted, that it can no longer be used, and that they must now use AGOV to log in.
    - From now on, the user can log in securely and conveniently using their AGOV-Login. All their permissions have been transferred to their AGOV-Login.
  - d) The user is using their AGOV-Login for the first time with the Federal Administration. They registered their AGOV-Login with a different email address than their CH-LOGIN.
    - The CH2A-Wizard detects via the email address provided by AGOV that no CH-LOGIN with this email address exists.
    - The user is asked whether they have a CH-LOGIN registered under a different email address than their AGOV-Login and whether they wish to replace that CH-LOGIN with their AGOV-Login.
    - If the user confirms they have a CH-LOGIN, they are prompted to log in with it to prove they are the rightful owner of that CH-LOGIN account.
    - After successful login with their CH-LOGIN, the user's eIAM account is linked to their AGOV-Login.
    - The user is informed that their CH-LOGIN has been deleted, that it can no longer be used, and that they must now use AGOV to log in.
    - From now on, the user can log in securely and conveniently using their AGOV-Login. All their permissions have been transferred to their AGOV-Login.
  - e) The user is using their AGOV-Login for the first time with the Federal Administration. The user does not have a CH-LOGIN.
    - The CH2A-Wizard detects via the email address provided by AGOV that no CH-LOGIN with this email address exists.
    - The user is asked whether they have a CH-LOGIN registered under a different email address than their AGOV-Login and whether they wish to replace that CH-LOGIN with their AGOV-Login.
    - The user selects that they do not have a CH-LOGIN they wish to link with this AGOV-Login.
    - For security reasons, the user must confirm that they really do not want to link a CH-LOGIN with their AGOV-Login. They are informed that a connection to a CH-LOGIN will no longer be possible later.
    - From now on, the user can log in securely and conveniently using their AGOV-Login. No permissions have been transferred because the user has not yet used any Federal Administration applications with CH-LOGIN.

Note: a detailed step-by-step guide with screenshots of each step will follow.
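The scenario selection described above can be modelled as a small decision function. This is an added illustration, not eIAM or AGOV code: the `Directory` store, the `wizard` function, its parameters and all sample values are hypothetical. It shows the property the FAQ stresses, namely that an email match only selects which CH-LOGIN to ask for and that linking happens only after a full CH-LOGIN login.

```python
from dataclasses import dataclass, field

@dataclass
class Directory:
    """Constructed stand-in for the eIAM account store (hypothetical model)."""
    known_agov: set = field(default_factory=set)          # AGOV-Logins already standalone
    byoi_links: dict = field(default_factory=dict)        # AGOV-Login -> account (AGOV-Allow BYOI)
    chlogin_by_email: dict = field(default_factory=dict)  # email -> account with a CH-LOGIN
    linked: dict = field(default_factory=dict)            # AGOV-Login -> eIAM account

def replace_chlogin(d, agov_sub, account, scenario):
    """Link the eIAM account to the AGOV-Login and delete its CH-LOGIN."""
    d.chlogin_by_email = {e: a for e, a in d.chlogin_by_email.items() if a != account}
    d.byoi_links.pop(agov_sub, None)
    d.linked[agov_sub] = account
    d.known_agov.add(agov_sub)
    return scenario, "linked"

def wizard(d, agov_sub, agov_email, has_other_chlogin=False,
           chlogin_auth=None, confirm_no_link=False):
    """Return (scenario, outcome). chlogin_auth is the account proven by a
    full CH-LOGIN login in this session, or None if no such login happened."""
    if agov_sub in d.known_agov:                      # a) already known
        return "a", "forward_to_application"
    if agov_sub in d.byoi_links:                      # c) linked earlier as BYOI
        return replace_chlogin(d, agov_sub, d.byoi_links[agov_sub], "c")
    candidate = d.chlogin_by_email.get(agov_email.lower())
    if candidate is not None:                         # b) same email address
        # The match is only a hint. Assumption of this model: the proven
        # CH-LOGIN must be the matched one before anything is linked.
        if chlogin_auth != candidate:
            return "b", "chlogin_login_required"
        return replace_chlogin(d, agov_sub, candidate, "b")
    if has_other_chlogin:                             # d) different email address
        if chlogin_auth not in d.chlogin_by_email.values():
            return "d", "chlogin_login_required"
        return replace_chlogin(d, agov_sub, chlogin_auth, "d")
    if not confirm_no_link:                           # e) no CH-LOGIN at all
        return "e", "confirmation_required"
    d.known_agov.add(agov_sub)
    return "e", "standalone_no_permissions_transferred"

if __name__ == "__main__":
    d = Directory(chlogin_by_email={"anna@example.org": "acct-1"})  # constructed data
    print(wizard(d, "agov-7", "anna@example.org"))                  # email match alone
    print(wizard(d, "agov-7", "anna@example.org", chlogin_auth="acct-1"))
    print(wizard(d, "agov-7", "anna@example.org"))                  # next login
```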
Natural persons act on behalf of legal entities and therefore log in using their AGOV-Login. AGOV itself only knows the natural person and not their assignment to legal entities. This assignment must be mapped in the target application.
Is there any help documentation on AGOV for users? ▼
For AGOV users, there are various help pages at agov.ch/hel
In addition to this AGOV-specific help, a help pag