Our decision‑maker checklist for E‑ID, passkeys, and sovereign application landscapes
In our ITforGOV expert article, we highlighted a crucial dividing line: the e‑ID is primarily a state‑verified proof of identity (identification/proofing), while passkeys are a modern authentication mechanism. This is not an academic debate. This distinction determines whether public administrations build a scalable, secure, and politically sustainable identity and service architecture – or whether new login silos, media discontinuities, and costly corrections become inevitable.
This matters especially now, because the current debate often swings between two extremes:
- We wait until everything is «finished».
- We integrate the e‑ID everywhere and assume this solves the IAM challenge.
Both approaches are risky. Waiting simply shifts risks and costs into the future. And «e‑ID everywhere» blurs roles in the technology stack and shifts risks to the areas where incidents actually occur in practice: recovery, delegations, role models, and governance.
Making decisions now
What we, as decision‑makers, truly need to clarify
The key question is not: Which technology is the best? The real question is: Which decisions cannot be delegated, and which do we need to make now so we do not end up in a dead end two years from now?
Three guiding principles from the article are particularly important for action:
We clearly separate identification, authentication, and authorization.
- E‑ID for identification, attribute verification, and step‑up authentication for sensitive changes
- Passkeys for phishing‑resistant everyday authentication
- IAM and policies for authorization, delegation, and auditability
Why the checklist?
Why did we create this checklist?
Many organisations do not fail because of missing concepts, but because of missing operationalisation.
Questions such as «Who decides?», «What is the minimum standard?», «How do we measure progress?», or «How do we prevent individual projects from creating new silos?» often remain unanswered.
Our Decision‑Maker Checklist translates the arguments from the article into a pragmatic review framework for department heads, CIOs, CDOs, CISOs, and programme owners.
It is particularly helpful for:
- Use‑case clustering instead of one‑size‑fits‑all solutions (citizens, employees, administrators, businesses)
- A step‑up matrix instead of gut feeling (when to use passkeys, when e‑ID is sufficient, when additional controls are required)
- Recovery by design (infrequent usage makes recovery a critical success factor)
- Governance and operations (clear responsibilities, logging, support, and incident processes)
Download the checklist
If, after reading our expert article, the key question becomes: «What does this mean for our organisation in practice?», then the checklist is the best place to start. It is structured so that it can be reviewed directly in a steering committee session, resulting in clearly prioritised next steps.

