Signing Service FAQ

Help on your question on the Signing Service


E | Authentication and declaration of intent in general

In Switzerland we switch Mobile ID to PWD/OTP fallback mode by default if the SIM card is not enabled for Mobile ID. In the eIDAS area we work by default with the Mobile ID app (Google Play: https://play.google.com/store/apps/details?id=com.swisscom.mobileid, App Store: https://apps.apple.com/de/app/mobile-id/id1500393675), but we can also enable PWD/OTP.

The Mobile ID app is based on the Mobile ID interface, which also offers authentication with fingerprint or face recognition. This app only requires an Internet connection during authentication and can therefore be used internationally. However, an international SIM card (mobile phone number) is still required for the setup of the app. See https://mobileid.ch .

In general, other authentication methods are also possible, but these must be approved by KPMG. This requires the signing of an onboarding support contract, which regulates the implementation concept and the execution of the audit. New methods must be authorized separately for ZertES and eIDAS.

Unfortunately not. You have a new means of authentication that was not recorded at the time of identification, i.e. you must be newly identified using the MobileID.

There is no guarantee, but it should work nearly everywhere. You can take a closer look at this overview:

https://www.swisscom.ch/en/residential/plans-rates/inone-mobile/roaming.html

(Go to “Tariff Check”, select any subscription model or contract type, then the country)

With the MobileID app as an authentication means, you are independent of the SMS dispatch.

In principle, the service is provided for residents of the EU/EEA and Switzerland with mobile numbers from these countries. Reception on mobile numbers from other countries may not work or may be prevented by various countries. Within the framework of a project, Swisscom can be commissioned to ensure reception in these countries via special SMS providers.

Two-factor authentication is required for the qualified signature: “possession” and “knowledge”, i.e. possession alone (SMS) is not sufficient.

No, OTP is sufficient for advanced signatures.

The loss of the password leads to a new digital identity. The application providers can react to this and, if necessary, demand a new identification of the signer, e.g. with the RA-App.

Since both methods require a secret as well as the possession of the telephone number, no signature for the previously existing digital identity can be triggered once the telephone number has been transferred. This means that the person must be newly identified.

Since a fixed-line number cannot practically be assigned to one person, this is not possible. The SMS is intended to ensure that whatever is contacted is assigned solely and without exception to the person signing the document.

Modern devices are equipped with Wi-Fi calling. Such devices can also be used to sign within a Wi-Fi zone. Without the Internet, however, remote signatures are not possible.

In the case of a MobileID, you can use a recovery code to transfer the MobileID to the new SIM (https://www.mobileid.ch/en/login). In the case of PWD/OTP and the same phone number, your authentication option also remains.

MobileID is always configured in combination with a PWD/OTP fallback solution, i.e. a password window is automatically sent. You can activate your MobileID on the platform https://mobileid.ch . If the MobileID app is used and activated, the MobileID app is used.

In the standard case, after identification, the customer first receives the terms of use for Swisscom’s signature service. The customer confirms these and thereby triggers an initial signature of these conditions, in the context of which he can also define the password for the first time. This is the so-called “step-up authentication”.

By default, Swisscom currently only offers these methods. However, the extension will be worked out in the future, so that biometric methods may also be possible if approval has been granted. In addition, Swisscom will optionally accompany the customer if it wishes to use an audited solution to permit an additional signature at the recognition authority. Additional costs will be incurred.

2-factor authentication is based on the fact that both factors must be recorded in connection with authentication, i.e. no password may be chosen that is known only to the subscriber application while the subscriber himself has been identified with the RA-App. Such an exception is conceivable only if the participant itself carries out an authorized identification by RA delegation and, furthermore, designs the authentication procedure so that both factors (login, SMS release) are carried out within one short session. Both the participant's own identification procedure and this session procedure must be described in detail in an implementation concept and require approval by Swisscom and its auditors. Additional costs are incurred here.

