AGOV-First (only in REF)

Please note that the changes within the scope of "AGOV-First" will only be rolled out in the REF environment of eIAM with the release "Lenzspitze", and not in the ABN and PROD environments. In the ABN and PROD environments of eIAM, "AGOV-First" will only be rolled out with the next release, "Liskamm". This procedure was chosen after consultation with our customers in order to give you, as eIAM customers, sufficient time to familiarise yourself with the changes introduced by AGOV-First, to test AGOV-First extensively with your specialist applications and to give us feedback at an early stage, before these changes take effect in production with the "Liskamm" release in September 2025.

Please also refer to the special section "Testing" in the FAQ for CH2A, which contains important information on testing in the context of CH2A.

AGOV is the login service of the Swiss public authorities. It can be used by federal, cantonal and municipal authorities. Thanks to new technology, you no longer need a user name and password with AGOV, which is safer and more convenient for users than using a password. AGOV is a federal service and has been available in the first government applications since the start of 2024. AGOV has also been usable in eIAM since the beginning of 2024, but so far only with restrictions, as a "Bring Your Own ID (BYOI)" add-on to a CH-LOGIN account.

The project to replace CH-LOGIN with AGOV (CH2A) takes the next step with the "AGOV-First" phase: making AGOV the authority login of choice in the Federal Administration as well. In the "AGOV-First" phase, existing CH-LOGIN identities can still be used, and the registration of new CH-LOGIN identities is still supported. The only exception is new, verified identities (with an increased Quality of Authentication level, QoA): verified eGOV identities will only be offered via AGOV. This allows users to benefit from the fact that their fee-based verified identity can be used at all administrative levels.

As part of the "AGOV-First" phase, AGOV is to be promoted as Switzerland's authority login. Users should be informed about AGOV and motivated to use it, but without any pressure being exerted on them. The secure switch from CH-LOGIN to AGOV should be made as easy as possible for users with an existing CH-LOGIN.

Up-to-date information about AGOV, CH2A and the current AGOV-First phase, including the presentation and the use case demonstrations from the customer event on 11 April 2025, can be found on the eIAM Soundingboard.

Standardisation of the selection of the login method (Home Realm Discovery)

As part of AGOV-First, the selection of the login method, i.e. the selection of the identity provider (Home Realm Discovery, HRD), has been revised and standardised. Previously, eIAM offered two different options: the so-called "tile view", which displayed all identity providers as tiles, and the so-called "CH-LOGIN First" view, which allowed direct login to CH-LOGIN and offered the other identity providers as alternatives. In addition, the selection of the login method on small screens (smartphone) differed greatly from that on large screens (laptop/desktop). This inconsistent behaviour of eIAM has repeatedly caused confusion among users, and it is not compatible with the "AGOV-First" approach, in which AGOV is to be brought to the fore as the Swiss authority login for eGOV users. For this reason, the new Home Realm Discovery always offers AGOV as the primary identity provider for applications that support the eGOV context. An information box informs the user about AGOV as the Swiss authority login and motivates them to use AGOV.

Figure: Desktop view: Selecting the login method

Figure: Mobile view: Selecting the login method

Transparent blocking of unsupported login methods

eIAM supports different login methods and identity providers, whose identities are of varying quality, generally up to a level of QoA30. This is sufficient for many Federal Administration applications in the eGOV context. If an application requires a higher quality of authentication, AGOV-First does not simply hide the identity providers whose identities do not meet the requirement, but continues to display them to the user, marked as locked. The user is told transparently why the identity previously used in eIAM cannot be used and how they must proceed in order to use the application they want to access in future. This improves the user experience in eIAM for applications with increased QoA requirements.

Information about the eIAM QoA levels can be found here:

Figure: Blocking of unsupported login methods
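The HRD behaviour described above (AGOV first in the eGOV context, providers below the required QoA shown as locked with a reason rather than hidden), as an added Python example that is not eIAM's own code. The identity provider catalogue, the per-provider maximum QoA values and the rule that only AGOV can satisfy QoA51 (verified AHV number) are assumptions drawn from this page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IdentityProvider:
    name: str
    max_qoa: int                   # highest QoA an identity from this IdP can reach in eIAM
    verified_ahv: bool = False     # can deliver a verified AHV number (needed for QoA51)


# Constructed catalogue (assumption): AGOV up to QoA51, CH-LOGIN up to QoA50
# for identities verified before AGOV-First, a generic BYOI provider QoA30.
IDPS = (
    IdentityProvider("CH-LOGIN", 50),
    IdentityProvider("AGOV", 51, verified_ahv=True),
    IdentityProvider("BYOI-Example", 30),
)


def hrd_options(required_qoa: int, egov_context: bool, idps=IDPS) -> list[dict]:
    """Build the HRD list: AGOV first in the eGOV context, and every provider that
    cannot reach the required QoA still listed, but locked and with a reason."""
    # sorted() is stable, so the catalogue order is kept behind AGOV
    ordered = sorted(idps, key=lambda p: 0 if egov_context and p.name == "AGOV" else 1)
    entries = []
    for p in ordered:
        if required_qoa >= 51 and not p.verified_ahv:
            locked = True
            reason = "application requires a verified AHV number (QoA51); only AGOV can provide it"
        elif p.max_qoa < required_qoa:
            locked = True
            reason = f"{p.name} identities reach at most QoA{p.max_qoa}; application requires QoA{required_qoa}"
        else:
            locked, reason = False, ""
        entries.append({"idp": p.name, "locked": locked, "reason": reason})
    return entries


def usable_idps(required_qoa: int, egov_context: bool) -> list[str]:
    """Names of the providers the user can actually pick for this application."""
    return [e["idp"] for e in hrd_options(required_qoa, egov_context) if not e["locked"]]
```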


Support for users when upgrading from CH-LOGIN to AGOV-Login (Upgrade Wizard)

A wizard has been developed in eIAM to make it as easy as possible for the approximately 2.8 million users with an existing CH-LOGIN to switch securely from CH-LOGIN to AGOV-Login. When a user accesses eIAM for the first time with their AGOV login, the wizard determines whether there is a CH-LOGIN in eIAM registered with the same e-mail address as the AGOV login. If a corresponding account is found, the user is informed that a CH-LOGIN with the same e-mail address exists and is offered the option of replacing the CH-LOGIN with their AGOV login. To do this, the user must prove that they are the rightful owner of the CH-LOGIN by logging in with the credentials registered in eIAM (password and, if registered, the second factor). If no CH-LOGIN with the e-mail address reported by AGOV is found when logging in to eIAM with AGOV-Login, the user is asked whether they have a CH-LOGIN registered with a different e-mail address that they wish to replace with their AGOV-Login, or whether they do not have a CH-LOGIN at all. If the user wishes to use an existing CH-LOGIN, they must authenticate themselves as its legitimate owner with the e-mail address of their CH-LOGIN, the password and, if necessary, the second factor.

In both cases, the eIAM identity is linked to the user's AGOV login and their previously used CH-LOGIN is archived. The user is informed that their CH-LOGIN has been deleted and that they must always use AGOV to log in in future. All access authorisations are retained during this process.

If the user confirms that they do not have a CH-LOGIN, a new eIAM identity is created for them.
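The wizard's decision flow described in the three paragraphs above, as an added illustration that is not eIAM's own code: the identity store, the password hashing, the second-factor check and all names in it are constructed stand-ins, since the page does not describe eIAM's internal interfaces.

```python
import hashlib
import hmac

SALT = "constructed-salt"   # constructed; a real store uses a random per-credential salt


def _pw_hash(password: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT.encode(), 100_000).hex()


# Constructed identity store: one eIAM identity that still has a CH-LOGIN credential.
IDENTITIES = {
    "eiam-1": {
        "email": "anna@example.ch",
        "chlogin": {"pw": _pw_hash("correct horse"), "second_factor": "123456"},
        "agov_subject": None,          # set once the AGOV login is linked
        "chlogin_archived": False,
        "authorisations": {"app-x:user", "app-y:admin"},
    },
}


def _find_by_email(email: str):
    return next((k for k, v in IDENTITIES.items() if v["email"].lower() == email.lower()), None)


def start_upgrade(agov_subject: str, agov_email: str) -> str:
    """First login with AGOV: decide which wizard branch the user gets."""
    ident = _find_by_email(agov_email)
    if ident is not None and IDENTITIES[ident]["agov_subject"] == agov_subject:
        return "already_linked"
    if ident is not None and IDENTITIES[ident]["chlogin"] is not None:
        return "prove_chlogin_ownership"    # CH-LOGIN with same e-mail: user must log in to it
    return "ask_other_chlogin_or_new"       # no match: other address, or create a new identity


def complete_upgrade(agov_subject: str, chlogin_email: str, password: str, second_factor: str) -> str:
    """Link the AGOV login only after the CH-LOGIN credentials prove ownership."""
    ident = _find_by_email(chlogin_email)
    cred = IDENTITIES[ident]["chlogin"] if ident else None
    ok = (cred is not None
          and hmac.compare_digest(cred["pw"], _pw_hash(password))
          and hmac.compare_digest(cred["second_factor"], second_factor))
    if not ok:
        return "proof_failed"               # same answer whether or not the address is known
    rec = IDENTITIES[ident]
    rec["agov_subject"] = agov_subject      # eIAM identity is now bound to the AGOV login
    rec["chlogin"] = None                   # CH-LOGIN archived; authorisations are untouched
    rec["chlogin_archived"] = True
    return "upgraded"
```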

Support for users when upgrading from CH-LOGIN to AGOV and recoveries

Of course, when users switch from CH-LOGIN to AGOV, we also expect situations in which the user can no longer use their CH-LOGIN login factors (password / second factor). In these cases, too, security must of course be the top priority. The wizard offers the user the recovery function for the password and second factors, but in an optimised form that is as user-friendly as possible. For example, it makes no sense to have the user enter a new password or a new second factor during recovery only for the change from CH-LOGIN to AGOV if the password and second factor are never needed again afterwards. In the recovery cases, the fallbacks to the defined replacement factors (e-mail account / security questions) are used to authenticate the rightful owner of the CH-LOGIN, while the unnecessary recording of login factors that are no longer required is consistently avoided.

Support for users with verified CH-LOGIN identities when upgrading to AGOV

Users with CH-LOGIN identities that have been verified either via the so-called nHEC+ verification process (with video identification) or via the VASCO token issuance process retain their verification status and thus the QoA of their identity in eIAM even when upgrading their CH-LOGIN to AGOV-Login until the validity of the identity verification expires (5 years after performing the video identification or delivery of the VASCO token). This also applies if they carry out the upgrade with an unverified AGOV login. From the point at which the user uses their eIAM identity with a verified AGOV login, AGOV specifies the identity verification status.

CH-LOGIN - Support for users after upgrading from CH-LOGIN to AGOV-Login

It is to be expected that users will simply forget that they have already made the switch from CH-LOGIN to AGOV in the past and later try in vain to log in with their former CH-LOGIN. eIAM informs the user that they have already upgraded to AGOV-Login in the following cases:
  • The user tries to log in with their former CH-LOGIN (identified via the e-mail address).
  • The user tries to recover the password of their former CH-LOGIN because the login does not work.
  • The user tries to register a new CH-LOGIN with the same e-mail address as their old CH-LOGIN or as their AGOV-Login already used in eIAM.
In these cases, the user is informed that they have already upgraded to AGOV login and that they should use their AGOV login. These processes have also been designed in such a way that no information about existing or already upgraded accounts is disclosed to a potential attacker.

CH-LOGIN - Support for new users when choosing an identity provider

With AGOV-First, after selecting CH-LOGIN and choosing to register a new CH-LOGIN, the user is informed about AGOV and motivated to register an AGOV login instead of a CH-LOGIN. However, the user is offered both options. They can choose whether they want to register an AGOV login or a CH-LOGIN. An exception to this behaviour is if the user has called up an application that requires a higher quality of authentication (> QoA30). In this case, the user is informed that new, verified identities are only offered with an AGOV login. In this case, the user only has the choice of registering an AGOV login or cancelling the registration.

Figure: Information about registering for an AGOV-Login instead of a CH-LOGIN.

CH-LOGIN - Fade-Out support VASCO token

Previously, it was possible with CH-LOGIN to register VASCO tokens issued by the BIT as a strong second factor. With AGOV-First, it is no longer possible to register VASCO tokens as a means of authentication for CH-LOGIN identities. CH-LOGIN with already registered VASCO tokens will continue to work with VASCO tokens as a second factor.

Note: This explicitly refers to the re-registration of VASCO tokens for CH-LOGIN identities. The "OTP login" is a different login method; it is not affected by this change and should not be confused with CH-LOGIN.

Figure: CH-LOGIN tile
Figure: OTP-Login tile

CH-LOGIN - Fade-out of identity verification support with video identification

Previously, it was possible to upgrade CH-LOGIN identities with identity verification means at level "high" (Mobile ID / FIDO2 security key) from level QoA30 to level QoA50 by means of a verification process with video identification (VIPS). With AGOV-First, this upgrade is no longer offered for CH-LOGIN identities. Users who now require a verified identity in the eGOV context create an AGOV login, carry out the identification process in AGOV and upgrade their existing CH-LOGIN with their verified AGOV login.

CH-LOGIN identities that had already completed this verification process before AGOV-First retain their verification status until the identification expires (5 years after the video identification was carried out).

AGOV - Support of verified AGOV identities in eIAM (QoA50)

Until now, AGOV identities could already be used in eIAM. However, they were accepted in the same way as other so-called Bring Your Own Identity (BYOI) identities: as an alternative login method in the CH-LOGIN context and only with a classification of "normal", i.e. the "medium" level according to Si001, even if the user had authenticated with a credential at level "high" and the identity of the owner of the AGOV login had been established by means of a high-quality verification process. With AGOV-First, users can also use Federal Administration applications in the eGOV context with their AGOV login if the application requires a quality of authentication of "high" (up to QoA50).

If the QoA level is too low, the user is notified after authentication that they require a verified AGOV-Login and is guided through the process of obtaining a verified AGOV-Login at QoA50 level. The procedure is described here: Verified AGOV-Login (QoA50).

With the release of Lenzspitze and the rollout of AGOV-First, AGOV identities can be used in eIAM up to a QoA level of QoA51. See also ‘AGOV – Support for AGOV identities with verified AHV numbers in eIAM (QoA51)’.

Information about the eIAM QoA levels can be found here:

AGOV - Support of AGOV identities with verified AHV number in eIAM (QoA51)

AGOV is able to provide the verified AHV number for persons with an AGOV login. The basis for this is a verified AGOV identity. By verifying the AHV number against the ZAS Register, AGOV verifies whether the AHV number actually belongs to this person. eIAM-integrated applications can now request the authentication quality QoA51. It should be noted that the application can then only be used with AGOV as the identity provider, as only AGOV can provide the verified AHV number. Of course, the application can then only be used by people who have an AHV number.

If the QoA level is too low, the user will be notified after authentication that they require a verified AGOV-Login and will be guided through the process of obtaining a verified AGOV-Login at QoA51 level. The procedure is described here: Verified AGOV-Login with SSN (AHV) number (QoA51).

Information about the eIAM QoA levels can be found here:

Automatic updating of identity data in eIAM - just-in-time provisioning

Before AGOV-First, users had to update changes to identity-related information (first name, surname, email address and preferred correspondence language) in eIAM MyAccount themselves. This was also the case if the user used the identity of an external identity provider. With AGOV-First, the identity information first name, surname, e-mail address and preferred correspondence language are automatically updated in eIAM each time the user logs in. The advantage for the user is that they can maintain their data centrally with the identity provider. Multiple administration of data at the identity provider and in eIAM is no longer necessary.

eIAM-MyAccount - Editing identity data blocked with external identity providers

With AGOV-First, the editing of identity data ("User profile" tab) is blocked in eIAM-MyAccount if the user uses the identity of an external identity provider. This is because AGOV-First automatically updates this data with the identity provider's data each time the user logs in. The user is informed in MyAccount that the data is supplied by the external identity provider and that they must update their data there if necessary. The data updated in the external identity provider is displayed to the user in eIAM-MyAccount after the next login.


AGOV-First: Your feedback is important to us!
If you have tested AGOV-First in the REFERENCE environment, please let us know about your experiences via the feedback form "AGOV-First".