Frequently Asked Questions about CH2A

Is your question missing? Please post it at

AGOV-First CH2A Readiness-Checklist

What is meant by "AGOV-First CH2A Readiness"? ▼

AGOV-First CH2A Readiness includes the following points:

CH2A Readiness Application
CH2A Readiness Documentation
CH2A Readiness Support Organization

What does "CH2A Readiness Application" mean? ▼

The eIAM-integrated application has been successfully tested in preproduction (REF/ABN) using the AGOV-First CH2A-test cases. In particular, the migration of existing CH-LOGIN users to AGOV-Login.

See also the articles in the "Testing" section of this documentation.

What does "CH2A Readiness Documentation" mean? ▼

The organization responsible for the application integrated into eIAM keeps the documentation published for its application up to date. This documentation reflects the latest developments and includes the CH2A text modules provided by FOITT and FCh Chancellery Communications.

See also the articles in the section «User Guidance – Documentation provided by the business unit/application».

What does "CH2A Readiness Support Organization" mean? ▼

The support organization responsible for the eIAM-integrated application is capable, using the information available at , of answering end-user questions on the following topics:

Why is CH-LOGIN being replaced by AGOV?
Do I have to switch from CH-LOGIN to AGOV-Login immediately?
Should I register an AGOV-Login or a CH-LOGIN?
How can I switch from CH-LOGIN to AGOV-Login?
Where can I find help and information about CH-LOGIN, AGOV, and the migration from CH-LOGIN to AGOV?
What should I do if my CH-LOGIN / AGOV-Login no longer works?
What do I need to do if the application requires a verified (clarified) identity?

Glossary

What does the abbreviation "CH2A" mean? ▼

The term "CH2A" stands for "CH-LOGIN to AGOV". CH2A is a strategic initiative by BK-DTI. It addresses the replacement of CH-LOGIN by AGOV across the entire Federal Administration.

What is the "CH2A-Wizard"? ▼

The so-called "CH2A-Wizard" is a component of the federation communication between AGOV as identity provider and eIAM as the consumer of AGOV identities. The CH2A-Wizard assists users with the simple and secure transition from CH-LOGIN to AGOV-Login, especially if a user wants to replace an existing CH-LOGIN with their AGOV-Login. It detects an AGOV-Login that has the same email address as an existing CH-LOGIN and offers the user the option to replace the CH-LOGIN with their AGOV-Login. The wizard also supports scenarios where the AGOV-Login was registered with a different email address than the CH-LOGIN and allows the user to carry out the replacement. To ensure secure migration, a full CH-LOGIN login is always required. The transition is never carried out based solely on matching email addresses.

Strategic Context

What are the advantages of AGOV-Login compared to CH-LOGIN? ▼

AGOV-Login can be used by individuals and business representatives to interact with all administrative levels in Switzerland (municipalities, cantons, Federal Government, and third parties authorized by EMBAG). CH-LOGIN, in contrast, is limited to Federal Administration applications. Unlike CH-LOGIN, AGOV-Login is compatible with e-ID. For applications that require it, AGOV can request and provide a verified AHV number. AGOV-Login eliminates outdated and less secure login methods such as passwords and SMS-mTAN. Through the use of the AGOV Access App for Apple and Android devices and physical security keys (FIDO2), AGOV-Login is fully passwordless and offers better user experience and higher security compared to password-based methods.

Why AGOV? ▼

AGOV is the official login for Swiss authorities. It enables you to interact with authorities at all administrative levels (municipal, cantonal, federal) using a single login method—without having to manage passwords.

Why is CH-LOGIN being replaced by AGOV? ▼

Cantons and municipalities were unable to use the Federal Administration's CH-LOGIN for their eGovernment services because there was no legal basis for doing so. With the Federal Law on the Use of Electronic Means to Carry Out Official Tasks (EMBAG), the Federal Administration has been able to provide ICT services to cantons and municipalities since January 1, 2024. AGOV, as a further development of CH-LOGIN, is the first example of the CH-wide use of an ICT service and can be used across all federal levels, i.e., federal, cantonal, and municipal.

Organisation

How is CH2A organised? Who can I contact? ▼

CH2A is a project of CFh-DTI, in collaboration with FOITT. Bruno Frutiger from the Digital Standard Services (DS) department, who is responsible for digital basic and security solutions (DBS), acts as the client. Responsibility for the IAM service lies with business owner Stefan Minder, also from the DBS department and deputy project manager for the project. The CH2A project manager is Philipp Dasen from the DBS department. Edgar Kälin is responsible for the implementation of the DEV/OPS sub-project on behalf of FOITT.

