Frequently Asked Questions

Is your question missing? Please post it at

Glossary

What does the abbreviation "CH2A" mean?

The term "CH2A" stands for "CH-LOGIN to AGOV". CH2A is a strategic initiative by BK-DTI. It addresses the replacement of CH-LOGIN by AGOV across the entire federal administration.

What is the "CH2A-Wizard"?

The so-called "CH2A-Wizard" is a component of the federation communication between AGOV as identity provider and eIAM as the consumer of AGOV identities. The CH2A-Wizard assists users with the simple and secure transition from CH-LOGIN to AGOV-Login, especially if a user wants to replace an existing CH-LOGIN with their AGOV-Login. It detects an AGOV-Login that has the same email address as an existing CH-LOGIN and offers the user the option to replace the CH-LOGIN with their AGOV-Login. The wizard also supports scenarios where the AGOV-Login was registered with a different email address than the CH-LOGIN and allows the user to carry out the replacement. To ensure secure migration, a full CH-LOGIN login is always required. The transition is never carried out based solely on matching email addresses.

Strategic Context

What are the advantages of AGOV-Login compared to CH-LOGIN?

AGOV-Login can be used by individuals and business representatives to interact with all administrative levels in Switzerland (municipalities, cantons, federal government, and third parties authorized by EMBAG). CH-LOGIN, in contrast, is limited to federal administration applications. Unlike CH-LOGIN, AGOV-Login is compatible with e-ID. For applications that require it, AGOV can request and provide a verified AHV number. AGOV-Login eliminates outdated and less secure login methods such as passwords and SMS-mTAN. Through the use of the AGOV Access App for Apple and Android devices and physical security keys (FIDO2), AGOV-Login is fully passwordless and offers better user experience and higher security compared to password-based methods.

Why AGOV?

AGOV is Switzerland’s official government login. It enables you to interact with authorities at all administrative levels (municipal, cantonal, federal) using a single login method—without having to manage passwords.

Organisation

How is CH2A organised? Who can I contact?

CH2A is a project of CFh-DTI, in collaboration with FOITT. Bruno Frutiger from the Digital Standard Services (DS) department, who is responsible for digital basic and security solutions (DBS), acts as the client. Responsibility for the IAM service lies with business owner Stefan Minder, also from the DBS department and deputy project manager for the project. The CH2A project manager is Philipp Dasen from the DBS department. Edgar Kälin is responsible for the implementation of the DEV/OPS sub-project on behalf of FOITT.

Costs and Billing

What does AGOV usage cost for my administrative unit?

AGOV usage, like CH-LOGIN usage, is included in the eIAM pricing model. If target applications require identity verification via AGOV, the end user must pay online, or the administrative unit can provide a voucher code as part of its onboarding processes. Details on ordering vouchers for administrative units can be found at:

Support

How do users receive support?

AGOV is designed to enable end users to help themselves first. Thanks to a multi-level account recovery mechanism, fewer support cases are expected compared to CH-LOGIN. If users encounter problems that cannot be resolved via self-service, they should contact the application-specific support team, as they did with CH-LOGIN. This team records the case and attempts to resolve it. This process remains unchanged. The application support should remain the single point of contact (SPOC) for the end user. Cases can still be escalated to BIT support where necessary for resolution and communication.

Further information on support processes is available at: AGOV Supportmanual


Roadmap

What are the timelines and contents of the CH2A roadmap?

  • AGOV-Allow
    (Rollout since Q1/2024 to PROD)
    • In this phase, AGOV is one of the supported IdPs in the CH-LOGIN BYOI bundle. Users with an AGOV-Login can voluntarily use it as a BYOI (Bring Your Own Identity) and link it to their CH-LOGIN. Users can freely choose to log in to eIAM using either CH-LOGIN or AGOV-Login. Both are possible in parallel. During this phase, AGOV-Login in eIAM is limited to "normal" quality (QoA30). Verified AGOV-Logins are not yet supported.

  • AGOV-First
    (REF 13.05.25 (Lenzspitze), ABN 13.08.25 / PROD 07.09.25 (Liskamm))
    • In this phase, AGOV becomes the preferred identity for new users of integrated eIAM applications in the eGOV domain. However, users can still create a new CH-LOGIN account. They are informed that AGOV is the better choice and are encouraged to use it.
    • Users with an existing CH-LOGIN identity may continue using it or voluntarily replace it with an AGOV identity. The upgrade from CH-LOGIN to AGOV-Login is technically supported and all access rights are retained.
    • AGOV identities are supported in eIAM up to QoA51 (including verified AHV numbers). The need for verified identities is consistently met through AGOV, ensuring users can benefit from their verified identity across all levels of government.

  • AGOV-Push
    (Dates not yet defined)
    • In this phase, CH-LOGIN users are prompted to switch to AGOV. It remains possible to ignore or skip the prompt and continue using CH-LOGIN.
    • It will no longer be possible to register new CH-LOGIN accounts.

  • AGOV-Force
    (Dates not yet defined)
    • In this phase, CH-LOGIN users are forced to upgrade to AGOV-Login.
    • CH-LOGIN can no longer be used to log in to eIAM-integrated applications. It can only serve as proof of identity for upgrading to AGOV-Login.

  • AGOV-Only
    (Target from 2028 onward)
    • In this phase, CH-LOGIN users are forced to upgrade to AGOV-Login.
    • CH-LOGIN can no longer be used to log in to eIAM-integrated applications. It can only serve as proof of identity for upgrading to AGOV-Login.

When can AGOV-Login be used as a login method?

AGOV-Login has been available to federal administration applications as part of CH-LOGIN (via BYOI – Bring Your Own Identity) since the AGOV-Allow phase, i.e., since the "Dufourspitze" release on 11.02.2024.

The AGOV-Allow phase will end with the start of AGOV-First on 07.09.2025. With AGOV-First, AGOV-Login becomes a standalone login method. Users no longer use AGOV as part of CH-LOGIN but instead choose to replace their CH-LOGIN with AGOV-Login. They are informed about AGOV as the Swiss government login and are encouraged to use it. A wizard assists with the secure transition from CH-LOGIN to AGOV-Login. Details about the rollout can be found in the Release Planning and the Release Notes.


When does the transition from CH-LOGIN to AGOV become mandatory?

In the first phase, switching to AGOV is voluntary; in the second, it becomes mandatory. The exact timing of these phases is not yet defined (see first FAQ above). An exception applies to users who require verified identities (QoA higher than QoA30). In eIAM's eGOV context, verified identities will be offered exclusively through AGOV starting with AGOV-First. This ensures that users can benefit from their verified identity across all levels of government—not just federal.

How are users supported during the timely upgrade from CH-LOGIN to AGOV-Login?

During AGOV-First, the eIAM service informs users directly at login runtime about AGOV as the new Swiss government login. For users accessing eIAM-integrated specialized applications with AGOV-Login, a "CH2A-Wizard" has been developed. It guides users through a simple and secure migration from CH-LOGIN to AGOV-Login. In later CH2A phases, communication with users also occurs outside direct eIAM usage. Email is used as a communication channel, ensuring even users who rarely use CH-LOGIN are informed.

Technical

Do I need to adapt my applications for AGOV usage?

Applications connected to eIAM are unaffected by the AGOV rollout and therefore do not require adaptation. This is because eIAM abstracts the authenticating identity and issues the usual/former “eIAM tokens”, including the same technical identifier of the identity.

How is it ensured that users remain the same for the target applications?

The technical identifier of the identity, delivered by eIAM in the token to the application, remains unchanged.

Login methods in the sense of identity providers are abstracted by eIAM and are generally transparent to applications. Exceptions are specific claims in the tokens, the use of which is discouraged by eIAM. This is because they compromise transparent federation by eIAM. Tight coupling of an application with identity providers is undesirable as it counteracts standardisation and harmonisation.

How do I connect my application to AGOV?

Administrative units of the federal administration do not connect their applications directly to AGOV based on the market model. They always use AGOV via eIAM. This is done according to the process Integration of new applications. With integration into eIAM, you automatically receive AGOV as an identity provider.

Different rules and processes apply to cantons and their municipalities. Details on this connection procedure can be found under the following link: (Closed User Group)

Does AGOV-Login work abroad?

AGOV is available worldwide. However, in countries that heavily filter and regulate internet traffic, unrestricted use may not be guaranteed.

How can I test AGOV?

You can register for an AGOV-Login at any time via the website agov.ch or log in with your existing AGOV-Login at agov.ch/me to view and, if necessary, update your personal data.

What is the relationship between AGOV and the Swiss e-ID?

The future official Swiss e-ID is an electronic identity that can be used both as a login factor with AGOV and to verify personal data in AGOV.

Quality of Authentication (QoA) - Authenticated/verified identities

What authentication qualities (login strengths) does AGOV offer?

AGOV offers identities ranging from QoA30 to QoA51. The actual login always takes place at the ‘high’ level. The different QoA levels result from the differing verification of personal data. The QoA scale applies in the eIAM system, while the AGOVaq scale applies to AGOV; the assignment can be viewed internally at the following link: .

Can I use the AGOV-Login for applications that require a verified identity?

Yes, this is entirely possible. AGOV in the eIAM context offers identity verification via video identification. The video identification is triggered when a target application requires it. It can also be triggered in advance via an onboarding process. Administrative units decide, as part of their onboarding process design, whether end users must pay for video identification online themselves or whether they receive a voucher from the administrative unit. Details on ordering vouchers for administrative units can be found at the following link: Ordering vouchers

Important: Verified identities with CH-LOGIN, either via the Vasco token delivery process or via video identification in the context of nHEC+, retain their verified status when upgrading CH-LOGIN to AGOV-Login. This is valid for 5 years from the date of identification, in accordance with the current guidelines for AGOV-Login verification. A new verification in AGOV is only necessary after this period has elapsed.

How does a user obtain a new verified identity?

With AGOV-First, verified/clarified identities in eIAM at level QoA40 or higher are only offered via AGOV. It is no longer possible to have CH-LOGINs verified.

Scenario 1: The user calls up an application with a QoA requirement higher than QoA30. The user logs in with an unverified AGOV-Login. eIAM recognises that the QoA requirement is not met. eIAM informs the user that they need a higher quality AGOV-Login and provides them with a help page where they can find all the information they need to improve their AGOV-Login to the required quality.

Scenario 2: The user calls up an application with a QoA requirement higher than QoA30. The user logs in with a CH-LOGIN that does not meet the required identity quality. CH-LOGIN recognises that the QoA requirement is not met. CH-LOGIN informs the user that they need an AGOV-Login with a higher quality and provides them with a help page where they can find all the information they need on how to register and verify an AGOV-Login with the required quality.

Scenario 3: The user calls up an application with a QoA requirement higher than QoA30. The user attempts to register a CH-LOGIN. CH-LOGIN explains to the user that new, verified identities are only supported with AGOV-Login. CH-LOGIN informs the user that they need an AGOV-Login with increased quality and provides them with a help page where they can find all the information they need on how to register and verify an AGOV-Login with the required quality.

Scenario 4: The department informs the user directly during the onboarding process that they need a verified AGOV-Login to access the application. The department provides the user with the necessary information during the onboarding process. This information includes the URL of the help page and, if necessary, a voucher code for video identification in AGOV at the organisation's expense.

Where can I find the help page for identity verification?

Help page for verification at level QoA50 (verified identity)
Help page for verification at level QoA51 (verified identity including verified AHV number)

What methods are available for verifying AGOV-Logins?

As part of eIAM, AGOV offers video identification. Identification is subject to a fee, which must be paid by the user before starting the identification process. In addition to other online payment methods, vouchers that can be obtained from the administrative unit and issued to the user are also accepted. Details on ordering vouchers for administrative units can be found here: Ordering vouchers

AGOV is using LID on a trial basis with several cantons. Once the results have been evaluated, the Federal Chancellery will review the areas of application for LID.

How can the office cover the costs of video identification?

In addition to other online payment methods, vouchers that can be obtained from the administrative unit and issued to the user are also accepted. Details on ordering vouchers for administrative units can be found here: Ordering vouchers

Is it possible to downgrade a verified AGOV-Login?

No. It is not possible for a user to revert an already verified AGOV-Login (QoA50/QoA51) back to ‘not verified’ (QoA30) in self-service, e.g. for testing purposes. If data such as first name, last name or date of birth is changed for a verified AGOV-Login, this automatically triggers a new identity check so that the new data can be accepted. The changed data will only be accepted if the identity check with the new, changed data was successful. If you are testing test cases with verified and unverified identities, the test case must be set up so that two different identities are used: one identity with a verified AGOV-Login and one identity with an unverified AGOV-Login, both with the same user profile in the application.

What happens when a verified CH-LOGIN upgrades to AGOV-Login?

Existing CH-LOGINs that have been verified either via video identification or the VASCO issuance process retain their status. This also applies if they switch from CH-LOGIN to AGOV-Login. If the user exchanges their verified CH-LOGIN for an unverified AGOV-Login, they retain their verification status in eIAM. This will remain the case until the verification expires (five years) or until their AGOV-Login is verified. As soon as the user uses eIAM with a verified AGOV-Login, responsibility for verification is transferred from eIAM to AGOV.

What happens when the VASCO token is no longer required for CH-LOGIN?

If a CH-LOGIN user with a VASCO token switches to AGOV-Login, their CH-LOGIN and therefore their VASCO token will no longer be required for CH-LOGIN. eIAM automatically notifies the organisation responsible for managing VASCO tokens that this VASCO token is no longer used in the context of eIAM CH-LOGIN. If the VASCO token was used exclusively in the CH-LOGIN context, no further recurring charges will be made for this VASCO token. If the VASCO token is used in other contexts (e.g. Admin-VDI) in addition to CH-LOGIN, this token will continue to be billed for this application purpose.

What happens if a VASCO token for CH-LOGIN is lost or defective?

The loss or defect of the VASCO token does not mean that the user must switch from CH-LOGIN to AGOV-Login. The user reports the problem with their VASCO token as before via their support organisation. The VASCO token is then replaced outside CH-LOGIN and eIAM. The new VASCO token can be used by the user without the user having to change anything in eIAM (CH-LOGIN).

Testing in general

Why do I have to test AGOV-First specifically?

AGOV-First is a major release in eIAM and brings with it a host of new features. Details can be found both in the Release Notes and here in the Customer Portal. We therefore recommend that you conduct intensive testing of AGOV-First with your specialist applications during the extended phase on the REFERENCE between rollout with Release Lenzspitze on 13 May 2025 and further staging with Release Liskamm on ACCEPTANCE on 13 August 2025. This is to ensure that your specialist applications function properly with the introduction of AGOV-First with all login options and also when switching users from CH-LOGIN to AGOV-Login.

Is my application affected by AGOV-First if I cannot log in with the AGOV-Login?

Yes, AGOV-First also includes the complete conversion and standardisation of the login selection, as well as additional functionalities such as just-in-time provisioning in the Federal Trust Broker (BTB). Applications that do not use AGOV-Login directly are also affected by these changes. It is therefore important that you also test the logins for these applications, e.g. with professional community identities (FEDRO, FOEN, FOCBS or FOC).

Which test cases should I cover in the specific AGOV-First tests?


We recommend that you carry out the following specific tests at an early stage so that any problems can be identified and rectified. This will ensure that the rollout of AGOV-First in ACCEPTANCE and PRODUCTION can take place without any restrictions for the end users of your specialist applications.

Important: When testing from the federal network, do not forget to disable Autologon via the cookie page.

  1. Test case: Log in to your application via all identity providers currently used by the specialist application with the appropriate test user for regression testing.
    • CH-LOGIN
    • FED-LOGIN
    • BYOI identity providers (e.g. #edaLogin, Switch edu-ID, ZUGLOGIN, eZug, Genèv eID)
    • Identity provider sector (e.g. V-Login, HIN, PTI, etc.)
    • Specialist community login (FEDRO, FOEN, FOCBS or FOC)

  2. Test case: Existing user of the specialist application continues to use it with CH-LOGIN
    • User has already used the specialist application in the past with a CH-LOGIN identity
    • User accesses the specialist application.
    • User uses the login function of the specialist application (if interactive).
    • Select CH-LOGIN.
    • Login with CH-LOGIN.
    • The user is still recognised in the specialist application as the user already known from the past (ID, roles, data unchanged).

  3. Test case: Existing user of the specialist application uses their AGOV-Login for the first time in eIAM – identical email address
    • The user has already used the specialist application in the past with a CH-LOGIN identity.
    • The user calls up the specialist application.
    • The user uses the login function of the specialist application (if interactive).
    • User selects AGOV.
    • User authenticates in AGOV with an AGOV-Login with the same email address as their CH-LOGIN. Or user registers a new AGOV-Login in AGOV with the same email address as their CH-LOGIN.
    • User is guided through the upgrade process by the CH2A wizard.
    • It is determined that a CH-LOGIN exists that was registered with the same email address as the AGOV-Login.
    • The user is prompted to upgrade from CH-LOGIN to AGOV-Login. To do this, they are prompted to log in with their CH-LOGIN password (and second factor, if applicable).
    • If the CH-LOGIN credentials are entered correctly, the upgrade to AGOV-Login is performed.
    • The user is still recognised in the specialist application as the user already known from the past (ID, roles, data unchanged).

  4. Test case: Existing user of the specialist application uses their AGOV-Login for the first time in eIAM - Different email address
    • The user has already used the specialist application in the past with a CH-LOGIN identity.
    • The user calls up the specialist application.
    • The user uses the login function of the specialist application (if interactive).
    • User selects AGOV.
    • User authenticates in AGOV with an AGOV-Login with a different email address than their CH-LOGIN. Or user registers a new AGOV-Login in AGOV with a different email address than their CH-LOGIN. The AGOV-Login has not yet been used in eIAM.
    • The user is guided through the upgrade process by the CH2A wizard.
    • It is determined that no CH-LOGIN exists that was registered with the same email address as the AGOV-Login. The user is asked whether they have a CH-LOGIN that is registered with a different email address.
    • The user confirms that they have a CH-LOGIN.
    • The user is prompted to enter their email address, password (and second factor, if necessary).
    • If the CH-LOGIN credentials are entered correctly, the upgrade to AGOV-Login is performed.
    • The user is still recognised in the specialist application as the user already known from the past (ID, roles, data unchanged).

  5. Test case: New user of the specialist application uses their AGOV-Login for the first time in eIAM
    • The user has never used the specialist application or eIAM in the past (not even with CH-LOGIN).
    • The user calls up the specialist application.
    • The user uses the login function of the specialist application (if interactive).
    • The user selects AGOV.
    • The user authenticates themselves in AGOV with an AGOV-Login. Or the user registers a new AGOV-Login in AGOV.
    • The user is guided through the upgrade process by the CH2A wizard.
    • It is determined that no CH-LOGIN exists that was registered with the same email address as the AGOV-Login. The user is asked whether they have a CH-LOGIN that is registered with a different email address.
    • The user confirms that they do not have any CH-LOGIN.
    • A new account is created for the user in eIAM.
    • The onboarding of the new user in the application (and in eIAM, if access management is in eIAM) works as specified by you for the application.

  6. Test case: Changed spelling of email address
    • The user has already used the specialist application in the past with a CH-LOGIN identity. In CH-LOGIN, they used capital letters in their email address (e.g. Max.Muster@mydomain.com). AGOV does not allow capital letters in email addresses.
    • User calls up the specialist application.
    • User uses the login function of the specialist application (if interactive).
    • User selects AGOV.
    • The user authenticates themselves in AGOV with an AGOV-Login using the same email address as their CH-LOGIN but with different upper and lower case letters. Or the user registers a new AGOV-Login in AGOV with the same email address as their CH-LOGIN but with different upper and lower case letters.
    • The user is guided through the upgrade process by the CH2A wizard.
    • It is determined that a CH-LOGIN exists that was registered with the same email address as the AGOV-Login (upper and lower case letters are not relevant for the upgrade).
    • The user is prompted to upgrade from CH-LOGIN to AGOV-Login. To do this, they are prompted to log in with their CH-LOGIN password (and second factor, if applicable).
    • If the CH-LOGIN credentials are entered correctly, the upgrade to AGOV-Login is performed.
    • The user is still recognised in the specialist application as the user already known from the past (ID, roles, data unchanged).
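
The linking rule described for the CH2A-Wizard and exercised in test cases 3 to 6, as an added example (a simplified Python model, not eIAM or AGOV code): a matching email address only nominates a CH-LOGIN candidate, and the upgrade is performed only after a full CH-LOGIN login succeeds. The names `Account`, `ch2a_wizard` and `full_ch_login`, the `eiam-…` identifiers and the `.example` addresses are assumptions for illustration; the page does not say what happens when the CH-LOGIN login fails, so the model leaves everything unchanged in that case.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Iterable, Optional, Tuple
import uuid


class Outcome(Enum):
    UPGRADED = "upgraded"        # CH-LOGIN replaced, existing eIAM identity kept
    NEW_ACCOUNT = "new_account"  # user has no CH-LOGIN, fresh eIAM account
    NOT_LINKED = "not_linked"    # no successful CH-LOGIN proof, nothing changes


@dataclass
class Account:
    email: str                   # as registered; CH-LOGIN may contain capitals
    eiam_id: str                 # technical identifier delivered to applications
    roles: frozenset = frozenset()
    login_method: str = "CH-LOGIN"


def norm(email: str) -> str:
    """Upper and lower case are not relevant for the match (test case 6)."""
    return email.strip().lower()


def build_directory(accounts: Iterable[Account]) -> Dict[str, Account]:
    return {norm(a.email): a for a in accounts}


def ch2a_wizard(
    agov_email: str,
    directory: Dict[str, Account],
    full_ch_login: Callable[[Account], bool],
    claimed_ch_email: Optional[str] = None,
) -> Tuple[Outcome, Optional[Account]]:
    """Decide what happens when an AGOV-Login is used in eIAM for the first time.

    full_ch_login is a hypothetical callback standing in for a complete
    CH-LOGIN login (password and, if applicable, second factor).
    claimed_ch_email is the address of a CH-LOGIN the user says they own when
    the addresses differ; None means "I have no CH-LOGIN".
    """
    candidate = directory.get(norm(agov_email))
    if candidate is None:
        # Test cases 4 and 5: no CH-LOGIN under this address, so the user is asked.
        if claimed_ch_email is None:
            fresh = Account(agov_email, str(uuid.uuid4()), login_method="AGOV-Login")
            return Outcome.NEW_ACCOUNT, fresh
        candidate = directory.get(norm(claimed_ch_email))
        if candidate is None:
            return Outcome.NOT_LINKED, None
    # An email match (or a claim) only nominates the account. Ownership is
    # proven by the full CH-LOGIN login, never by the address alone.
    if not full_ch_login(candidate):
        return Outcome.NOT_LINKED, None
    # Upgrade in place: the identifier and roles stay, only the login changes.
    candidate.login_method = "AGOV-Login"
    return Outcome.UPGRADED, candidate


def sample_directory() -> Dict[str, Account]:
    # Constructed sample data; only Max.Muster@mydomain.com is from the page.
    return build_directory([
        Account("Max.Muster@mydomain.com", "eiam-0001", frozenset({"app.reader"})),
        Account("anna@old-mail.example", "eiam-0002", frozenset({"app.admin"})),
    ])


if __name__ == "__main__":
    directory = sample_directory()
    runs = [
        ("same email, CH-LOGIN login fails", "max.muster@mydomain.com", False, None),
        ("same email, CH-LOGIN login succeeds", "max.muster@mydomain.com", True, None),
        ("different email, claimed CH-LOGIN", "anna@new-mail.example", True,
         "anna@old-mail.example"),
        ("no CH-LOGIN at all", "new.user@mail.example", False, None),
    ]
    for label, email, login_ok, claimed in runs:
        outcome, account = ch2a_wizard(email, directory, lambda a: login_ok, claimed)
        print(f"{label}: {outcome.value}, eiam_id={account.eiam_id if account else None}")
```
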

What if I need more than 10 different AGOV-Logins for testing purposes?

An AGOV access app on a mobile device allows up to 10 different AGOV-Logins to be registered. If you need more than 10 AGOV-Logins, for example to test different use cases in your application with many different identities, we recommend the use of security keys (FIDO2). Depending on the hardware, a single security key can be used for several hundred AGOV-Logins. It is also possible to register multiple security keys for a single AGOV-Login. This is useful, for example, if several people need to perform tests with the same AGOV-Logins.

Test automation/monitoring

Do I need to adjust anything for test automation or end-to-end (E2E) monitoring?

Yes. With AGOV-First, the so-called Home Realm Discovery (HRD), i.e. the selection of the identity provider with which the user wants to authenticate, will change. Test automations and E2E monitoring that include authentication with eIAM must be adapted.

Should I switch my CH-LOGIN to AGOV-Login for test automation or monitoring?

No. AGOV supports the identity verification methods ‘AGOV access App’ and physical security keys (FIDO2). Neither type of identity verification method is suitable for automated E2E testing or automated monitoring. Please continue to use CH-LOGIN identities. The issue of monitoring and automated E2E testing in eIAM has been addressed.

We require identities to test our specialist application automatically. New CH-LOGIN identities can no longer be registered with "AGOV-Push", and AGOV supports identity verification with "AGOV Access App" and physical security keys, which are not suitable for test automation. What should we do?

It is still possible to order CH-LOGIN identities as so-called "Managed Techusers" for such tasks from eIAM. These are CH-LOGIN identities with a password and, if required (QoA >20), with a fixed mTAN. In the REF and ABN operating environments, such "Managed Techusers" are available up to a QoA level of 50.

End user-related

No selection of login methods in the federal network. Why?

With AGOV-First, the selection of login methods has been revised and optimised. As part of this revision, login with FED-LOGIN will become the default option and will therefore be selected automatically from federal administration networks. This offers users in federal administration networks an optimal user experience when logging into eIAM-integrated applications, as this takes place entirely in the background without any interaction with the end user. For people who want to use login methods other than FED-LOGIN from federal administration networks (e.g. for testing), the eIAM feature ‘Autologon Cookie’ can be used. This allows alternative login methods to be selected. Information about the ‘Autologon’ feature can be found here: Testing without Autologon

Automatically logged in with FED-LOGIN. Why?

With AGOV-First, the selection of login methods has been revised and optimised. As part of this revision, login with FED-LOGIN will become the default option and will therefore be selected automatically from federal administration networks. This offers users in federal administration networks an optimal user experience when logging into eIAM-integrated applications, as this takes place entirely in the background without any interaction with the end user. For people who want to use login methods other than FED-LOGIN from federal administration networks (e.g. for testing), the eIAM feature ‘Autologon Cookie’ can be used. This allows alternative login methods to be selected. Information about the ‘Autologon’ feature can be found here: Testing without Autologon

How do end users switch from CH-LOGIN to AGOV-Login?

In the AGOV-Allow phase, end users can use the AGOV-Login on a voluntary basis. This applies even if they already have a CH-LOGIN. For the target applications, it is irrelevant whether the user continues to use the CH-LOGIN or their AGOV-Login.

In the AGOV-First phase (see dates above in the roadmap explanations), users can set up their AGOV-Login as a separate login, independent of a CH-LOGIN. They are guided and supported by a wizard during the secure upgrade of their CH-LOGIN to AGOV-Login. If users wish to continue using their CH-LOGIN, they do not need to upgrade to AGOV-Login during this phase. This will only take place in later phases of CH2A.

Is there an AGOV-Login for legal entities?

Natural persons act on behalf of legal entities and therefore log in using their AGOV-Login. AGOV itself only knows the natural person and not their assignment to legal entities. This assignment must be mapped in the target application.

Is there any help documentation on AGOV for users?

For AGOV users, there are various help pages at agov.ch/help, which provide the current AGOV status as well as help articles on topics such as registration, identity verification, AGOV-Login and self-administration of the AGOV account. There are also tips and tricks in the form of AGOV explanatory videos.

In addition to this AGOV-specific help, a help page has been provided for users of the CH2A project, which supports the upgrade from CH-LOGIN to AGOV-Login.