Frequently Asked Questions

GoodID is a multifunctional digital wallet that allows you to manage and share your personal information so you can access services in a fast, simple and secure way. The solution includes a mobile-based, zero-knowledge verification service and framework, suitable for user verification and authentication of varying security levels. For developers, we also offer a software development kit to facilitate easy integration.

You can use GoodID to verify yourself with a single click, online or offline, when service providers ask you to. Enjoy full control over who you share your personal information with and access services, online or offline, without any hassle or worry. And say goodbye to sign-in and registration troubles once and for all.

For end users, GoodID is and will always be free. Our revenue comes from fees paid by the service providers. Unlike Facebook or Google, however, we will not ask for your data in return either. We do not have access to or knowledge of the information you share.

As it does to make a cup of coffee, depending on the speed of your internet connection.

During the verification process, we will send a verification code to the email address you have provided. Click on the link in the email or type the verification code in the GoodID app to verify that the email address belongs to you. To make the process even easier, import an email address already verified by your Facebook or Google account.

Your data will only be stored in the GoodID app on your phone, using multi-layer encryption. Once you have selected what information to share, the app re-encrypts your data with the service provider’s secret key before sending it to them. As a result, it is impossible for the GoodID server to store or even know anything about your data. This is called zero-knowledge data transfer. The only exceptions are your email address and phone number that are temporarily stored during the verification process and deleted after it has been completed.

Your data will only be stored in the GoodID app on your phone, using multi-layer encryption. Once you have selected what information to share, the app re-encrypts your data with the service provider’s secret key before sending it to them. As a result, it is impossible for the GoodID server to store or even know anything about your data. This is called zero-knowledge data transfer. The only exceptions are your email address and phone number that are temporarily stored during the verification process and deleted after it has been completed.

Open GoodID’s website from a browser on your computer, tablet or mobile and click on the service provider’s icon. Or go directly to the service provider’s website and click on GoodID login.

GoodID login is available in 100+ webshops, including booksellers, grocery stores and sports retailers. You will soon be able to use it for online or offline verification at financial institutions, insurance companies, events and other service providers, as well.

GoodID QPass is an e-ticket for quick and easy entry to events.

Download the GoodID app to your phone. You will only need to enter some basic details once and then you can access any event that supports QPass verification (e.g. ecommerce.hu) with a single push of a button. After completing the purchase, you will automatically receive your ticket or will be sent an email with the access link. Go to GoodID’s Wallet for the downloaded QPass. When you arrive at the event venue, your ticket will appear on your mobile screen. Just click the ticket and show the QR or barcode to gain entry.

In GoodID, you can set up various user profiles – just go to Settings and turn on Profiles  using the toggle button.

Create a Personal, Workplace or John Doe profile, so you can control what preselected and recorded information you share with different services. If you would like to sign in to your account with a service provider using other credentials than the ones already in use, set up a new profile and make sure to select it when logging in for the first time.

For future logins, the app will automatically select the profile you used the first time.

There are more than one options. GoodID creates a unique pairwise identifier for each service provider and user at first login, then hands it over to the service provider at each subsequent login. This does not qualify as personal information, because it only enables the service provider to verify your account and not your identity.

Service providers can also ask for additional personal information to verify users, including a verified email address or phone number, home address, age or ID document number. You are always in full control of your data, so make sure to double-check what information you are sharing with a service provider at first login. GooID does not share any of your information without your explicit consent.

From your perspective, they all offer similar speed and convenience. GoodID, however, comes with a host of additional benefits compared to social logins.

• Includes multi-factor authentication using a mobile device and some other security feature for user verification (e.g. PIN, fingerprint, face).
• Zero-knowledge solution with no central server to store data on.
• Gives you full control over sharing your data with each service provider. Facebook, in comparison, shares all your public information (including your user ID, name, profile picture, cover photo, gender, school and workplace connections and groups you are a member of, language and current city) with service providers at each login, regardless of whether or not these are relevant to them.
• Allows you to set up different user profiles.
• Identifies you using a unique pairwise identifier at each service provider. Most identity verification solutions assign a single identifier to users and share it across services.
• Offers a verification and authentication solution that caters to various user and service recipient security needs.
• Supports offline authentication.
• Makes it possible for service providers to define what information to request from users, including required and optional login credentials.