Communication

Who is responsible for which communication? ▼

CH2A Communication Subproject

The topic of communication will result in different measures in the context of the various CH2A phases (see details under “Roadmap”).
Communication is carried out in a target-group-oriented manner through a variety of channels.
Communication takes place in close coordination between the communication departments of the FCh/DTI and FOITT.

Customer communication for a business application

Important announcements, planning information, and requests are distributed via the Release eIAM mailing list at eIAM-Releases@bit.admin.ch. We will use this channel to communicate whenever we require communication measures from specific stakeholder groups, such as business application managers.
Please send us an email at eIAM-Releases@bit.admin.ch if you would like to be added to the mailing list.
Should you receive questions regarding CH2A, we kindly ask you to refer to our project page containing all relevant information.
If you have any questions or concerns, you can contact us at any time via eIAM-Releases@bit.admin.ch.

Are there templates available for communication? ▼

In principle, specialist departments should not create their own user manuals for login via eIAM and/or account registration processes. Reference should always be made to the documentation in the help articles provided, specifically linking directly to the homepage help.eiam.admin.ch.
For the topic of CH2A, text templates for use by the specialist departments are available on the following page: Text templates.
The text templates have already been sent by email to the various communications departments of all offices. They should therefore be informed about the CH2A situation and the use of these text templates in your communication.

Costs and Billing

What does AGOV usage cost for my administrative unit? ▼

AGOV usage, like CH-LOGIN usage, is included in the eIAM pricing model. If target applications require identity verification via AGOV, the end user must pay online, or the administrative unit can provide a voucher code as part of its onboarding processes. Details on ordering vouchers for administrative units can be found at:

Support

How do users receive support? ▼

AGOV is designed in such a way that end users can primarily help themselves. Thanks to a multi-level recovery mechanism for account restoration, it is expected that support cases will decrease compared to CH-LOGIN. If users nevertheless encounter problems that they cannot solve via self-service, they will, as before, contact the specialist support of the application they wish to access. This support takes over the case and attempts to resolve it. This also takes place as it did previously with CH-LOGIN. Specialist support should be and remain the Single Point of Contact (SPOC) for the end user. An incident case can, of course, as is the case today, be forwarded to the FOITT support units, where any problem will be resolved and the appropriate information provided.

Further information on the support processes can be found here

What support exists for support organizations? ▼

For end users, the premise of self-help applies. For this purpose, the central help page

has been set up. It can be referred to at any time. It contains information and help articles on AGOV, CH-LOGIN as well as on the migration process. On this page, end users will also find references to the support organizations and NOW have the possibility, in the corresponding help article, to open a ticket directly if they still encounter problems.

The 20 support organizations with applications having the highest CH-LOGIN usage are contacted and trained in the use of Halo ITSM. This is the ticket tool into which customer tickets submitted via the help page flow. As part of the triage by the citizen support of FOITT, tickets that the remaining specialist supports should resolve themselves are returned to them via e-mail.

Roadmap

What are the timelines and contents of the CH2A roadmap? ▼

AGOV-Allow
Phase completed.
AGOV-First
Phase completed.
AGOV-Push (current phase)
Start REF 17.03.2026 / ABN 21.04.2026 / 10.05.2026 (Mönch)
- In this phase, CH-LOGIN users are prompted to switch to AGOV at each login. It remains possible to ignore or skip the prompt and continue using CH-LOGIN.
- It will no longer be possible to register new CH-LOGIN accounts. When attempting to register a CH-LOGIN, the user is prompted to register an AGOV login instead.
AGOV-Force
Start REF 15.12.2026 / ABN 27.01.2027 / 14.02.2027 (Obergabelhorn)
- In this phase, CH-LOGIN users are forced to upgrade to AGOV-Login.
- CH-LOGIN can no longer be used to log in to eIAM-integrated applications. It can only serve as proof of identity for upgrading to AGOV-Login.
AGOV-Only
Expected launch Q4/2027
- In this phase, CH-LOGIN can no longer be used. Neither for logging into applications nor as proof of a CH-LOGIN identity for upgrading to AGOV-Login. Users who have not upgraded their CH-LOGIN to AGOV-Login by this point will lose their existing authorisations in applications.
- During this phase, CH-LOGIN will be phased out. This also includes the removal of orphaned identities (those not upgraded from CH-LOGIN to AGOV login).

When does the transition from CH-LOGIN to AGOV become mandatory? ▼

The switch from CH-LOGIN to AGOV login will be enforced with the start of the CH2A phase AGOV-Force (14 February 2027). From this point onwards, it will no longer be possible to log in with CH-LOGIN. Any attempt to log in with CH-LOGIN will result in a request to register and use an AGOV login. CH-LOGIN will no longer be available as an alternative.

The exception concerns users who require verified identities (QoA higher than QoA30). Verified identities are offered in eIAM, in the eGOV context, exclusively in AGOV starting with AGOV-First. This allows users to benefit from their verified identity also outside the federal administration in interactions with other levels of government.