If you have been identified and have previously used PWD/OTP:

  • If you want to use the Mobile ID app, you must re-identify yourself
  • If you want to use Mobile ID (Swiss mobile number), you must re-identify yourself

If you have been identified and have previously used the Mobile ID:

  • If you now want to use the Mobile ID app (this will only be possible on a SIM card that does not support Mobile ID) and use the recovery code of the Mobile ID, you can continue to sign
  • If you activate the app WITHOUT recovery code, you need to be re-identified
  • If you want to use PWD/OTP, you must be re-identified

If you have been identified and have used the Mobile ID app so far:

  • If you now want to use the Mobile ID of the SIM card (this will only be possible on a Swiss SIM card) and use the recovery code of the Mobile ID app, you can continue to sign
  • If you activate the Mobile ID of the SIM card WITHOUT recovery code, you must be re-identified
  • If you want to use PWD/OTP, you must re-identify yourself

This means that Mobile ID and the Mobile ID app are coordinated authentication methods, whereas PWD/OTP is a completely different authentication method. The remote signature always requires that the authentication means be included during registration (i.e. during identification). Therefore, in some cases, new identification will be necessary.

As an RA agent you should inform Swisscom via the support page if the mobile phone was not properly protected against malicious attack (e.g. with a password of 8 characters, etc.) or if you were still logged in to the RA App, since severe data protection problems could occur. With regard to signatures, you should cancel your SIM card, change your access data if necessary, and stop placing signatures until you receive your new SIM card.

Swisscom is not able to sufficiently guarantee the reception of the SMS. The only factor Swisscom is responsible for is sending out the SMS as quickly as possible. Neither the reception conditions of the mobile signal nor the performance of the internal or external roaming partner can be controlled; these are based on international telecom contracts and standards.

Using a sender name such as “Swisscom” or similar would be useful for the recipient. However, we have found that such SMS are very often treated as spam by our roaming partners.

F | Validity of certificates

Yes, after 5 years, persons identified for advanced signatures must also be newly identified. However, for advanced signatures it is sufficient if the identity card was valid at the time of identification. If it expires within the 5 years, no new identification is necessary. For qualified signatures, on the other hand, an identification is valid for as long as the ID card was valid or for a maximum of 5 years after this identification. In special cases, e.g. when bank identification is used, the validity of an identification can also be restricted to a shorter period than 5 years if regulation requires it.

G | Possible applications

Yes, this is the sole task of the subscriber application, which then repeatedly sends the hash with the signature request to the All-in Signing Service. Any number of signatures can be generated for the same digital document.

Yes, but this requires 2 communication channels and setups, i.e. the signature must first be authenticated by the person signing via one channel (on demand) and then organizationally signed (with previously created static certificate) by an SSL authentication certificate via a second channel.

Yes, several documents can be signed with one approval within a session. The maximum is approx. 250 signatures.

XML signatures according to the XAdES standard can be created based on seals but not on personal signatures (at the moment). The client has to take care of the XAdES standard itself: a “plain signature” call must be implemented.

For signatures in the Swiss legal area: www.validator.ch (Attention, the validator is not always up to date). For signatures in the EU legal area: https://www.signatur.rtr.at/de/vd/Pruefung.html

It should be noted that the EU validators are far from harmonised. This means that test portals can present an electronic qualified signature as “invalid”, even though it meets the requirements for eIDAS dating. Harmonisation is being worked on by the EU.

Only QES signatures can be validated. There are no validators for AES signatures.

Two user accounts (ClaimedIdentity) must be opened. Each account is tied to one signature type, i.e. the participant application must decide over which account it sends a signature request. Both accounts can be addressed via one interface, i.e. the same endpoint. There is a service fee per account, and 2 invoices are issued at the end of the month. Therefore 2 service contracts with 2 different configuration and acceptance declarations must be submitted. If you have 2 legal areas and 2 billing types, you still have only one (technical) interface, but 4 service access interface points and therefore 4 service fees. This doubles again to 8 ClaimedIDs if both signature levels (QES/AES) are planned with both billing types and both jurisdictions.

In principle, a time stamp also stores the zone (the offset). In this respect, all local programs will display the actual local time.

In principle, Swisscom provides a signed hash and thus supports PAdES (PDF) formats and, in the case of organisation certificates, XAdES (XML) formats. Word files are not signed and are not intended for this purpose by law.

No

No, only a common time stamp exists.

J | Billing

Each signature is billed individually, i.e. in this example 5 signatures are billed.

No, they are offered via two different ClaimedIDs and will be invoiced independently.

Swisscom does not charge any costs for sending Mobile ID or SMS. Depending on the roaming partner’s tariff, costs may be incurred for roaming (which happens very rarely, e.g. on cruises).

Here two user accounts (ClaimedIdentity) must be opened, each account is connected with a billing method. This means that the subscriber application must decide for itself which account it will use to send a signature request. There is a service fee per account. 2 invoices are issued at the end of the month.

There are no costs for these months.
