ISO 27001 - Security at authega

The administration acknowledges its responsibility for information technology (IT) security in the authega procedure. The protection of confidential information as well as the availability and integrity of all data to be processed within the framework of authega and their processing systems must be guaranteed.

The authega process is subject to various legal requirements for IT security. When it comes to the electronic transmission of data, a large number of legal regulations and various letters from the Federal Ministry of Finance have to be observed, which make proper handling of electronic data a challenging task. The most important legal regulations include:

  • Federal Data Protection Act (BDSG)
  • Bavarian Data Protection Act (BayDSG)
  • Act to promote electronic administration (EGovG)
  • Law on electronic administration in Bavaria (BayEGovG)
  • Telemedia Act (TMG)
  • Bavarian regulation for the creation of barrier-free information technology (BayBITV)

Authega's services are provided in an independent, certified infrastructure (ISO 27001 based on the IT-Grundschutz catalogs of the Federal Office for Information Security) that is isolated from other administrative systems.

The certification documents both that the IT-Grundschutz according to ISO 27001 has been fully implemented for these services provided by the Bavarian State Office for Taxation, and that dealing with IT security issues is an essential part of the administration's objectives.

ISO 27001 certificate, valid until October 8th, 2023

Basic knowledge

The dangers from the Internet are increasing every day. Developers of Internet software, such as authega, are in a constant race with hackers who are always finding new ways to attack in order to spy on or manipulate electronic information communicated via the Internet. The usual dangers posed by hackers include hijacking, masquerading and phishing. When using authega, ensuring security is the top priority for the administration.

Your connection to authega is electronically encrypted. This prevents unauthorized third parties from seeing the transmission of information over the Internet between your computer and authega.

Through this connection, authega ultimately offers you the following options for the secure use of its personalized services:

  • Registration

    For security reasons, registration with authega takes place in several steps. However, it only has to be carried out once. When registering, you have to choose one of the two variants (certificate file or signature card); the selection may be restricted in the various specialist procedures for legal or technical reasons. The user packages differ in their security level and, accordingly, in the functions available. You can find more information on the registration pages. After registration, depending on the type of login and the associated security level, you can use various personalized services for the specialist procedures. For security reasons, personalized login is only possible for registered users. Non-registered users can only access the authega public area and the specialist procedures.

  • Login
    You must register before using the personal functions. Depending on the variant selected (certificate file or signature card) and the associated security level, one of the following authentication methods has been defined as part of your registration:

    • Certificate file:
      The software certificate is an individually protected file that is stored on your computer in a special security environment and contains your personal keys and certificates. You can save this file on your computer (your hard drive) or an external storage medium (e.g. USB stick).
    • Signature card:
      The certificate required for authega is located on a signature card chip (crypto chip), a small microprocessor through which the stored data (certificate) is accessed. Routing every access through the microprocessor allows the data on the card to be protected against unauthorized access using cryptographic methods. This ensures maximum security: Phishing and other attacks on the certificate are excluded. A card reader is required, which, like the signature card for authentication, must be purchased. The administration requires a minimum level of security when using signature cards for authentication, which can be found in the authega policy.

  • Deleting an account

    Here you have the option of permanently deleting your personal access to authega. All the data in your user account will be irretrievably deleted (data in specialist applications is fundamentally not affected and will be available again after you re-register; the exception is the “Platform for secure communication in Bavaria”). For this you need the e-mail address stored for your user account, the lock code of your user account and the answer to your personal security question, which you specified during registration. If you no longer know the lock code of your user account, you can have information about all user accounts registered under a VIVA personnel number sent to you. To do this, click on Lock code recovery under My user account. You do not have to log in to delete your user account. Use this functionality if you lose your certificate or if you suspect that someone has obtained unauthorized access to your certificate file or signature card.

    Further information on the procedure can be found in the FAQ on this topic.

Your browser is the gateway to the Internet. It can be used to explore websites, search for information and download files to your computer. Whether Chrome, Internet Explorer, Mozilla Firefox or Safari: new security holes are constantly being discovered in all Internet browsers. So check your Internet browser regularly and keep the software up to date with security updates. All common Internet browsers also have security mechanisms in place to prevent, for example, computer viruses and Trojans from changing, deleting or reading files on your computer.
Further information on dangers and security measures when using your Internet browser can be found, for example, on the following website of the Federal Office for Information Security:

With so-called phishing e-mails, fraudsters lure you to fake websites or ask you to provide access information for Internet applications. With the data obtained in this way, the fraudsters try to harm the users. Please note: The administration will never send you e-mails that contain payment instructions or that ask you to release security-related data such as your personal password, personal certificate, personnel number, etc. Never provide information about your secret access data to authega, neither by phone nor by e-mail. Therefore, ignore e-mails from supposed senders from the administration in which you are asked to disclose confidential data. If you have accidentally visited a dubious website and disclosed your data, contact the hotline immediately and delete your authega user account if necessary.


Registration with authega begins with the collection of your personal data. This is above all your e-mail address or information to determine your postal address. Based on this data, evidence is provided that your electronic identity matches your person. For security reasons, an exchange of data between you and the specialist applications is necessary for proof of identity. Registration consists of several steps. The administration must know exactly that you are the person you claim to be electronically, in order to prevent the electronic misuse of your personal access to authega and the specialist procedures. After successful registration, the services of authega and the specialist procedures are available.

authega offers you different ways to register, i.e. to provide proof of your identity. These paths differ in their level of security, in the acquisition costs, in the procurement effort and ultimately in their validity. Depending on the security of the different registrations, authega offers you two user packages with different services. This information is clearly shown on the Registration page.

To rule out that someone other than you logs on to authega, you must obtain an authentication means as part of the registration process. The authentication means can be one of the following:

  • Certificate file
  • Signature card

You use it to authenticate yourself to authega quickly and easily at login. After registration is complete, access to your personalized services is only possible via the authentication means linked to your authega user package.

When using a certificate file, the security of your personal access to authega also depends heavily on the security of the computer used. This security is your personal responsibility and is exposed, among other things, to dangers from the Internet (e.g. hijacking, masquerading and phishing). For example, a certificate file on your computer can be copied as often as you like and may fall into the wrong hands through carelessness. Since copying can also take place unnoticed (e.g. by computer viruses or Trojans infiltrated via the Internet), a certificate file entails risks for you that you should take into account. We therefore recommend that you take security measures to limit Internet threats. Measures to consider include installing a virus scanner or a personal firewall, or a security check of your computer configuration. Information on dangers and security measures can be found at the Federal Office for Information Security or at "Deutschland Sicherheit im Netz e. V.":

In contrast to the certificate file, which is stored on the hard drive of your computer, your keys on the signature card for authentication are kept outside the security environment of your computer. The private keys stored in this way cannot be read out. In addition, the signature card for authentication is automatically blocked after a few unsuccessful accesses - usually three - and must be unblocked before it can be used again. The likelihood that someone will gain access to your certificate by trying passwords is therefore very low. Sensitive cryptographic operations with your private keys are carried out within the signature card and do not depend on the security environment of your computer, which is exposed to dangers from the Internet. The signature card also meets higher security requirements. If you see uncertainties in the security of the computer used, or cannot implement the proposed security measures for the secure use of a certificate file (e.g. in an Internet café), we recommend that you register with a signature card.
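The retry counter described above is the property that makes PIN guessing against a signature card a poor bet: the card gives an attacker at most a handful of attempts before it blocks itself, whereas a certificate file copied from disk can be attacked offline with unlimited attempts. The following is an added example, not authega's software or the firmware of any real card; it models a card PIN check with a three-attempt retry counter and computes the worst-case success probability of guessing. The PIN value and the guess list are constructed for the example.

```python
"""Simplified model of a signature card's PIN retry counter (added example).

Not authega's code and not a real card's firmware. It shows why a card that
blocks itself after three wrong PINs bounds an attacker to three guesses,
while a key file on disk can be attacked with unlimited offline attempts.
"""
import hashlib
import hmac
import os
from fractions import Fraction


class CardBlockedError(Exception):
    """Raised when the retry counter has reached zero."""


class SignatureCardPin:
    """Models the PIN check that guards the private key on a card.

    The card never hands out the key; it only answers verified / not verified,
    and every wrong answer consumes one retry. Reaching zero blocks the card
    until an out-of-band unblock procedure resets the counter.
    """

    MAX_RETRIES = 3  # "usually three", as stated on the page

    def __init__(self, pin: str):
        # Real cards keep the reference PIN in tamper-resistant storage; this
        # model stores only a salted hash so no plaintext PIN is held.
        self._salt = os.urandom(16)
        self._pin_hash = self._hash(pin)
        self._retries_left = self.MAX_RETRIES

    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    @property
    def retries_left(self) -> int:
        return self._retries_left

    @property
    def blocked(self) -> bool:
        return self._retries_left == 0

    def verify(self, pin: str) -> bool:
        """Check a PIN; a wrong PIN burns one retry, the third wrong one blocks."""
        if self.blocked:
            raise CardBlockedError("card blocked: unblock required")
        if hmac.compare_digest(self._pin_hash, self._hash(pin)):
            self._retries_left = self.MAX_RETRIES  # success resets the counter
            return True
        self._retries_left -= 1
        return False

    def unblock(self) -> None:
        """Stand-in for the out-of-band unblock (PUK / issuer); resets retries."""
        self._retries_left = self.MAX_RETRIES


def guess_success_probability(pin_digits: int, attempts: int) -> Fraction:
    """Worst-case chance that `attempts` distinct guesses hit a uniformly
    chosen numeric PIN of `pin_digits` digits, i.e. the guesses a card
    allows before blocking."""
    space = 10 ** pin_digits
    return Fraction(min(attempts, space), space)


def simulate_guessing(card: SignatureCardPin, guesses: list[str]) -> dict:
    """Run a list of guesses against the card and report the outcome."""
    result = {"tried": 0, "succeeded": False, "blocked": False}
    for guess in guesses:
        try:
            ok = card.verify(guess)
        except CardBlockedError:
            result["blocked"] = True
            break
        result["tried"] += 1
        if ok:
            result["succeeded"] = True
            break
    result["blocked"] = result["blocked"] or card.blocked
    return result


if __name__ == "__main__":
    card = SignatureCardPin("482913")  # constructed sample PIN
    # Even though the correct PIN is the fourth guess, the card blocks after
    # three wrong ones, so the attacker never reaches it.
    print(simulate_guessing(card, ["000000", "111111", "123456", "482913"]))
    print("P(success) with 3 tries on a 6-digit PIN:",
          guess_success_probability(6, SignatureCardPin.MAX_RETRIES))
```

With a six-digit PIN and three attempts the worst-case success probability is 3/1,000,000; the same PIN protecting a key file that an attacker has copied can be tried a million times offline, which is the contrast the text draws.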

Deleting an account

Here you have the option of permanently blocking your access (login) to authega. Your data will be irretrievably deleted in authega. Data in the specialist procedures is fundamentally not affected by this and is accessible again after re-registration (with the exception of the "Platform for secure communication in Bavaria"). On the one hand, you can use the function if you no longer need your access. On the other hand, this function is available to you for security reasons if your authentication means (certificate file or signature card for authentication) has accidentally gotten into someone else's hands or you have lost it. In this case, you should delete your authega user account immediately, as there is an increased risk that an unauthorized person could gain access to your personalized services. To delete the user account, you need personal data (the blocking code of the user account, or the Bavarian employee service personnel number and date of birth) and the answer to the security question that you selected and answered when you registered with authega. This means that only you can initiate the deletion or blocking. You do not have to log in to delete your user account.

If you no longer know the lock code of your user account, you can have information about all user accounts registered under a personnel number sent to you. To do this, click on Lock code recovery under My user account.

Note on deleting the user account for the certificate file:
If you perform the deletion process, your authega certificate and your data will be blocked or deleted immediately and access (login) will be irrevocably prevented.

Note on deleting the user account for signature cards for authentication:
If you carry out the deletion process, your data will be deleted or blocked immediately and the access (login) for this user account will be irrevocably prevented. Your signature card (certificate) remains valid. You can register again with your signature card and open a new user account. If you also want to block your signature card for authentication, you must contact the issuer of your signature card.

Further information on the procedure can be found in the FAQ on the topic.

Once you have successfully identified yourself to authega, you authorize the block by entering your answer to the assigned security question. Your personal access will then be blocked immediately. If an unauthorized person wanted to block one of your accesses, they would have to know your blocking code and the answer to your personal security question, which is unlikely. In addition, there is no particular motivation for unauthorized persons to block personal access. The motivation for unauthorized persons or hackers would rather be to obtain your personal data, which at authega is reliably secured by security technologies in the areas of authentication and encryption.
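The blocking request described above is authorized by two things the account holder knows (the blocking code and the security answer) rather than by a login. The following is an added example of how such a check is commonly built on the server side; it is not authega's implementation and the record layout, lock-code format and sample values are constructed for the example. It keeps both secrets only as salted PBKDF2 hashes, compares them in constant time, normalizes the security answer identically at enrolment and at verification, and always evaluates both proofs so that a wrong code and a wrong answer are indistinguishable to the requester.

```python
"""Model of the check guarding a block/delete request (added example).

Not authega's implementation. The page states that blocking needs the lock
code plus the answer to the personal security question, without a login.
This model shows a server-side check in which the stored record reveals
neither secret, both are compared in constant time, and the answer is
normalized so that "Maxi Mustermann" and "  maxi  mustermann " match.
"""
import hashlib
import hmac
import os
import secrets
import unicodedata
from dataclasses import dataclass

ITERATIONS = 100_000  # PBKDF2 work factor; constructed for the example


def _normalize_answer(answer: str) -> str:
    """Case- and whitespace-insensitive form of a security answer."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def _derive(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)


@dataclass
class AccountRecord:
    """What the service stores: salts and hashes, never the secrets themselves."""
    account_id: str
    lock_code_salt: bytes
    lock_code_hash: bytes
    answer_salt: bytes
    answer_hash: bytes
    blocked: bool = False


def enrol(account_id: str, security_answer: str) -> tuple[AccountRecord, str]:
    """Create the record; return it with the lock code shown once to the user."""
    lock_code = "".join(secrets.choice("0123456789") for _ in range(8))
    code_salt, answer_salt = os.urandom(16), os.urandom(16)
    record = AccountRecord(
        account_id=account_id,
        lock_code_salt=code_salt,
        lock_code_hash=_derive(lock_code, code_salt),
        answer_salt=answer_salt,
        answer_hash=_derive(_normalize_answer(security_answer), answer_salt),
    )
    return record, lock_code


def request_block(record: AccountRecord, lock_code: str, security_answer: str) -> bool:
    """Block the account only if both proofs match.

    Both comparisons are always performed (no short-circuit) so the response
    time does not tell the requester which of the two proofs was wrong.
    """
    code_ok = hmac.compare_digest(
        record.lock_code_hash, _derive(lock_code, record.lock_code_salt))
    answer_ok = hmac.compare_digest(
        record.answer_hash,
        _derive(_normalize_answer(security_answer), record.answer_salt))
    authorized = code_ok and answer_ok
    if authorized:
        record.blocked = True
    return authorized


def wrong_code(code: str) -> str:
    """Helper for the demo: a code that differs from `code` in its first digit."""
    return ("1" if code[0] != "1" else "2") + code[1:]


if __name__ == "__main__":
    rec, code = enrol("user-0001", "Maxi Mustermann")  # constructed sample
    print(request_block(rec, wrong_code(code), "Maxi Mustermann"))  # False
    print(request_block(rec, code, "wrong answer"))                 # False
    print(request_block(rec, code, "  maxi   mustermann "))         # True
    print(rec.blocked)                                              # True
```

The lock code is generated by the service and shown to the user once, which is why the page describes a separate "Lock code recovery" path for users who no longer know it; the service itself cannot recover it from the stored hash.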