Version 0.9.0
Search
⌃K
Links

6 Functional Requirements

6.1 Identity Registration

The following UML sequence diagram shows a simple classical identity registration followed by issuance of an identity credential.
It could be detailed more around how the registration appointment is taken, how the data reaches the registration server, include creation of token identifiers, manage collection of person consent, determine options for format of the ID credential (physical or digital) and its sending back to the applicant..
Purpose of that diagram is to illustrate the key steps of the process and services involved.
Edit diagram

6.2 Identity Verification

Identity verification can be performed in several ways and based on several inputs depending on various criteria.
For example, Identity verification will be performed according to:
  • Context of identity verification : online, face to face by third party, self identity verification, in the absence of infrastructure and technologies.
  • Capacities given to the individual: having an ID Card, a person Identifier, a password or PIN code, using its biometrics, mobile subscription or smartphone.
  • Status of the individual: can he/she read ? Does he have usable fingerprints ? Is he/she old enough to have an ID Card?
  • Level of trust required: according to sensitivity of the operations, level of assurance required, policies established by the state or by the service provider, multiple factor identity verification.
  • Business constraints: does the use case require to be very fast, touchless, seamless, physical or digital
  • Local laws and regulations: the identity verification could differ according to local regulations and laws which may indicate specific ways to perform identity verification.

