Mobile navigation is open Mobile navigation is close
Search icon

Public administration – level “high”

Account verified at high level of assurance enables access to all electronic public administration services, including those requiring the strongest security (e.g. opening and managing government bonds asset account). You will get level “substantial” automatically together with level “high”.

Property account for buying government bonds is designated only for Czech citizens.

1. High level of assurance can be obtained only by using a computer and hardware security keys with FIDO certification of at least level 2 and FIPS.

Security key must have a PIN set. The only key supporting level “high” is so far a GoTrust Idem Key. Depending on the browser, the key is labeled as GoTrust Idem Key U2F Authenticator or GoTrust Idem Key FIDO2 Authenticator.

Logging in to public administration services with a level of assurence “high” must be done in a browser supporting PIN entry while using the key.

2. It is necessary to verify your identity (at the Czech POINT office, via eObčanka or via I.CA identity with Starcos card).

We recommend adding the PIN on a PC or a notebook with an up to date operating system Windows 10, Windows 11 or Linux. You cannot use a mobile device.

Method for Chrome (OS Linux and Mac):

  • In the Chrome browser menu click SettingsPrivacy and SecuritySecurityManage security keysCreate a PIN and choose your PIN (4 to 8 digits). Please, remember this PIN.
    • You can also copy the following link and enter it in the address bar, which will take you directly to the security keys settings: chrome://settings/securityKeys
    • The link chrome://settings/securityKeys should also work in the Vivaldi browser.

Method for Windows Hello (Windows 10 and 11):

  • On a computer with Windows Hello click StartSettingsAccountsSign-in optionsSecurity KeyManageAdd Security Key PIN.

We recommend keeping your system up to date and using latest stable version of Chrome browser.

It might not be possible to set up PIN on older operating systems (Windows 7) or older mobile devices. In such case the only way to set up security key PIN is to use PC or notebook with suitable operating system.

If you already have your PIN set, you remember it and want to change it, you can use one of the following methods.

Method for Chrome:

  • In the Chrome browser menu click Settings Privacy and Security Security Manage security keys Create a PIN. Enter your old PIN once and then the new PIN twice (4 to 8 digits).
    • You can also copy the following link and enter it in the address bar, which will take you directly to the security keys settings: chrome://settings/securityKeys

Method for Windows Hello (Windows 10 and 11):

  • On a computer with Windows Hello click Start Settings Accounts Sign-in options Security Key Manage Add Security Key PIN. Enter your old PIN once and then the new PIN twice (4 to 8 digits).

Security key gives you 5 attempts to enter PIN code.

In case you forget your PIN and block your key by repeatedly entering wrong PIN, it‘s possible to reset the key using Google Chrome browser or Windows Hello.

Method for Chrome:

  • In the browser menu click Settings Privacy and Security Security Manage security keys Reset security key and confirm by touching the key.
    • You can also copy the following link and enter it in the address bar, which will take you directly to the security keys settings: chrome://settings/securityKeys

Method for Windows Hello (Windows 10 and 11):

  • On a computer with Windows Hello click Start Settings Accounts Sign-in options Security Key Manage.

WARNING: Resetting the key will erase all of its settings. The entire process of pairing the key and your mojeID account to public administration services must be performed again after resetting the key, including identity verification (e.g. by visiting a Czech POINT office).

This line is shown during a level “high” login, if:

  • You use a GoTrust Idem Key without a PIN set
  • You use an unsupported key that does not meet level “high” requirements

You can verify your identity with an already existing level “high” method (e.g. eObčanka or I.CA identity with Starcos card), or at the Czech POINT office with your ID card. Other identity verification methods (e.g. data box, NIA ID or Mobilní klíč eGovernmentu) are not allowed, because they do not meet level “high” security requirements.

Using MojeID to access to public administration services is available only to the citizens of the Czech republic (non-entrepreneurs with permanent residence address) and for foreigners, who have a temporary residence or permanent residence address in the Population Register.

Log in to level “high” services:

You must always use a GoTrust Idem Key paired to level “high” and a browser supporting PIN entry during login. We recommend using Chrome. You must log in on a computer. Browsers on mobile devices do not support PIN entry.

Log in to level “substantial” services:

You can use other browsers and hardware (YubiKey, Feitian, …) or system (Windows Hello, Android, …) security keys paired to level “substantial”. You do not have to enter PIN during login. To log in, you can also use MojeID Klíč mobile app paired to level “substantial”.

With level “high” you can log in to services requiring lower level of assurance.

Using other security keys is not possible. GoTrust Idem Key is approved directly by the Ministry of the Interior to be used with level “high” because it has FIDO2 L2 certification, FIPS 140-2 level 3 (Secure Element) and allows PIN to be set up (biometrics cannot be used).

Other L2 keys cannot be used, not even if they have PIN set up. MojeID Klíč mobile app as accredited only for level “substantial”, therefore it cannot be used for level “high”.

NOTE:

While adding a GoTrust Idem Key, a level 1 certification may be displayed, depending on the browser. However the security key (with PIN set) can still be used for level “high” pairing.

WARNING:

Chrome browser may display a window with a message:

  • Your security key cannot be used on this website.
  • Website mojeid.cz probably requires newer or different type of key.

It means that you are trying to use the wrong key for level “high”. It is either an unsupported type or it does not have PIN set.

If you already have an account paired to level “substantial” and have a suitable key added (GoTrust Idem Key), follow these steps:

  1. In the account, go to Settings → Access to public administration services section and click SetGet access for key. Alternatively you can click Get level “high” in the security keys overview.
  2. On the Level of assurance selection page click Get level “high”.
  3. Set up security key PIN.
  4. Click ContinueLogin and use the key and chosen PIN.
  5. Select the identity verification method (eObčanka, I.CA identity with Starcos card or verification at the Czech POINT office).
  6. Give one time consent to hand over personal inforrmation and finish the pairing.

Information about level “high” pairing completion can be found in Settings → Access to public administration services or in the Security keys overview (Two-factor authentication settings).

If you want to add another hardware security key that meets level “high” requirements to your account (GoTrust Idem Key), follow these steps:

  1. The new key must already have a PIN set. See chapter How to set up security key PIN?
  2. In your account, in the Settings click Two-factor authentication Security key Add another security key.
  3. On the Add security key page enter new key‘s name. Leave the checkbox Use the key to access services of level “high“ checked and click Add.
  4. Touch the new key, then allow the page to access the key. Touch your key again and enter the key‘s PIN. Touch the key once more and again allow access to the key.
  5. Confirm adding the key by logging in again. Enter your password and use a key that is already paired to level “high”.

How to log in to level “high” services:

To log in to level “high” services, use latest versions of Chrome, Edge, or Opera. These browsers allows PIN entry during login. Firefox unfortunately does not support PIN entry.

Edge browser can be downloaded (.deb or .rpm packages) at: https://www.microsoft.com/en-us/edge

If you have any questions or comments concerning MojeID, contact us at podpora@mojeid.cz or call the technical support of the CZ.NIC Association, the administrator of the domain register, at +420 731 657 660 or +420 222 745 111 (24/7).