How are users supported during the timely upgrade from CH-LOGIN to AGOV-Login? ▼

During the AGOV push phase of CH2A, the eIAM service informs users at each login about the new AGOV offering as the Swiss government login by means of a dedicated intermediate page.

: Recommendation to switch to AGOV

Users can continue using their CH-LOGIN or choose AGOV.

For users who subsequently access eIAM-integrated business applications with an AGOV login, the so-called “CH2A wizard” was developed. It supports users in switching from CH-LOGIN to AGOV login in a simple and secure manner.

In the subsequent phases of CH2A, communication with users will also take place outside the direct runtime use of eIAM. Email will be used as the communication channel so that users who rarely use their CH-LOGIN are also informed.

Technical

Do I need to do anything to enable users of my application to use AGOV? ▼

If your users have been able to use CH-LOGIN identities to log in to your application, they will automatically be able to use AGOV logins with CH2A.

How do I connect my application to AGOV? ▼

Administrative units of the Federal Administration do not connect their applications directly to AGOV based on the market model. They always use AGOV via eIAM. This is done according to the process Integration of new applications. With integration into eIAM, you automatically receive AGOV as an identity provider.

Different rules and processes apply to cantons and their municipalities. Details on this connection procedure can be found under the following link: (Closed User Group)

Does AGOV-Login work abroad? ▼

AGOV is available worldwide. However, in countries that heavily filter and regulate internet traffic, unrestricted use may not be guaranteed.

How can I test AGOV? ▼

You can register for an AGOV-Login at any time via the website AGOV

or log in with your existing AGOV-Login at «AGOV me

» to view and, if necessary, update your personal data.

What is the relationship between AGOV and the Swiss e-ID? ▼

The future official Swiss e-ID is an electronic identity that can be used both as a login factor with AGOV and to verify personal data in AGOV.

Backward Compatibility

Do I need to adapt my applications as part of CH2A? ▼

Applications already integrated into eIAM

In the current “AGOV-Push” phase, no application adaptations should be necessary anymore. Any required adaptations were most likely already completed during the “AGOV-First” phase.

New integration

New application integrations into eIAM are already being implemented based on the new conditions.
As part of the integration, it is important that applications are specifically tested for the use case “User switches from CH-LOGIN to AGOV login”. See also the “Testing” section.
It is very important that any issues related to switching from CH-LOGIN to AGOV are identified already in the REFERENCE environment. This allows us to jointly avoid problems for your business application and its users during the subsequent integration work and the rollout to ACCEPTANCE and PRODUCTION.

How is it ensured that users remain the same for the target applications? ▼

Yes, this is generally ensured. Nevertheless, as part of new integrations, it is important that applications are specifically tested for the use case “User switches from CH-LOGIN to AGOV login”. See also the “Testing” section.

Is backward compatibility of the delivered claims ensured for the applications? ▼

In principle, backward compatibility is ensured. Nevertheless, as part of new integrations, it is important that applications are specifically tested for the use case “User switches from CH-LOGIN to AGOV login”. See also the “Testing” section.

However, there are certain adjustments to the claims due to the adaptation of the technical integration of AGOV and the other BYOI identity providers (Switch eduID, #edaLogin, GenèveID, ZUGLOGIN, and eZug) as standalone identity providers. All identity providers are no longer connected indirectly via CH-LOGIN, but are now integrated directly. As a result, there is no longer any linkage with a CH-LOGIN, which means that CH-LOGIN-specific claims are removed and identity-provider-specific claims now contain the correct values.

Please refer to the list below for the detailed changes to the respective claims:
AGOV-First backward compatibility of delivered claims

What should I do if I suspect issues with backward compatibility? ▼

Only still possible in the context of new integrations in cases of improper claim usage. Please report any issues directly to your eIAM Service Integrator (SIE). They will be able to explain the situation and the correct usage of the claims.

Are there attributes/claims in the eIAM token that will no longer be provided with CH2A? ▼

Yes, there are. Due to the fact that these were purely CH-LOGIN specific, it can no longer be guaranteed that they will always be provided by eIAM. As part of the transition to AGOV, AGOV as the identity provider can, for example, no longer deliver them. Therefore, delivery is generally discontinued.

An overview can be found on the page Backward compatibility of the delivered claims. The claims marked in red will no longer be provided with the introduction of AGOV-First

Quality of Authentication (QoA) -
Authenticated/verified identities

What authentication qualities (login strengths) does AGOV offer? ▼

AGOV offers identities from QoA30 to QoA51 (according to eIAM taxonomy). The actual login always takes place at the ‘high’ level. The different QoA results from the different verification of personal data. The QoA scale applies in the eIAM system, while the AGOVaq scale applies to AGOV; the assignment can be viewed internally at the following link: .