Password managers are designed to take the burden of managing passwords away. GoodID, however, takes a completely different approach to this challenge.

• Makes passwords obsolete instead of just simplifying password management.
• Offers greater security, thanks to multi-factor authentication and strong customer authentication processes.
• Available on websites at a click of a button. Password managers must be installed on each browser and device.
• Unlike password managers, GoodID can be used for both user verification and authentication purposes, which means faster and more convenient registration online.
• Available in all popular platforms and browsers. Password managers, especially extensions and more specifically, mobile browser extensions, only work with a single type of browser.
• Protects users from cybersecurity attacks passwords managers are defenseless against, such as man-in-the-middle or phishing.
• Supports offline authentication.

With GoodID, you do not need to enter your username and password at all. This means faster and more convenient sign-ins to a given service provider’s website across browsers.

Powered by algorithms such as TOTP or HOTP, one-time passwords enable two-factor authentication as part of an existing password-based login process. Hardware tokens, text-based and mobile app-based verification solutions (e.g. Google Authenticator) and many other applications run on OTPs.

GoodID uses an entirely different approach:

• Completely replaces sluggish password-based login processes instead of complementing them. There is no need for additional codes or passwords each time you sign in.
• Unlike OTP-based solutions, GoodID can be used for both user verification and authentication purposes, which means faster and more convenient registration online.
• Protects users from cybersecurity attacks OTPs are defenceless against, such as man-in-the-middle or phishing.
• Supports offline authentication.

FIDO Alliance has published two sets of specifications for stronger user authentication: U2F and UAF. Both use asymmetric cryptography to eliminate passwords.

GoodID is based on a similar principle but offers additional benefits:

• Unlike FIDO, GoodID can be used for both user verification and authentication purposes, which means faster and more convenient registration online.
• Compliant with OpenID specifications.
• Has revoking and restoring functions.
• Available in all popular platforms and browsers. FIDO solutions are run as browser extensions, which are not supported by all browsers, especially on mobile.
• Supports offline authentication.

Our goal is to make sure that our users have full control over their data. This is why a new identifier is created for each service provider so users could not be identified even if multiple service providers colluded. Or if a user would like to sign in to the same service using multiple profiles (e.g. workplace and private). In this case, they will be given separate identifiers and will appear as different users on the service provider’s side. This is how users can stay anonymous, service provider permitting.

The only place GoodID stores your email address is on your phone. It will be promptly deleted from the server database once the verification email has been sent. We will not send you any spam or share your email address with anyone.

You can delete GoodID as any other app. Your data will also be deleted from your phone.

Register as many addresses in the app as you like. It is also possible to add different addresses for invoicing and delivery to your profile. The app will choose which one to use at each login according to the service provider’s request.

GoodID works across all major browsers (Chrome, Safari, Edge, Firefox etc.) and operating systems without any plug-ins, add-ins or other solutions. The GoodID app is compatible with iOS 9 and Android 4.3 or above.

Click on GoodID Login to start the login process. The login request will promptly pop up on your mobile screen. Choose what information to share by clicking Login (you can set it to enable PIN or fingerprint authentication at sign-in). The website then signs you in.

Examples

• Log in to an online store with basic information and no additional user authentication.
• Log in to a cloud storage provider with user authentication and no credentials.
• Log in to a blog editor with your nickname and no additional user authentication.
• Log in to your insurance company’s website with verified credentials and user authentication.

Remember:

• In the above examples, user authentication means knowledge-based (PIN) or biometric (fingerprint) authentication.
• The user and the service provider determine the method of user authentication together.
• Even if no user authentication is required, a single-factor (based on something you own) or two-factor authentication process must be completed if you need a passcode, pattern or fingerprint to unlock your phone.

From a user’s perspective, the registration process and the sign-in process are almost identical.

The only difference is that at registration you must first select which profile you would like to sign in with and add further information, if needed.

The GoodID app uses a combination of software and hardware security solutions of varying levels of safety.  Between level 1 and 3, your data is protected by our proprietary SecureBox technology. On level 4, the hardware-based security solutions available in Android (Trusted Execution Environment, TEE) and iOS (Secure Enclave) are also involved. In this case, your keys are stored on hardware instead of SecureBox.

Your phone offers hardware security that GoodID leverages to keep data safe.