6.2.1 Capabilities

Below shown table will list the different capabilities that can be used to perform an identity verification, the Identity & Verification Building Block may use any of them including combination of several of them to verify a person identity.
Capability
Description
Recommended Use
Level of Trust
Requirements for individual or for the Context of Use
Login/
Password
Previously given login/password are typed in a login form to verify person identity
For online access on web site or in mobile application
Medium
(What you KNOW only)
Require the individual to have access to a digital device having network connectivity and sufficient power stability.
Visual physical identity credential identity control
National ID card provided to the individual includes security features allowing to verify the document is genuine and data printed on it allow to know the identity of the individual.
For fast verification in public place, or when there is no digital identity verification available or no connectivity to network
Low
(What you HAVE only)
Having been issued and delivered a physical identity credential.
eID card identity data control
National ID card provided to the individual includes a chip in which its identity information is securely written allowing them to get them and make sure about their authenticity.
For identity verification in face to face control.
Medium
(What you HAVE only)
Having been issued and delivered a physical identity credential with a chip (eID card), having access to a digital identity verification device. No need for network connectivity.
eID card based identity verification
National ID card provided to the individual includes a chip in which its identity information is securely written allowing them to get them and make sure about their authenticity. Those same data can be used for a match versus other information like who the person pretends to be, what is printed on the document or it’s biometrics captured live.
For identity verification in face to face control.
High
(What you HAVE and what you ARE)
Having been issued and delivered a physical identity credential with a chip (eID card), having access to a digital identity verification device which can perform a matching between person attributes and chip stored attributes.
Fingerprint 1:1 matching versus ID credential
The individual live capture fingerprint will be compared to its fingerprint(s) captured during its identity creation.
Those original fingerprints being stored on or within its Identity credential.
For identity verification in face to face control or self-control of identity (ie airport eGates)
High
(What you ARE)
Having been issued and delivered a physical identity credential including a digital ID into a chip (eID card) or in a cryptogram, having access to a digital identity verification device which can perform an ID Credential reading, fingerprint(s) capture and matching with attributes stored in ID credential.
Fingerprint 1:1 matching online
The individual live capture fingerprint will be compared to its fingerprint(s) captured during its identity creation.
The fingerprints are verifiable using an online service.
For identity verification in face to face control or self-control of identity (ie airport eGates)
High
(What you ARE)
Having been registered to a state recognized identity provider, having access to a connected digital identity verification device which can perform fingerprint(s) capture and access to online identity verification services.
Fingerprint recognition
The individual doesn't provide its identity, a search based on its fingerprints is performed against a database of known identities in order to identify him/her.
NOT RECOMMENDED FOR CIVIL USE. This capability is rather to be used for security purposes in criminal or border control systems or secured building access.
High
(What you ARE)
Having been registered (or not) to a state recognized identity database, having access to a connected digital identity verification device which can perform fingerprint(s) capture and access to online identification services.
Facial 1:1 matching versus ID credential
The individual live face capture will be compared to its face captured during its identity creation.
That original face capture may be stored on or within its Identity credential
For identity verification in face to face control or self-control of identity (ie airport eGates)
A face liveness detection is recommended.
High
(What you ARE)
Having been issued and delivered a physical identity credential including a digital ID into a chip (eID card) or in a cryptogram, having access to a digital identity verification device which can perform an ID Credential reading, face capture and matching with attributes stored in ID credential.
Facial 1:1 matching online
The individual live face capture will be compared to its face captured during its identity creation.
The face is verifiable using an online service.
For identity verification in face to face control or self-control of identity (ie airport eGates)
A face liveness detection is recommended.
High
(What you ARE)
Having been registered to a state recognized identity provider, having access to a connected digital identity verification device which can perform face capture and access to online identity verification services.
Facial recognition
The individual doesn't provide its identity, a search based on its face is performed against a database of known identities in order to identify him/her.
NOT RECOMMENDED FOR CIVIL USE. This capability is rather to be used for security purposes in criminal or border control systems or secured building access.
High
(What you ARE)
Having been registered (or not) to a state recognized identity database, having access to a connected digital identity verification device which can perform face capture and access to online identification services.
Iris 1:1 matching versus ID credential
The individual live iris captured will be compared to its iris captured during its identity creation.
That original iris capture may be stored on or within its Identity credential
For identity verification in face to face control or self-control of identity (ie airport eGates)
Liveness detection is recommended.
High
(What you ARE)
Having been issued and delivered a physical identity credential including a digital ID into a chip (eID card) or in a cryptogram, having access to a digital identity verification device which can perform an ID Credential reading, iris capture and matching with attributes stored in ID credential.
Iris 1:1 matching online
The individual live iris capture will be compared to its iris captured during its identity creation.
The iris is verifiable using an online service.
For identity verification in face to face control or self-control of identity (ie airport eGates)
Liveness detection is recommended.
High
(What you ARE)
Having been registered to a state recognized identity provider, having access to a connected digital identity verification device which can perform iris capture and access to online identity verification services.
Iris recognition
The individual doesn't provide its identity, a search based on its iris is performed against a database of known identities in order to identify him/her.
NOT RECOMMENDED FOR CIVIL USE. This capability is rather to be used for security purposes in criminal or border control systems or secured building access.
High
(What you ARE)
Having been registered (or not) to a state recognized identity provider, having access to a connected digital identity verification device which can perform iris capture and access to online identification services.
OTP
The individual needs to type in a form (online or app) a One Time Password (OTP) received from the identity provider.
Can be used when needing to access an online service.
To be used a second factor of authentication, for example with a login password)
High
(What you KNOW and what you HAVE)
Having been registered to a state recognized identity provider, owning a mobile subscription, being in capacity to receive messages (SMS, messaging, email), having access to service provider online services. It is important to acknowledge different patterns of phone ownership (individual, household, community).
Online ID credential matching
The individual will authenticate versus himself its ID credential online.
The process may include biometrics control versus data printed or stored in the Identity credential, together with genuity check of the document using security features and eventually control of document authenticity versus database of issued documents.
Can be used to perform remote on-boarding of persons in services. To be noted it anyway required a face to face on-boarding to enroll for the Identity credential.
Ensuring the document is genuine can be a challenge, unless an ID credential secured chip is involved as part of the process.
High
(What you HAVE, what you ARE, what you WERE)
Owning an ID Credential registered for online services verification, having a connected smartphone eventually capable of reading a chip.
Online PKI based identity verification
The individual uses its identity credential or a digital device to encrypt or sign identity verification data which can then be verified on server side. A PIN code is requested.
Can be used if ,and only if, a specific PKI infrastructure is in place to issue, read and verify online
HIGH
(What I HAVE, what I KNOW)
The individual own an identity credential or a digital device storing personal cryptographic secrets
Behavior based identity verification
The individual is authenticated seamlessly based on its context and behavior following an evaluation of the risk he/she not be himself/herself.
To be used for very frequent access control (i.e. control of office workers) when security and convenience are both importants.
Requires solid on-boarding before.
MEDIUM
(What I DO,
Where I AM)
Having been screened and tracked on normal habits, locations, behaviors to be used for evaluation of fraud risk
Being online.
Token based identity verification (SSO)
The individual has already been authenticated to a third party system allowing him to avoid a new identity verification and reuse the token.
This mechanism is also named Single Sign On (SSO)
To be used for online identity verification is usage of a digital identity
Depends on previous identity verification
Having been previously authenticated by a third party system and obtained a verifiable authentication token.
Verifiable Credential
The individual has shared a verifiable credential to a third party system which allows its identity verification.
Can be used in various contexts online/offline.
Can be related to one or several attributes of Identity.
High
(What you HAVE, what you ARE, what you WERE)
Require an electronic or physical support to verify the credential.
If a verifiable credential can be verified offline, connectivity is required to verify the security chain.
Through this list of capabilities we can see there are numerous but limited options for Identity Verification that can be combined or not, this list allows us to normalize them all into the following inputs for an identity verification:
  1. 1.
    Identifier: identifier referring to a digital retrievable identity which can give access to an individual's attributes for verification. To be noted that several kinds of identifier could be used to refer to the same person, which is particularly important to preserve privacy (see glossary).
  2. 2.
    Set of attributes: attributes provided by the individual or retrieved on/within its Identity credential for purpose of a matching versus a reference (online or ID credential), those attributes can be biographic data, biometrics data or scan of identity evidence.
  3. 3.
    Authentication token: A previous identity verification token can be used for identity verification, this token would allow the current service provider to verify against the authenticating system the genuinity of the token.