Can I use the AGOV-Login for applications that require a verified identity? ▼

Yes, this is entirely possible. AGOV in the eIAM context offers identity verification via video identification. The video identification is triggered when a target application requires it. It can also be triggered in advance via an onboarding process. Administrative units decide, as part of their onboarding process design, whether end users must pay for video identification online themselves or whether they receive a voucher from the administrative unit. Details on ordering vouchers for administrative units can be found at the following link: Ordering vouchers

Important: CH-LOGINs that have already been verified, either via CH-LOGIN video identification (nHEC+) or through the VASCO token issuance process, retain their verification status until the end of the AGOV-Force phase (end-of-life of CH-LOGIN). This remains valid even if they use a non-verified AGOV login. Only from that point onward is a new verification in AGOV required.

How does a user obtain a new verified identity? ▼

Since the AGOV-First phase, verified/validated identities in eIAM at level (QoA40 or higher) have only been offered via AGOV. It is no longer possible to have CH-LOGINs verified.

Scenario 1: The user calls up an application with a QoA requirement higher than QoA30. The user logs in with an unverified AGOV-Login. eIAM recognises that the QoA requirement is not met. eIAM informs the user that they need a higher quality AGOV-Login and provides them with a help page where they can find all the information they need to improve their AGOV-Login to the required quality.

Scenario 2: The user calls up an application with a QoA requirement higher than QoA30. The user logs in with a CH-LOGIN that does not meet the required identity quality. CH-LOGIN recognises that the QoA requirement is not met. CH-LOGIN informs the user that they need an AGOV-Login with a higher quality and provides them with a help page where they can find all the information they need on how to register and verify an AGOV-Login with the required quality.

Scenario 3: The user calls up an application with a QoA requirement higher than QoA30. The user attempts to register a CH-LOGIN. CH-LOGIN explains to the user that new, verified identities are only supported with AGOV-Login. CH-LOGIN informs the user that they need an AGOV-Login with increased quality and provides them with a help page where they can find all the information they need on how to register and verify an AGOV-Login with the required quality.

Scenario 4: The department informs the user directly during the onboarding process that they need a verified AGOV-Login to access the application. The department provides the user with the necessary information during the onboarding process. This information includes the URL of the help page and, if necessary, a voucher code for video identification in AGOV at the organisation's expense.

Where can I find the help page for identity verification? ▼

Help page for verification at level QoA50 (verified identity)

Help page for verification at level QoA51 (verified identity including verified AHV number)

Does the end user have to pay for the verification themselves? ▼

This can be determined by the administrative units themselves. As a rule, a user must pay for the verification carried out as part of the verification process. During the payment process, they can also redeem a voucher code provided by the administrative unit. Details regarding voucher ordering for administrative units can be found at the following link: Voucher ordering

We still have vouchers for CH-LOGIN. Do these expire with the switch to AGOV? ▼

No, these vouchers do not expire. They will be converted into AGOV vouchers as of 07.09.2025. They can then continue to be used for the verification of an AGOV identity. With the introduction of AGOV-First on this date, verification of CH-LOGIN accounts will no longer be possible.

What methods are available for verifying AGOV-Logins? ▼

Within the scope of eIAM, only the “ID/passport verification online” is offered in AGOV.

The identification process is subject to a fee and must be paid by the user before starting the identification procedure. In addition to other online payment methods, vouchers procured by the administrative unit and handed over to the user are also accepted. Details regarding voucher orders for administrative units can be found here: Ordering vouchers

How can the office cover the costs of video identification? ▼

In addition to other online payment methods, vouchers that can be obtained from the administrative unit and issued to the user are also accepted. Details on ordering vouchers for administrative units can be found here: Ordering vouchers

Is it possible to downgrade a verified AGOV-Login? ▼

No. It is not possible for a user to revert an already verified AGOV-Login (QoA50/QoA51) back to ‘not verified’ (QoA30) in self-service. E.g. for testing purposes. If data such as first name, last name or date of birth is changed during a verified AGOV-Login, this automatically triggers a new identity check so that the new data can be accepted. The changed data will only be accepted if the identity check with the new, changed data was successful. If you are testing test cases with verified and unverified identities, the test case must be set up so that two different identities are used. One identity with a verified AGOV-Login and one identity with an unverified AGOV-Login with the same user profile in the application.

What happens when a verified CH-LOGIN upgrades to AGOV-Login? ▼

CH-LOGINs that have already been verified via CH-LOGIN video identification (nHEC+) or the VASCO token delivery process retain their verification status until the end of the AGOV-Force phase (end of life of CH-LOGIN). This applies even if users use an unverified AGOV-Login. Only at this point will re-verification in AGOV be necessary.