A key difference is that GoodID shares sensitive data through a separate channel. With OTP-based authentication, your one-time password and user password are entered through the same interface.

End-to-end security means that GoodID uses an encrypted channel to share your information with service providers. This means that only the service provider has access to the key to decrypt the data you have shared.

If you are logging in from a browser other than your mobile’s, read the QR code and set up browser trust (e.g. if it runs on your PC) in the app after sign-in. This means the following:

1. A secure channel will be created between your browser and your mobile. After that, you will no longer need to read a QR code to sign in from this browser. The login request will automatically be sent to your phone once you have clicked GoodID login. To make the login process even faster, turn on app notifications to receive instant push notifications when signing in.
2. If you use a trusted browser to sign in, you will only receive a request at your first login to a service provider’s website. You will not need your mobile for future logins, because the GoodID server will approve them based on your previous activity. In other words, you will be able to log in with a single click – just as if you had saved your password in your browser.

Be careful about browser trust. For example, you should never trust a browser if you are browsing on a friend’s laptop or in an internet café. You can still log in with GoodID by reading a QR code, while keeping your data safe.

Go to GoodID’s Settings and remove the browser from Trusted browsers.

Yes.

With your phone’s built-in safety features used for unlocking the device (passcode, PIN, pattern, fingerprint, face recognition etc.), your GoodID PIN and some cryptographic keys. When you decide to share your data with a service provider, GoodID uses the most secure encryption algorithms available for data transfer.

If someone can physically access your phone and sign in to the GoodID app (meaning they can unlock your device and also know your PIN, if you have set one), they will be able misuse your data. Remember to set a PIN for singing in to GoodID (Settings → Secure PIN).

You will not be able to sign in with GoodID.

You will not be able to sign in with GoodID.

Set a secure PIN in GoodID (Settings → Secure PIN).

To protect your data as much as possible.

Change your PIN every 3-4 months.

GoodID uses multi-layer security (multi-level encryption) to store your data and re-encrypts every piece of information that you choose to share with a service provider before transfer. This way, only the service provider whose website you have just logged into will receive the information. Plus, all communication is carried out via a TLS secure channel. In other words, data transfers also benefit from multi-layer security.

Our servers are stored in Amazon Cloud Services with multi-level security and added redundancy. Technically, of course, they can still be broken into. In this case, the worst that can happen is that you will have trouble signing in with GoodID. Your data will still be safe as they are not stored on our servers.

Fighting phishing is a core mission of ours. As we have no knowledge of your data, it is impossible for us to share it with anyone.

GoodID asks for a 6-digit PIN or fingerprint to verify users. If your phone supports fingerprint recognition, you can also use your fingerprint to sign in.

Go to Contact on our website to get in touch with us or send an email to hello@goodid.net

As of 2016, electronic identification documents, or eIDs, with an eSignature feature can be used to electronically sign documents. The function can be used free of charge. Signatures made with an eID are recognised as qualified electronic signatures, which offer the highest security level of all e-signatures and are accepted across the European Union.

Make sure to have this function enabled when applying for your eID at a Government Customer Service Desk (Kormányablak). You can apply for an eID for free at any time, even if your current ID hasn’t expired yet.

Remember that your eID’s signing certificate is valid for two years but can be extended at any Government Customer Service Desk. You can easily check the validity of your eID’s signing certificate in the GoodID app: just open the Wallet menu and select your eID to check the icon signalling if the ID’s eSignature function is enabled and the certificate is valid.

To sign a document, click on your eID. On the data sheet, click Sign a document to start the uploading and signing process.

During the application process for your eSignature-enabled eID, you will receive an envelope with a blue border at the Government Customer Service Desk or via post.

In the envelope, you will find a blue card, which contains your PIN code under a scratch-off layer.

Start the activation process either with the help of the relevant function of the eID data sheet or by uploading a document with the GoodID app. If you can’t find your blue card, contact any Government Customer Service Desk. Learn more about eIDs here.

Go to revocation.goodid.net and type in an email address you have already registered and verified in the app. Then follow the steps in the email you receive. If your phone is online, the app will be revoked within 60 minutes of the revocation or suspension request.

Once the app has been deleted or the mobile device has been reset, the information stored and registrations set up in the app can no longer be retrieved due to security reasons.