mDocs remote verification journey pattern

This journey pattern is used to verify an mDoc remotely via an online verification workflow, as per ISO/IEC 18013-7:2024 and OID4VP.

Overview

  • Issuance channel: Remote, unsupervised
  • Device/s: Same-device / Cross-device
  • Formats: mDocs
  • Information assurance level: High
  • Identity assurance level: High

Journey flow - Same-device

Figure: mDocs remote verification journey pattern, part 1

Mobile device online interaction

Samantha interacts with a website on her mobile device browser.

Credential request

Samantha is asked to present a birth certificate. In the request she can see:

  • Why this information is required.
  • Whether or not the verifier is trusted in this trust network and is allowed to request this type of information.

Invoking a digital wallet

Samantha is redirected to a wallet that is installed on the same mobile device.

Figure: mDocs remote verification journey pattern, part 2

Authenticating with the wallet

The wallet authenticates Samantha.

Sharing credentials

Samantha is presented with the following information:

  • What credentials she is about to share.
  • What information from those credentials will be shared.

She can then provide consent to sharing that information with the verifier.

Redirect back to the website

Samantha is redirected back to her browser where the verification results are displayed and she can continue with the interaction accordingly.

Architecture - Same-device

Figure: Enrolment architecture

Interacting with the website

The user is using a web browser on their mobile device to access a website.

Requesting a credential for verification

On that website, they engage in an interaction that requires them to present a credential for verification.

The credential request is created by the MATTR Pi Verifier Web SDK, which is embedded into the webpage. First, the Verifier Web SDK makes a request to a configured MATTR VII verifier tenant. That request defines what credentials and claims are required for verification.

The MATTR VII verifier tenant is configured with the following:

  • What domains it can accept requests from.
  • What workflows it supports (e.g. same-device and/or cross-device).
  • What wallet applications it can interact with.
  • How to invoke these supported wallet applications.

Based on the above, the MATTR VII verifier tenant responds with a link that is used by the Verifier Web SDK to redirect the user from their web browser and invoke the matching digital wallet installed on their mobile device.

Presenting request details to the user

Once the wallet is launched, it authenticates the user and interacts with the MATTR VII tenant to retrieve and display the request details to the user:

  • What credentials are requested.
  • What claims from the credentials are requested.
  • Whether the relying party is vetted by the digital trust service (DTS), and whether they are allowed to request this type of information.
  • What matching credentials are available and can be shared with the verifier.

Based on that information, the user can choose to proceed with the verification workflow and share the required information with the verifier.

Verifying the credential

The MATTR VII verifier tenant verifies the shared credentials to validate that:

  • The information has not been tampered with.
  • The credential has not been revoked or suspended.
  • The credential has not expired.
  • The credential was issued by a trusted issuer (based on information retrieved from the DTS).

Displaying verification results

The MATTR VII verifier tenant shares the verification results with the Verifier Web SDK, which redirects the user back to their browser where they can continue the interaction.

The MATTR VII verifier tenant can also be configured to share the verification results with a configured back-end rather than the front-end directly.

Journey flow - Cross-device

Figure: mDocs remote verification journey pattern, part 1

Desktop online interaction

Samantha opens a website on a web browser on her laptop.

Credential request

Samantha is asked to present a birth certificate. In the request she can see:

  • Why this information is required.
  • Whether or not the verifier is trusted in this trust network and is allowed to request this type of information.

Scanning a QR code

Samantha scans a QR code using a separate mobile device, on which she has a wallet that holds a birth certificate digital credential.

Invoking a digital wallet

Samantha is redirected to an app that is installed on the same mobile device she used to scan the QR code.

Figure: mDocs remote verification journey pattern, part 2

Authenticating with the wallet

The wallet authenticates Samantha.

Sharing credentials

Samantha is presented with the following information:

  • What credentials she is about to share.
  • What information from those credentials will be shared.

She can then provide consent to sharing that information with the verifier.

Returning to the desktop to complete the interaction

Verification results are displayed in Samantha’s laptop browser, and she can continue with the interaction accordingly.

Architecture - Cross-device

Figure: Enrolment architecture

Interacting with the website

The user is using a web browser on their desktop to access a website.

Requesting a credential for verification

On that website, they engage in an interaction that requires them to present a credential for verification.

The credential request is created by the MATTR Pi Verifier Web SDK, which is embedded into the webpage. First, the Verifier Web SDK makes a request to a configured MATTR VII verifier tenant. That request defines what credentials and claims are required for verification.

The MATTR VII verifier tenant is configured with the following:

  • What domains it can accept requests from.
  • What workflows it supports (e.g. same-device and/or cross-device).
  • What wallet applications it can interact with.
  • How to invoke these supported wallet applications.

Based on the above, the MATTR VII verifier tenant responds with a link that is rendered as a QR code by the Verifier Web SDK.

The user then scans that QR code with a mobile device, which invokes a matching digital wallet.
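
The acceptance checks a verifier tenant applies before returning a wallet link, in both the same-device and cross-device architectures, sketched as an added example. This is not MATTR code; the configuration shape, field names and URLs are assumptions.

```javascript
// Hypothetical tenant configuration (constructed; not MATTR's schema).
const tenantConfig = {
  allowedOrigins: ['https://portal.example.gov'],
  workflows: ['same-device', 'cross-device'],
  wallets: { 'example-wallet': { invokeUrl: 'https://wallet.example/verify' } },
};

// Decide whether a credential request may proceed and how the wallet is invoked.
// `req` = { origin, workflow, walletId, sessionId } (all assumed field names).
function handleRequest(config, req) {
  let origin;
  try {
    // Normalize to scheme + host + port and compare exactly. Substring or
    // suffix matching would accept lookalike hosts.
    origin = new URL(req.origin).origin;
  } catch {
    return { ok: false, reason: 'malformed origin' };
  }
  if (!config.allowedOrigins.includes(origin)) {
    return { ok: false, reason: 'origin not allowed' };
  }
  if (!config.workflows.includes(req.workflow)) {
    return { ok: false, reason: 'workflow not supported' };
  }
  // Own-property lookup so keys such as "constructor" never resolve.
  const known = Object.prototype.hasOwnProperty.call(config.wallets, req.walletId);
  if (!known) return { ok: false, reason: 'wallet not supported' };
  const base = config.wallets[req.walletId].invokeUrl;
  const link = `${base}?session=${encodeURIComponent(req.sessionId)}`;
  // Same-device: the SDK redirects the browser to the link.
  // Cross-device: the SDK renders the same link as a QR code.
  const presentAs = req.workflow === 'same-device' ? 'redirect' : 'qr';
  return { ok: true, link, presentAs };
}
```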

Presenting request details to the user

Once the wallet is launched, it authenticates the user and interacts with the MATTR VII tenant to retrieve and display the request details to the user:

  • What credentials are requested.
  • What claims from the credentials are requested.
  • Whether the relying party is vetted by the digital trust service (DTS), and whether they are allowed to request this type of information.
  • What matching credentials are available and can be shared with the verifier.

Based on that information, the user can choose to proceed with the verification workflow and share the required information with the verifier.

Verifying the credential

The MATTR VII verifier tenant verifies the shared credentials to validate that:

  • The information has not been tampered with.
  • The credential has not been revoked or suspended.
  • The credential has not expired.
  • The credential was issued by a trusted issuer (based on information retrieved from the DTS).

Displaying verification results

The MATTR VII verifier tenant shares the verification results with the Verifier Web SDK. These results are then displayed to the user on their desktop browser, allowing them to continue the interaction.

The MATTR VII verifier tenant can also be configured to share the verification results with a configured back-end rather than the front-end directly.
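
An added example (not MATTR code) of a relying-party back-end that receives the verification results, as described for both architectures, and accepts only when each of the four listed validations is explicitly confirmed for every requested credential. The result shape, check names and claim names are assumptions.

```javascript
// Check names mirror the four validations listed above (names are assumptions).
const REQUIRED_CHECKS = ['notTampered', 'notRevokedOrSuspended', 'notExpired', 'trustedIssuer'];

// `requested` maps a credential type to the claims the verifier asked for.
// `result` is a hypothetical payload delivered to the back-end.
function gate(result, requested) {
  const failures = [];
  const presented = Array.isArray(result && result.credentials) ? result.credentials : [];
  for (const [type, claims] of Object.entries(requested)) {
    const cred = presented.find((c) => c && c.type === type);
    if (!cred) { failures.push(`${type}: not presented`); continue; }
    for (const check of REQUIRED_CHECKS) {
      // Fail closed: only an explicit boolean true passes. A missing field,
      // "unknown", or a truthy string such as "false" counts as a failure.
      if (!cred.checks || cred.checks[check] !== true) failures.push(`${type}: ${check}`);
    }
    const got = cred.claims && typeof cred.claims === 'object' ? cred.claims : {};
    for (const claim of claims) {
      if (!Object.prototype.hasOwnProperty.call(got, claim)) {
        failures.push(`${type}: missing claim ${claim}`);
      }
    }
  }
  return { accept: failures.length === 0, failures };
}

// Constructed sample inputs.
const requested = { birth_certificate: ['given_name', 'birth_date'] };
const goodResult = { credentials: [{ type: 'birth_certificate',
  checks: { notTampered: true, notRevokedOrSuspended: true, notExpired: true, trustedIssuer: true },
  claims: { given_name: 'Samantha', birth_date: '1990-01-01' } }] };
const weakResult = { credentials: [{ type: 'birth_certificate',
  checks: { notTampered: true, notRevokedOrSuspended: 'unknown', notExpired: true },
  claims: { given_name: 'Samantha' } }] };
```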