What happens when the VASCO token is no longer required for CH-LOGIN? ▼

If a CH-LOGIN user with a VASCO token switches to AGOV-Login, their CH-LOGIN and therefore their VASCO token will no longer be required for CH-LOGIN. eIAM automatically notifies the organisation responsible for managing VASCO tokens that this VASCO token is no longer used in the context of eIAM CH-LOGIN. If the VASCO token was used exclusively in the CH-LOGIN context, no further recurring charges will be made for this VASCO token. If the VASCO token is used in other contexts (e.g. Admin-VDI) in addition to CH-LOGIN, this token will continue to be billed for this application purpose.

What happens if a VASCO token for CH-LOGIN is lost or defective? ▼

The loss or defect of the VASCO token does not mean that the user must switch from CH-LOGIN to AGOV-Login. The user reports the problem with their VASCO token as before via their support organisation. The VASCO token is then replaced outside CH-LOGIN and eIAM. The new VASCO token can be used by the user without the user having to change anything in eIAM (CH-LOGIN).

Testing

Why do I need to test the switch from CH-LOGIN to AGOV? ▼

To ensure that your business applications function correctly when users switch from CH-LOGIN to AGOV login.

How can I efficiently create test accounts for testing? ▼

Important: no personal accounts may be used for testing. Otherwise, private authorizations may become mixed with business authorizations. For security and governance reasons, we advise against this.

We always recommend creating a generic test account. We have had good experience with Gmail, because there is a feature that allows the use of mail extensions with a "+" (plus sign) and merges them into a single mailbox. This allows me to manage several accounts via a central mailbox. For example, it can look like this:

Main account on Gmail: example.test@gmail.com
AGOV or CH-LOGIN test account 1: example.test+001@gmail.com
AGOV or CH-LOGIN test account 2: example.test+002@gmail.com

When creating the account, the emails are sent to the central mailbox of the main account.

For AGOV testing, we recommend the following setup:

Creation of 2 AGOV accounts
- example.test+001@gmail.com
- example.test+002@gmail.com
Creation of 2 CH-LOGIN accounts
- example.test+001@gmail.com
- example.test+003@gmail.com
This way, with the first AGOV - CH-LOGIN pair the use case of the same email address can be tested, and with the second pair the use case of different email addresses can be tested.

Which test cases should I cover in the CH2A-specific tests? ▼

For new integrations, we recommend that you perform the CH2A-specific tests listed below at an early stage in the REFERENCE environment during the integration phase. This allows any potential issues to be identified and resolved together with your integrator, so that the rollout to the ACCEPTANCE and PRODUCTION stages can take place without restrictions for the end users of your business applications.

Important: When testing from the federal network, do not forget to disable Autologon via the cookie page

Test case: Log in to your application via all identity providers currently used by the specialist application with the appropriate test user for regression testing.
- CH-LOGIN
- FED-LOGIN
- BYOI identity providers (e.g. #edaLogin, Switch edu-ID, ZUGLOGIN, eZug, Genèv eID)
- Identity provider sector (e.g. V-Login, HIN, PTI, etc.)
- Specialist community login (FEDRO, FOEN, FOCBS or FOC)
- Expected behaviour: The user is still recognised in the application as the user known from the past (before the release was introduced) (ID, roles, data, documents remain unchanged).
Test case: Existing user of the specialist application continues to use it with CH-LOGIN
- User has already used the specialist application in the past with a CH-LOGIN identity
- User accesses the specialist application.
- User uses the login function of the specialist application (if interactive).
- Select CH-LOGIN.
- Login with CH-LOGIN.
- Expected behaviour: The user is still recognised in the application as the user known from the past (before the release was introduced) (ID, roles, data, documents remain unchanged).
Test case: Existing user of the specialist application uses their AGOV-Login for the first time in eIAM – identical email address
- The user has already used the specialist application in the past with a CH-LOGIN identity.
- The user calls up the specialist application.
- The user uses the login function of the specialist application (if interactive).
- User selects AGOV.
- User authenticates in AGOV with an AGOV-Login with the same email address as their CH-LOGIN. Or user registers a new AGOV-Login in AGOV with the same email address as their CH-LOGIN.
- User is guided through the upgrade process by the CH2A wizard.
- It is determined that a CH-LOGIN exists that was registered with the same email address as the AGOV-Login.
- The user is prompted to upgrade from CH-LOGIN to AGOV-Login. To do this, they are prompted to log in with their CH-LOGIN password (and second factor, if applicable).
- If the CH-LOGIN credentials are entered correctly, the upgrade to AGOV-Login is performed.
- Expected behaviour: The user is still recognised in the application as the user known from the past (before the release was introduced) (ID, roles, data, documents remain unchanged).
Test case: Existing user of the specialist application uses their AGOV-Login for the first time in eIAM - Different email address
- The user has already used the specialist application in the past with a CH-LOGIN identity.
- The user calls up the specialist application.
- The user uses the login function of the specialist application (if interactive).
- User selects AGOV.
- User authenticates in AGOV with an AGOV-Login with a different email address than their CH-LOGIN. Or user registers a new AGOV-Login in AGOV with a different email address than their CH-LOGIN. The AGOV-Login has not yet been used in eIAM.
- The user is guided through the upgrade process by the CH2A wizard.
- It is determined that no CH-LOGIN exists that was registered with the same email address as the AGOV-Login. The user is asked whether they have a CH-LOGIN that is registered with a different email address.
- The user confirms that they have a CH-LOGIN.
- The user is prompted to enter their email address, password (and second factor, if necessary).
- If the CH-LOGIN credentials are entered correctly, the upgrade to AGOV-Login is performed.
- Expected behaviour: The user is still recognised in the application as the user known from the past (before the release was introduced) (ID, roles, data, documents remain unchanged).
Test case: New user of the specialist application uses their AGOV-Login for the first time in eIAM
- The user has never used the specialist application or eIAM in the past (not even with CH-LOGIN).
- The user calls up the specialist application.
- The user uses the login function of the specialist application (if interactive).
- The user selects AGOV.
- The user authenticates themselves in AGOV with an AGOV-Login. Or the user registers a new AGOV-Login in AGOV.
- The user is guided through the upgrade process by the CH2A wizard.
- It is determined that no CH-LOGIN exists that was registered with the same email address as the AGOV-Login. The user is asked whether they have a CH-LOGIN that is registered with a different email address.
- The user confirms that they do not have any CH-LOGIN.
- A new account is created for the user in eIAM.
- Expected behaviour: The onboarding of the new user in the line application (and in eIAM, if access management is in eIAM) works as specified by you for the line application.

