You can set up two-factor authentication as soon as you create your MojeID account. Registration involves several steps, including verifying your e-mail address and phone number, followed by entering your password. After entering your password, you will be automatically redirected to the two-factor authentication settings.
If you did not set up two-factor authentication when you registered, or if the added key has already been removed, you can set it up directly in your account. After logging in to your account, you will see a red banner with an "Add a key" button. Then just select the type of key you want to set up and follow the instructions.
Key types:
You can add multiple keys to your account. You can use additional keys to restore access to your account if you lose the first key. You confirm the addition of another key to your account with the key you already use to log in.
If you have checked the "Always require a second factor" box in MojeID (Manage two-factor authentication), you must confirm every login with the key you set up. You can select your preferred second factor method.
If the box is unchecked, the second factor is only required for logins to your MojeID account and for logins to services that require two-factor authentication (for example, public administration services, etc.).
We recommend that you use multiple security keys. You can use additional keys to restore access to your account if you lose the first key.
How to add a security key ‒ detailed manual (in Czech).
MojeID Klíč is a mobile app for Android and iOS that can be used to enhance the security of your MojeID account. You will then use this app to confirm login to your account. The app can also be used as a means of accessing public administration services (level Substantial). Any number of MojeID Klíč apps can be added to a single MojeID account.
For proper pairing and functioning of the MojeID Klíč app, we recommend using the latest available version of Android/iOS.
How to set up MojeID Key:
If you are creating a new account, you will be redirected to the two-factor authentication setup immediately after registering your account and setting your password. If two-factor authentication was not set up when you registered your account, you can set it up after you log into your account by clicking the button "Add a key" in the red "Add a security key" banner.
- Click "Manage" in the Two-factor authentication section and then "Add a new key".
- Download the MojeID Klíč app to your mobile device (from the store or by using the provided QR code).
- Use this app to scan the relevant QR code (the code in step 2). If you are only setting up the MojeID Klíč on your mobile device, click the "Activate App" button to open the MojeID Klíč app (no QR code is displayed and the device offers to open the MojeID Klíč app directly).
- Set the PIN and, if necessary, the biometrics.
- Confirm the settings by logging back into your MojeID account (in the browser where the original registration or login took place). If you are only setting up the MojeID Klíč on a mobile device, click "Complete activation by logging in".
In the browser where you are logged into your MojeID account, JavaScript must be enabled for the app to pair correctly with your account.
If you have linked the app to your account and are in the process of identity verification, or if your account is already connected to the public administration services, do not remove the app from your account or mobile device! Removing the app will cancel the identity verification process and remove your access to the public administration services.
Please note: The app must be secured with a PIN when set up. If you enter the wrong PIN five times in a row when verifying a request, the app will be blocked. The app can only be unblocked once every 24 hours. Unblocking can be done in your MojeID account in Two-factor authentication settings (if your account is secured with another second factor and you can log in), or by contacting support at +420 222 745 111 or podpora@mojeid.cz.
A physical/hardware key (also token or authentication/USB key) is used as an additional factor for user identity verification, e.g. together with a password. It is a small device with a USB connector (and/or NFC/Bluetooth technology) on which you confirm the login by pressing a button or attaching it to your phone.
The physical USB/NFC security key can be purchased from online stores. The specification for the product must include the FIDO 2 label. These keys are compatible with the older U2F standard. You may also see the generic FIDO 2 U2F label.
You can use terms such as "fido 2 usb" or "fido 2 nfc" to search for devices on the Internet.
We recommend these keys: Idem Key (GoTrust), YubiKey 5 series (Yubico), Security Key NFC (Yubico).
For access to public administration services it is necessary to add a physical key with a level of at least FIDO_CERTIFIED_L1.
We recommend adding security keys to your MojeID account in Google Chrome. Make sure you always have the latest stable version of the browser (not beta).
When you add a key in your MojeID account, you will be asked in a pop-up window if you want to allow this site access to your security key. You must allow access for the connection to public administration services to work properly. If you do not allow the MojeID website to access your security key in your browser, its certification may not be recognized. Because of this, the key cannot be used to connect to public administration services.
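How a relying party can enforce the minimum level, and why the access prompt matters, shown as an added example (not MojeID's code): when attestation is withheld the server typically receives no usable AAGUID, so it cannot look the key model up in FIDO metadata. The status strings are FIDO MDS `AuthenticatorStatus` values; the AAGUIDs, metadata entries, function name and rejection policy are constructed for illustration.

```python
# Added example: certification gate over FIDO MDS-style status reports.
# Ranking of certified statuses; plain FIDO_CERTIFIED is treated like L1.
RANK = {
    "FIDO_CERTIFIED": 1, "FIDO_CERTIFIED_L1": 1, "FIDO_CERTIFIED_L1plus": 2,
    "FIDO_CERTIFIED_L2": 3, "FIDO_CERTIFIED_L2plus": 4,
    "FIDO_CERTIFIED_L3": 5, "FIDO_CERTIFIED_L3plus": 6,
}
# Policy assumed for this example: any of these reports rejects the key model.
DISQUALIFYING = {
    "REVOKED", "USER_VERIFICATION_BYPASS", "ATTESTATION_KEY_COMPROMISE",
    "USER_KEY_REMOTE_COMPROMISE", "USER_KEY_PHYSICAL_COMPROMISE",
}
# AAGUID value seen when no attestation is conveyed to the site.
ZERO_AAGUID = "00000000-0000-0000-0000-000000000000"

# Constructed metadata: AAGUID -> statusReports (not real products).
SAMPLE_MDS = {
    "11111111-1111-1111-1111-111111111111": [
        {"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2020-03-01"},
        {"status": "FIDO_CERTIFIED_L2", "effectiveDate": "2021-06-15"},
    ],
    "22222222-2222-2222-2222-222222222222": [
        {"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2019-01-10"},
        {"status": "REVOKED", "effectiveDate": "2022-09-30"},
    ],
    "33333333-3333-3333-3333-333333333333": [
        {"status": "NOT_FIDO_CERTIFIED", "effectiveDate": "2021-02-02"},
    ],
}

def check_key(aaguid, mds, minimum="FIDO_CERTIFIED_L1"):
    """Return (accepted, reason) for a key identified by its attested AAGUID."""
    if not aaguid or aaguid == ZERO_AAGUID:
        return False, "no attestation: key model unknown"
    reports = mds.get(aaguid.lower())
    if reports is None:
        return False, "not listed in metadata"
    statuses = [r["status"] for r in reports]
    bad = DISQUALIFYING.intersection(statuses)
    if bad:
        return False, "disqualified: " + ", ".join(sorted(bad))
    # Highest certified level ever reported; unknown statuses rank 0.
    best = max((RANK.get(s, 0) for s in statuses), default=0)
    if best < RANK[minimum]:
        return False, "certification below " + minimum
    return True, "meets " + minimum
```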
If your security key cannot be added to your account or suddenly stops working, try the key on another computer or mobile device and contact the key vendor if necessary.
Level "High"
The High level of assurance can only be obtained by using a computer and selected physical security keys that hold FIDO certification at level L2 or higher together with either FIPS or CC EAL6+ certification. The security key must have a PIN code set.
Supported keys for the High level are the GoTrust Idem Key and some keys from Yubico (YubiKey 5 FIPS Series with NFC and Security Key NFC).
System security keys are included free of charge in operating systems such as Windows 10 or Android 7.0 and higher. So you can use your computer or mobile device. However, if you only have a system key set as two-factor authentication, the login is always associated with a specific device (mobile phone, tablet or computer). Therefore, you will not be able to log in to MojeID and public administration services from other devices.
You can set one of these keys:
- Mobile device with Android 7.0 or higher (the device must have an active screen lock ‒ PIN, fingerprint, face recognition...). You then use this mobile device to access your MojeID account.
- Windows Hello on devices running Windows 10 and 11. To make it work, the device must have a PIN, fingerprint reader or facial recognition set up. Windows Hello is only available on the most recent version of Windows 10 and 11.
Some Apple devices can already be used as a system security key. However, they are not yet certified and unfortunately we cannot guarantee the correct functioning of these keys. It is therefore not possible to link your MojeID account to public administration services with an Apple device. The Apple system key can only be used to log in to your account or to web portals, etc.
- Warning: do not reset the device (factory reset), remove the screen lock (PIN, fingerprint, ...) or reinstall the operating system. Your system security key (Android, Windows Hello) will no longer work and you will not be able to log in to your MojeID account or public administration services. If you only use this key to access public administration services, you will lose access completely and will have to go through the whole pairing process again.
- Message "Registration failed, security key sent invalid data"
- If you are using a system security key (mobile phone, tablet) and you receive this message, it means that your device sent the required data in a format that does not conform to the specification. The problem in this case is probably on the device manufacturer's side. Please use a different device or a hardware security key. Alternatively, you can contact the device manufacturer and ask them to correct it.
It is an authentication hardware key for multi-factor authentication that provides secure login via a computer, mobile device or laptop. It requires physical presence of the key and manual user interaction to log in (pressing a button, entering a PIN code or touching a fingerprint reader).
The security key works without the need to install any software or drivers — the device acts like a USB keyboard. The user only needs an up-to-date operating system and a compatible version of a browser that supports FIDO 2 devices. The latest versions of Chrome, Firefox, Edge and Safari work well.
A security PIN can be added to a key using the operating system or the manufacturer's application, which further increases the security of the login. For YubiKey keys, the YubiKey Manager application can be used to manage the key; it also allows the key to be reset and the PIN to be deleted. Please note that resetting the key will disable logging into your MojeID account, so you will need to remove the key from your account and set it up again.
By using a security key, threats such as Man-in-the-Middle Attack and Phishing can be eliminated.
The security key does not serve as a storage disk, but only for logging in. It should be plugged directly into the computer, not into a docking station. We recommend connecting multiple keys to your account.
- We recommend these keys: Idem Key (GoTrust), YubiKey 5 series (Yubico), Security Key NFC (Yubico).
- Certified keys must be listed in the FIDO Alliance metadata.
- Preview the FIDO Alliance certified security key list or the FIDO MDS Explorer (in English, lists are maintained by a third party and are for reference only).
1. The original phone is still functional
First, install the MojeID Klíč app on your new mobile device, then add it to your account via the "Add a new key" button and follow the instructions. You must confirm the addition of the second key and log back into your account with the original MojeID Klíč app (i.e. the old phone). Once successfully added, you can remove the original key in the account (via "Manage Two-factor authentication") and then uninstall the app on the old phone.
Procedure for transferring the MojeID Klíč app using mobile devices only:
- Install the MojeID Klíč app on your new mobile device.
- Log in to your MojeID account on your new mobile device (you confirm your login using the app on your old phone).
- Click "Add a new key" in Two-factor authentication and then "Activate App".
- The mobile device will offer apps to open - select the MojeID Klíč app.
- Choose a new PIN and biometrics if applicable.
- Click on "Complete activation by logging in". You must confirm the addition of the second key and log in again in the original MojeID Klíč app (i.e. the old phone).
- Once successfully added, you can remove the original key in your account (via "Manage Authentication") and the app on the old phone.
There is no limit to the number of mobile devices per account. If you use multiple mobile devices at the same time, we recommend setting up the MojeID Klíč app on a second device to keep it backed up.
2. The original phone is not working
- Unfortunately, if the original phone is lost or not working, you must remove the two-factor authentication from your account (link "Remove two-factor authentication" when logging in). You will then add the MojeID Klíč app to your account and restart the pairing process to access public administration services.
- If you do not have access to the e-mail or phone listed in the account, you must use the form Zadost_o_odebrani_2FA_CZ.pdf.
If you have any questions or comments concerning MojeID, contact us at podpora@mojeid.cz or call the technical support of the CZ.NIC Association, the administrator of the domain register, at +420 731 657 660 or +420 222 745 111 (24/7).