6.3 Use Cases

6.3.1 Use Case 1: Identity Enrollment

Enrollment to a National Digital Identity is a sensible process as the created digital identity will be recognized by law and then consequence of its use.
In some countries, it’s possible to enroll a National Digital Identity remotely based on an existing form of identity like for example an ID card. If they are convenient they open the risk for fraud or identity theft.
For all these reasons, it appears that an identity enrollment has to be rolled-out in a face to face proces, with collection of identity attributes being demographic, biometrics or related proof of them.
This process will be developed later, for now we can list its main steps for the face process::
  1. 1.
    Explanation of purpose of process and usage that will be made of data
  2. 2.
    Identity verification: process start by providing evidence of identity (birth certificate, or previous ID card, passport, ..)
  3. 3.
    Collection of demographic data (confirmed with evidences provided)
  4. 4.
    Collection of biometric data including
    1. 1.
      Generally a portrait capture which will be used to visually recognize the person, for example printed on a ID card
    2. 2.
      Sometimes fingerprints and iris are captured for identity deduplication purpose or for further biometric authentication
  5. 5.
    Scan of identity evidences to sustain the identity attributes certification
  6. 6.
    Collection of external identifiers (Birth ID number, Social security card number, ..) to establish links with external pre-existing forms of Identity
  7. 7.
    Verification of the data captured by the individual
  8. 8.
    Consent collection to launch registration process
  9. 9.
    Delivery of a registration number
  10. 10.
    In case Enrollment process be synchronous issuance and delivery of a unique identity number
These are only the steps visible by the individual and the process will pursue within IDV BB notably with following steps:
  1. 1.
    Packing and securing the data (signature & encryption)
  2. 2.
    Transport of data to identity registration system
  3. 3.
    Control of format and origin of data collected to ensure their authenticity
  4. 4.
    Control of eligibility criterias
    1. 1.
      Could include biometrics unicity in case of centralized identity
    2. 2.
      Could include additional checks like nationality, age, (but those ones are not recommended to ensure an inclusive system)
  5. 5.
    Generation of a Unique Identity number
  6. 6.
    Storage of identity data by respecting privacy by design principles
  7. 7.
    Communication of the Unique Identity Number to the individual
  8. 8.
    Eventual issuance of a physical or digital credential
  9. 9.
    Optionally notification of the systems around having subscribed to identity creation events (ie social security, health, finance, education, ..)

6.3.1 Use Case 2: Identity Verification Generic

The following diagram introduces what are the different steps, interactions and stakeholders of generic use cases of identity verification.
The possible inputs being what the capabilities just presented in the Capabilities section and the output being an authentication token.
It’s to be noted that the identity verification is generally a stop point as part of an overall business process which is expecting to perform afterward
  1. 1.
    Control of authorization of the verified identity to access to some services
  2. 2.
    Eventually collection of some attributes related to the identity. After individual consent (managed with Consent Building Block) and under authorization of access to the requesting services provider.
Edit diagram