Are there specific test cases? ▼

Yes. Test cases "Test Case 3" and "Test Case 4" must be tested particularly carefully with your application. Through testing and feedback from application owners, we have identified that a few applications use incorrect technical identifiers for mapping the user's identity between eIAM and the application. As a result, these applications may fail to correctly recognize a user after switching from CH-LOGIN to AGOV-Login. How this recognition works differs per application. The authorization roles from eIAM are not the decisive factor in this case. Although the user remains the same within eIAM with identical permissions, they are no longer recognized as the same user in the application.

In such cases, for example, the user may no longer see data they had entered using CH-LOGIN after switching to AGOV-Login, or they may no longer see documents they had uploaded with their CH-LOGIN.

What should I do if I detect irregularities during testing? ▼

What if I need more than 10 different AGOV-Logins for testing purposes? ▼

An AGOV access app on a mobile device allows up to 10 different AGOV-Logins to be registered. If you need more than 10 AGOV-Logins, for example to test different use cases in your application with many different identities, we recommend the use of security keys (FIDO2). Depending on the hardware, a single security key can be used for several hundred AGOV-Logins. It is also possible to register multiple security keys for a single AGOV-Login. This is useful, for example, if several people need to perform tests with the same AGOV-Logins.

CH-LOGIN had the environments PRODUCTION (PROD), ACCEPTANCE (ABN), and REFERENCE (REF). What does it look like for AGOV? ▼

AGOV provides a single productive environment for all environments of applications from the Confederation, cantons, and municipalities. This means that an AGOV-Login is registered in the productive AGOV environment and managed by its owner, regardless of whether this AGOV-Login is used in the PRODUCTION, ACCEPTANCE, or REFERENCE environment of eIAM.

Several people (testers) should be able to test defined test cases using the same identity. Is that possible with AGOV? ▼

This depends on the quality of authentication (QoA) required for the test case.

If the test case allows the use of non-verified identities, an AGOV-Login can be registered in AGOV. Up to 10 Access Apps can be registered on this AGOV-Login on different smartphones. Alternatively, multiple security keys can be registered for the AGOV-Login.
If the test case requires the use of verified identities, only personal, non-transferable, verified identities may be used. Technically, it is still possible to pass on this personal identity to other individuals. However, this is strongly discouraged. The owner of this verified personal identity is responsible and liable for its use.

Test automation/monitoring

Do I need to adjust anything for test automation or end-to-end (E2E) monitoring? ▼

Yes. With AGOV-First, the so-called Home Realm Discovery (HRD), i.e. the selection of the identity provider with which the user wants to authenticate, will change. Test automations and E2E monitoring that include authentication with eIAM must be adapted.

