Page principale Navigation Contenu Contact Sitemap Recherche

Process Transition for the Decommissioning of Vasco Tokens in CH-LOGIN

This page presents the potential improvements to the RIO process (Vasco token issuance in the social security sector of the federal administration). The considerations can be applied to other administrative units as well, even if Vasco tokens are distributed via postal mail (in which case, variants 2 and 3 are applicable). The authentication level AGOVaq300 mentioned corresponds to eIAM’s QoA50, i.e., a substantially verified electronic identity aligned with LoA3 according to eCH-0170.

Please note that although the variants mentioned below generally apply to the removal of Vasco tokens at the Confederation level (i.e. CH-LOGIN and A3), only CH-LOGIN (and only new Vasco users) is currently affected by this change. A3 is expected to be decommissioned in 2027. Users (new and existing) who use CH-LOGIN without Vasco — i.e., with username, password, and SMS mTAN (or Google/Microsoft Authenticator) — will not experience technical changes (only minor visual adjustments) and may continue using CH-LOGIN as usual (or voluntarily switch to AGOV).

Description of the variants for the nationwide abolition of Vasco tokens.
Variants regarding the nationwide abolition of Vasco tokens.


Accessing data requiring increased protection, or for business process reasons, requires the user authentication to meet three quality criteria:
  1. The user must use cryptographically hardened login factors (credentials).
  2. The user's real identity must be substantially verified based on an official photo ID and facial recognition.
  3. There must be a reliable link between the substantial identity verification and the login factor; the login factor must be directly involved in the verification process.
The federal administration supports multiple login methods using different login factors that can meet this level of authentication. This quality level is referred to as "high" in IKT specification Si001, QoA50 in the eIAM quality scale, AGOVaq300 in the AGOV scale, and approximately Level of Assurance 3 (LoA3) according to eCH-170.

Login methods in the federal administration capable of supporting LoA3 include:

  1. FED-LOGIN for employees and affiliates
  2. AGOV for non-employees (replacing CH-LOGIN)
  3. Logins via the so-called A3 server
Credentials used for LoA3 include smartcards (only for employees and close affiliates), FIDO-based access apps, physical FIDO security keys, and currently, Vasco tokens.

Vasco tokens — also known as One-Time Passwords (OTP) — will soon be phased out within the federal administration, along with the A3 server.

It explains how the identity verification procedures associated with Vasco tokens - also referred to as identity clarification - work, and how they can be transitioned to other identity verification methods that do not rely on Vasco tokens.

Vasco tokens are small, battery-operated devices about the size of a lighter that periodically display a new number on their screen. This number is a One-Time Password used as a login factor.

The identity verification process involving Vasco tokens is based on the physical handover of the token to a person whose official ID is checked and facial features compared. This process may also be delegated to Swiss Post.

Vasco tokens are owned by the application provider (in this case, the federal administration) and issued to the end user. Once Vasco tokens are discontinued, this handover and verification process is no longer possible, as end users must bring their own login factors (e.g., FIDO keys, smartphones with access apps — not to be confused with Google/Microsoft Authenticator apps — or smartphones with the Swiss e-ID).

Let us summarize the soon-to-be-deprecated Vasco-token-based identity verification process. This example assumes an in-person, on-site procedure, also known as the RIO process. RIO stands for Registration Identification Officer.

The end user visits a Registration Identification Officer, who checks their official ID and facial features, registers the data, hands over a Vasco token linked to a login account, and assigns application permissions. Variants of this process exist (e.g., delegation to Swiss Post) and produce the same result.

The new token-free identity verification processes are as follows:


Variant 1: "Classic RIO"
This closely mirrors the traditional in-person Vasco-based RIO process with identity verification.

Characteristic a): The user does not yet have an AGOV account. One is created on-site. Ideally, the RIO issues a FIDO token to avoid requiring the user to bring one or use their phone (though phones can be added later as additional tokens). The AGOV account is initially unverified. The RIO then checks the ID documents, scans and uploads them via the "AGOV counter" app. The account is now verified (i.e., AGOVaq300 / eIAM QoA50 / eCH0170 LoA3), and the RIO may assign application rights as before.

Characteristic b): The user already has an AGOV account. The RIO process is initiated (in-person ID check), and proceeds as in Variant a).

It is important to note that using a smartphone is not mandatory: physical FIDO security keys are a valid alternative, either user-provided or issued by the Registration Identification Officer. While a Vasco token costs the office approx. CHF 60 per year, a FIDO key is a one-time purchase in the low to mid double-digit range. See .


Variant 2: "RIO Federal Proof"
To virtualize the RIO visit, the end user and Registration Identification Officer may meet in a video call. The user proves their identity using the Federal Proof tool and receives the necessary permissions. The process is documented at .


Variant 3: "Access Request"
Here, the user must already have a verified AGOV identity (LoA3 aka AGOVaq300). If not, AGOV guides the user through a step-up (e.g., video identification). Based on this identity, the user triggers an access request in eIAM.

In this variant, AGOV identity data is trusted, and the target application must enforce that the identity is at least AGOVaq300. Verification methods can include video ID, Swiss Post's BmID, or the Swiss e-ID via AGOV. On first access, the user sees an online request form which is forwarded — along with verified identity data — to the authorized person (e.g., the Registration Identification Officer). No ID copy is transmitted; it was previously submitted to the Federal Chancellery during AGOVaq300 and is only released upon request by a Swiss public prosecutor. When using the e-ID via AGOV, identity data is referenced from Fedpol rather than the Federal Chancellery.


Variant 4: "Invitation"
Similar to variant 3, but here the user receives an onboarding code via email. This code can only be redeemed with a verified AGOV identity (AGOVaq300 or higher), ensuring traceability. The advantage is that the end user can be pre-authorized. When the code is redeemed, the system verifies the user owns the associated email address and didn’t receive the code from someone else.

For institutions wishing to stay as close as possible to the traditional Vasco-based RIO process, variant 1 ("Classic RIO") and its virtual version variant 2 ("RIO Federal Proof") are the most appropriate.