6.3.2 Use case 3: Cross-Border Recognition of Professional Jobs

As regional member states’ economies become more integrated, the need for cross-border recognition of professional jobs has increased. There is a desire to boost intra-African trade and the African Continental Free Trade Agreement (AfCFTA) seeks to create an integrated market of 1.7 billion consumers by 2030 with an aggregated GDP of up to US$3.4 trillion.
Services are an essential part of integration efforts, as recognized by governments in the context of the African Continental Free Trade Agreement (Mohamed, 2020). Trade in services can help economies achieve more rapid growth, enhance domestic firms’ competitiveness, and promote inclusiveness in terms of skills, gender and the location of economic activity. Trade in services also promotes a more efficient allocation of resources and greater economies of scale. It can lead to an increase in the variety of services available to consumers and producers. Beyond these usual sources of gains, some services sectors have special or unique features that may amplify how an economy can benefit from trade in services. In focus here, services sectors have an outsized impact on factors of production, like labour. For example, the productivity of an economy’s labour force depends on how educated, skilled and healthy it is, attributes which hinge crucially on the quality of that economy’s educational and health systems, as well as the ability to enable cross border exchange of labour.
This use case examines the recognition of high-skilled jobs.
Title
Cross-border recognition of professional jobs as promoted by a regional mutual recognition agreement, focusing on the verification of the professionals’ credentials to enable the crossing at the border.
Description
Facilitate the free movement of certified professionals by streamlining and digitizing the verification processes for cross-border work permits.
In this case, the professional will provide the credential of the work permit (a card, barcode or other credential) and the national digital ID credential. The national digital ID will be verified through biometrics. The work permit is a verifiable credential, issued by the certifying authority and verified by the border control officer. (See verifiable credential as defined by open standard developed in the W3C)
Trigger
Individual travels to border intending to cross for work purposes and provides their work permit credential and national digital ID
Preconditions
Requirements (will vary per country and profession and are only examples):
● Bachelor’s degree in the respective profession.
● Diploma in the respective profession, successful completion of Certification professional course.
● Practicing certificate awarded by the Institute of Certified Professionals body (will existing for each profession)
● Successful application for a job in a neighboring country
● Received a valid work permit and a credential that can be verified by the border control officer
Professional Certificating Register:
● Training institutes from involved countries collect information about their trained professionals that have successfully finished the training and received a diploma/ degree at their institute.
● National Institutes of Certification collects information about professionals that have successfully finished the certified exam and received the certification.
● Establish a regional agreement allowing the sharing of data of professionals for the purpose of transparency and ease of verification.
● Establish data access rules based on a clear need-to-know basis, including consent management for the professional every time the data is being accessed.
Data Input
● The national training institutes capture information about professionals (according to local laws) that successfully finish the education and receive a diploma/ degree at their institute.
● The National Institutes of Certification collects information about professionals that have successfully finished the certified exam and received the certification.
● To achieve a regional technical architecture that facilitates the movement for professionals, there is a need for a regional information exchange that is based on the respective professional bodies (professional certification register).
● This register should indicate: full name, registration number, year of registration, category (profession), practicing status, Continuous Professional Development points earned per annum (this data is for illustration purpose only and needs to be developed with each country).
Actors
Employee, in possession of:
● A professional education verification
● A national digital ID
● Professional certification card
Professional Certification Register (central or federated):
● Managed by a regional agreement and in compliance with the national legal and regulatory requirements
● Has an API function and can be queried.
Certification credential (verified credential):
● Necessary information for authentication purposes made available by the data subject to those with authorization from the relevant regional body. (Incl. offline capacity)
Border control:
● The border control officer validates the individual's identity and purpose for crossing through the digital ID and certification credential.
Action Course
1. A professional with a job contract wants to cross border.
2. Their national ID facilitates their smooth movement across the border as an individual.
3. Their professional certification credential provides information to prove that they have a work permit.
4. The border control authority has permission to verify the validity of their national ID as well as ask for verification of the work permit.
5. Successful border crossing.
6. Professional will practice in the host country as per the domestic laws.
Alternate use*
Two countries have a mutual recognition of both IDs and certification, free movement of labor occurs without the need for a work permit.
The validation takes place with a paper-based work permit.
The validation takes place against a paper-based passport.
Data output
Motivate professionals to register and be certified so they can take advantage of cross border work opportunities.
Increased research and analysis capacity (e.g., how many certified professionals are crossing the border and benefitting from the advantages)
Post conditions
A streamlined certification and registration process resulting in a higher number of registered professionals that benefit from a larger market access and a decrease in unregistered (quacks) operating across the region
Copyright © 2022