Should I switch my CH-LOGIN to AGOV-Login for test automation or monitoring? ▼

No. AGOV supports the identity verification methods ‘AGOV access App’ and physical security keys (FIDO2). Neither type of identity verification method is suitable for automated E2E testing or automated monitoring. Please continue to use CH-LOGIN identities. The issue of monitoring and automated E2E testing in eIAM has been addressed.

We require identities to test our specialist application automatically. New CH-LOGIN identities can no longer be registered with "AGOV-Push", and AGOV supports identity verification with "AGOV Access App" and physical security keys, which are not suitable for test automation. What should we do? ▼

It is still possible to request CH-LOGIN identities from eIAM as so-called “Managed Techusers” for such tasks. These are CH-LOGIN identities with a password and a fixed mTAN. Further details can be found in the Support section.

How can I prevent optional forms, such as the intermediate page shown to end users within the scope of AGOV-Push and AGOV-Force after selecting CH-LOGIN, from affecting my test automation or my E2E testing? ▼

To skip optional notifications during Home Realm Discovery (IdP selection) on the eIAM BTB, eIAM provides a feature that can easily be used by test automation and E2E monitoring. This feature ensures that optional notifications are suppressed.

The User-Agent can set an HTTP request header for HTTP requests to the BTB (feds-r.eiam.admin.ch / feds-a.eiam.admin.ch / feds.eiam.admin.ch):

X-MOS-Agent: Automation

Background

The flows and processes in eIAM are optimized for use by humans. This can be challenging for automated processes such as automated testing or E2E monitoring. Even small changes in the login flow are usually immediately recognized and easily adapted by human users. In contrast, automated processes typically require adjustments to the automation when such changes occur.

One possible factor is notifications to users, for example information about upcoming maintenance work or other service disruptions affecting eIAM or applications integrated with eIAM. A human user reads the information, acknowledges it, and then continues the login process. An automated process, however, is usually unable to handle such a situation. As a result, the change in the expected flow often causes an error because the automated process does not anticipate this additional step.

In particular, as part of the replacement of CH-LOGIN with AGOV, an «Intermediate Page» is displayed after selecting CH-LOGIN starting from the «AGOV-Push» phase and later during the «AGOV-Force» phase - beginning with the eIAM release «Mönch». This page informs users about the transition to AGOV, encourages them to migrate and, in the «AGOV-Force» phase, requires them to switch from CH-LOGIN to AGOV.

With the solution documented here, this page can be skipped, allowing a direct redirect to CH-LOGIN.

See the documentation here:

User guidance – Documentation provided by the business unit/application

Do I need to adapt the documentation for end users? ▼

In principle yes, if this has not already been done. If you provide users with documentation related to the following topics, it must be updated:

Registration of new CH-LOGIN identities
Login with CH-LOGIN identities
Recovery of CH-LOGIN identities (e.g. password reset)
Switch from CH-LOGIN to AGOV login
Verification/validation of identities (higher QoA)

How do I need to adapt the documentation? ▼

In principle, specialist departments should not create their own user manuals for login via eIAM and/or account registration processes. Reference should always be made to the documentation in the help articles provided, specifically linking directly to the homepage help.eiam.admin.ch.
For the topic of CH2A, text templates for use by the specialist departments are available on the following page: Text templates.
The text templates have already been sent by email to the various communications departments of all offices. They should therefore be informed about the CH2A situation and the use of these text templates in your communication.

End user-related

No selection of login methods in the federal network. Why? ▼

With AGOV-First, the selection of login methods has been revised and optimised. As part of this revision, login with FED-LOGIN will become the default option and will therefore be selected automatically from Federal Administration networks. This offers users in Federal Administration networks an optimal user experience when logging into eIAM-integrated applications, as this takes place entirely in the background without any interaction with the end user. For people who want to use login methods other than FED-LOGIN from federal administration networks (e.g. for testing), the eIAM feature ‘Autologon Cookie’ can be used. This allows alternative login methods to be selected. Information about the ‘Autologon’ feature can be found here: Testing without Autologon

Automatically logged in with FED-LOGIN. Why? ▼

With AGOV-First, the selection of login methods has been revised and optimised. As part of this revision, login with FED-LOGIN will become the default option and will therefore be selected automatically from Federal Administration networks. This offers users in Federal Administration networks an optimal user experience when logging into eIAM-integrated applications, as this takes place entirely in the background without any interaction with the end user. For people who want to use login methods other than FED-LOGIN from Federal Administration networks (e.g. for testing), the eIAM feature ‘Autologon Cookie’ can be used. This allows alternative login methods to be selected. Information about the ‘Autologon’ feature can be found here: Testing without Autologon

How do end users switch from CH-LOGIN to AGOV-Login? ▼

In this phase, users with a CH-LOGIN are prompted at every login to switch to AGOV. During this phase, it is still possible to ignore/skip this prompt and continue using the CH-LOGIN.

