German implementation of eIDAS will require an Apple/Google account to function

What eIDAS Is and Current Context

  • eIDAS is the EU framework for interoperable electronic identification, authentication, and digital signatures across member states.
  • Many national systems already use smartcards, mobile ID apps, or bank-backed IDs; implementations are fragmented and usability varies.

Apple/Google Dependency and Attestation

  • German documentation describes using mobile device attestation (Google Play Integrity on Android, Apple App Attest on iOS) to protect the wallet app and its keys.
  • Several commenters say the HN title is misleading: a Google/Apple account is not strictly required by the attestation APIs themselves, but:
    • On Android, Play Integrity currently assumes a Google-certified ROM with Google Mobile Services (GMS) installed, which de facto ties it to Google.
    • In practice, using iOS or Android at all almost always requires an Apple/Google account anyway.
  • A German implementer confirms: some attestation is mandated by eIDAS acts; they start with Google/Android and plan to support more OSes (e.g., GrapheneOS) later.

Digital Sovereignty, Sanctions, and Lock-In

  • Strong concern that tying ID wallets to Apple/Google gives US companies (and US sanctions policy) indirect control over EU citizens’ IDs.
  • Examples raised: US sanctions already causing email/account shutdowns; people losing Google accounts without recourse.
  • Critics see this as undermining EU “digital sovereignty” and hard-coding dependence on foreign platforms.

Security vs. User Freedom

  • Pro-attestation side:
    • Argues high-assurance identity needs hardware roots of trust and protection against key duplication (cloning) to limit identity theft and large-scale abuse.
    • Notes average users cannot realistically secure their own OS; verified boot plus attestation protects against phones that are pre-infected or modified before the wallet is installed.
  • Anti-attestation side:
    • Sees remote attestation as an existential threat to user control and free software, blocking alternative OSes and reimplementations.
    • Argues security should come from cryptographic keys and open standards, not from vendors judging “legitimate” OSes.

Alternatives and Implementation Choices

  • Suggested alternatives:
    • Use existing national eID smartcards (ISO 7816 / NFC) and card readers more broadly.
    • Hardware tokens (FIDO2/U2F, dedicated TAN/OTP devices), SIM-based or eSIM-based Mobile-ID.
    • Standard Android hardware attestation (AOSP) instead of Play Integrity; new “UnifiedAttestation” initiative.
    • Open APIs so any client/OS can implement the wallet behavior.
  • Some note eIDAS 2.0 itself does not require specific hardware; they attribute Google dependence to national implementer choices or “laziness”.
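The attestation dispute above (Play Integrity versus AOSP hardware attestation, and vendors deciding which OSes count as "legitimate") comes down to one verifier-side decision: which signing roots the relying party admits. The following Go program is an added illustration of that decision, not code from the German wallet, Google, Apple or anyone in the thread. It builds a stand-in attestation chain with keys generated on the spot, stores attested device state in a certificate extension under a placeholder OID (the real Android key-attestation extension has a Google-assigned OID and a much richer schema, which this does not reproduce), and then verifies it against a configurable trust pool. `AttestInfo`, `BuildDemoChain` and `VerifyAttestation` are names chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Placeholder OID constructed for this example; the real Android key-attestation
// extension uses a Google-assigned OID and a much richer ASN.1 schema.
var attestExtOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// AttestInfo is the attested device state carried in the extension. Its layout is
// constructed for the example and is not Android's or Apple's encoding.
type AttestInfo struct {
	BootLocked bool   // verified boot with a locked bootloader
	OSName     string // e.g. "AOSP", "GrapheneOS"
}

// BuildDemoChain stands in for a vendor CA plus a device's secure hardware: it returns
// a self-signed attestation root and a device-key certificate carrying info.
func BuildDemoChain(info AttestInfo) (root *x509.Certificate, leafDER []byte, err error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Attestation Root"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	if root, err = x509.ParseCertificate(rootDER); err != nil {
		return nil, nil, err
	}
	deviceKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ext, err := asn1.Marshal(info)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "device key"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		// Non-critical, so a verifier that does not know the OID still parses the cert.
		ExtraExtensions: []pkix.Extension{{Id: attestExtOID, Value: ext}},
	}
	leafDER, err = x509.CreateCertificate(rand.Reader, leafTmpl, root, &deviceKey.PublicKey, rootKey)
	return root, leafDER, err
}

// VerifyAttestation makes the two decisions a relying party's check comes down to:
// (1) does the statement chain to a root in trusted, and (2) does the attested state
// meet policy. What goes into trusted is the lever the thread argues about: vendor
// roots only, or any hardware root the verifier decides to admit.
func VerifyAttestation(leafDER []byte, trusted *x509.CertPool) (AttestInfo, error) {
	var info AttestInfo
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return info, err
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: trusted}); err != nil {
		return info, fmt.Errorf("no trusted root: %w", err)
	}
	for _, e := range leaf.Extensions {
		if !e.Id.Equal(attestExtOID) {
			continue
		}
		if rest, err := asn1.Unmarshal(e.Value, &info); err != nil || len(rest) != 0 {
			return info, fmt.Errorf("malformed attestation extension")
		}
		if !info.BootLocked {
			return info, fmt.Errorf("policy: bootloader unlocked")
		}
		return info, nil
	}
	return info, fmt.Errorf("no attestation extension")
}

func main() {
	root, leafDER, err := BuildDemoChain(AttestInfo{BootLocked: true, OSName: "AOSP"})
	if err != nil {
		panic(err)
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	info, err := VerifyAttestation(leafDER, pool)
	fmt.Println(info, err)
}
```

Run against an empty `x509.CertPool` the same leaf is rejected with an unknown-authority error, even though the device state it attests is identical; that is the whole "Google-certified ROM" effect in miniature. The policy check on `BootLocked` is deliberately separate from the chain check, so a verifier that admits a wider set of hardware roots still gets the anti-tampering property the pro-attestation side asks for.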

Mandatory Use, Accessibility, and Process

  • Official EU FAQ says use of the EUDI wallet must be voluntary, with other identification methods remaining available.
  • Commenters worry about “de facto” compulsion as banks and agencies drop alternatives over time.
  • Concerns about excluding users without smartphones or with custom ROMs; some expect legal challenges in Germany.
  • Broader criticism targets EU/German digital projects as overregulated, lobbyist-driven, and technically conservative.