DocsCredential issuanceJourney patternsEnrolment/Registration

Enrolment journey pattern

This journey pattern is used to verify the identity of users registering/enrolling into a service. It can be embedded into an OID4VCI journey pattern.

Overview

  • Issuance channel: Remote, Unsupervised
  • Device/s: Same-device
  • Formats: mDocs
  • Information assurance level: High
  • Identity assurance level: High

Journey flow

Enrolment journey pattern part 1

Following a link to start the journey

Samantha begins her journey by following a link on her mobile device.

Authenticating with the issuer

Samantha authenticates with the service provider using her existing login details.

Providing supporting identity documents

Samantha must provide supporting identity documents in accordance with the provider regulatory and compliance requirements. These can include a physical copy of the credential they wish to claim (e.g. a driver’s license or national ID) and another type of supporting identity document (e.g. a passport or a birth certificate).

When enrolment is embedded into an OID4VCI journey pattern, this can be achieved using an Interaction hook.

Enrolment journey pattern part 2

Biometric checks

Samantha will provide a facial biometric by scanning her face and completing a liveness check.

When enrolment is embedded into an OID4VCI journey pattern, this can be achieved using an Interaction hook.

Submitting the request

Samantha submits the credential proof, supporting identity documents and facial biometric.

These are all checked against source databases out-of-band to confirm her identity.

Completing enrolment/registration

When verification is completed, the result is sent back to Samantha’s mobile device.

  • If verification is successful, Samantha will now be able to claim digital credentials from this provider (via embedding enrolment into an OID4VCI journey pattern, for example).
  • If verification failed, Samantha must retry or fallback to a manual in-person process.

Architecture

Enrolment architecture

Enrolment initiation

The user begins their journey by using their mobile device to access the provider’s web portal. Their goal is to claim a digital credential based on a physical credential they already hold. The user already has an account with this service provider, so they are able to authenticate themselves and log into the web portal.

Providing documents

The user accesses the enrolment service and is first required to provide some documents:

  • Physical copy of the document/credential they wish to claim as a digital credential (for example a drivers license, national ID or a passport).
  • Supporting documents that can be used to verify their identity (for example a birth certificate, drivers license, national ID or a passport).

The number and type of required documents depends on the regulatory framework the provider must comply with.

Biometric and liveness check

The user then proceeds to performing a biometric check (for example a face scan) combined with a liveness check (ensuring there is a real person performing the interaction).

Assessing submission

Once the user submits their request, the identity verification service must assess all submitted artifacts (e.g. proof of credential ownership, supporting documents, biometric and liveness checks) and compared them with existing user information bound in their database, as well as the provided documents (for example, comparing the portrait image in a passport with the biometric check). The request can then be either approved, rejected or sent for manual assessment.

Issuing credentials

Successful requests are forwarded to a configured MATTR VII tenant who can now issue the requested credentials to the holder using an OID4VCI workflow.

Regulatory frameworks

TDIF

Enrolment workflows must mitigate fraud and impersonation risks by ensuring the provider only enrols legitimate identities, by requiring enough evidence to prove that the identity truly exists.

Different legislation frameworks define the compliance requirements enrolment workflows must meet to be approved, vetted and accredited.

The Trusted Digital Identity Framework is an Australian government accreditation framework for digital identification service.

The TDIF Identity Proofing Level 2+ (IP2+) mandates the enrolling individual meets the following requirements:

  • Provide two identity documents with matching details for verification, proving they relate to the same individual. These can include different combinations of documents from the following categories:
    • Photo ID: Such as an drivers license or a passport. At least one Photo ID must be provided as part of the enrolment workflow.
    • Commencement of Identity (CoI): Such as a birth certificate.
    • Use in The Community (UiTC): Such as a Student ID card.
  • Undergo a biometric check with an integrated liveness check as part of the enrolment process.

Additional resources

Docs

OID4VCI workflow

Tutorial

OID4VCI tutorial

Guides

Issue a credential using OID4VCI
Journey patternsOpenID4VCI