It is no longer possible to register new CH-LOGINs. When a user attempts to register a CH-LOGIN, they are prompted to register an AGOV login instead.

How does the CH2A-Wizard work? ▼

Technically, the CH2A-Wizard is a helper component between AGOV and eIAM. It monitors all logins made via AGOV and activates whenever it detects that an AGOV-Login is being used that is not yet known in eIAM as a standalone, authenticating identity. The CH2A-Wizard uses its processes to guide users through a simple yet secure upgrade from CH-LOGIN to AGOV-Login, ensuring that the user retains all permissions and data in eIAM and in applications integrated with eIAM.

When the user accesses a web application of the Federal Administration that is integrated with eIAM and requires a login, they do not select "CH-LOGIN" but instead choose "AGOV" to sign in.
The user logs in to AGOV using an existing AGOV-Login or registers a new AGOV-Login.
Following a successful login or registration in AGOV, the user is automatically guided through the upgrade process by the CH2A-Wizard. Several scenarios are possible:
- a) The user has already used their AGOV-Login during the AGOV-First phase with the Federal Administration.
  - The CH2A-Wizard detects that this AGOV-Login is already known and that no upgrade from CH-LOGIN to AGOV-Login is necessary. The user is forwarded directly to the application.
- b) The user is using their AGOV-Login for the first time with the Federal Administration. They registered their AGOV-Login with the same email address as their
  CH-LOGIN.
  - The CH2A-Wizard detects via the email address provided by AGOV that a
    CH-LOGIN with the same email address exists.
  - The user is prompted to log in one last time with their CH-LOGIN. This ensures that only the legitimate owner of the CH-LOGIN can link it to the AGOV-Login.
  - After a successful login with CH-LOGIN, the user’s eIAM account is linked to their AGOV-Login.
  - The user is informed that their CH-LOGIN has been deleted, that it can no longer be used, and that they must now use AGOV to log in.
  - From now on, the user can log in securely and conveniently using their AGOV-Login. All their permissions have been transferred to their AGOV-Login.
- c) The user has already used their AGOV-Login in the context of AGOV-Allow within the Federal Administration. The user used the AGOV-Login as a "BYOI" identity with CH-LOGIN.
  - In this case, the AGOV-Login is already linked to the user's CH-LOGIN.
  - The user is informed that their CH-LOGIN has been deleted, that it can no longer be used, and that they must now use AGOV to log in.
  - From now on, the user can log in securely and conveniently using their AGOV-Login. All their permissions have been transferred to their AGOV-Login.
- d) The user is using their AGOV-Login for the first time with the Federal Administration. They registered their AGOV-Login with a different email address than their
  CH-LOGIN.
  - The CH2A-Wizard detects via the email address provided by AGOV that no
    CH-LOGIN with this email address exists.
  - The user is asked whether they have a CH-LOGIN registered under a different email address than their AGOV-Login and whether they wish to replace that CH-LOGIN with their AGOV-Login.
  - If the user confirms they have a CH-LOGIN, they are prompted to log in with it to prove they are the rightful owner of that CH-LOGIN account.
  - After successful login with their CH-LOGIN, the user's eIAM account is linked to their AGOV-Login.
  - The user is informed that their CH-LOGIN has been deleted, that it can no longer be used, and that they must now use AGOV to log in.
  - From now on, the user can log in securely and conveniently using their AGOV-Login. All their permissions have been transferred to their AGOV-Login.
- e) The user is using their AGOV-Login for the first time with the Federal Administration. The user does not have a CH-LOGIN.
  - The CH2A-Wizard detects via the email address provided by AGOV that no
    CH-LOGIN with this email address exists.
  - The user is asked whether they have a CH-LOGIN registered under a different email address than their AGOV-Login and whether they wish to replace that
    CH-LOGIN with their AGOV-Login.
  - The user selects that they do not have a CH-LOGIN they wish to link with this AGOV-Login.
  - For security reasons, the user must confirm that they really do not want to link a CH-LOGIN with their AGOV-Login. They are informed that a connection to a
    CH-LOGIN will no longer be possible later.
  - From now on, the user can log in securely and conveniently using their AGOV-Login. No permissions have been transferred because the user has not yet used any Federal Administration applications with CH-LOGIN.

Is there an AGOV-Login for legal entities? ▼

The eIAM help pages have been completely redesigned and serve as the central entry point under help.eiam.admin.ch

for all users of applications behind eIAM. The page also addresses eIAM-specific topics in the context of AGOV and particularly supports the transition from CH-LOGIN to AGOV with dedicated help articles and FAQs.

Through the context-based user guidance of the new eIAM help page, developed by a UX specialist, users can access various help articles on help.agov.ch. In addition to the help articles, the AGOV help page also provides tips and tricks in the form of AGOV explanatory videos.