
Consideration of Authentication Methods

Identity verification can be performed in several ways and based on several modalities depending on various criteria.

For example, identity verification will be performed according to the:

  • Context of identity verification: online, face-to-face by a third party, self-verification of identity, or in the absence of infrastructure and technologies.

  • Capacities given to the individual: having an ID card, a personal identifier, a password or PIN code, using their biometrics, a mobile subscription, or a smartphone.

  • Status of the individual: can they read? Do they have usable fingerprints? Are they old enough to have an ID card?

  • Level of trust required: according to the sensitivity of the operations, the level of assurance required, the policies established by the state or by the service provider, and whether multi-factor identity verification is needed.

  • Business constraints: does the use case require verification to be very fast, touchless, seamless, physical, or digital?

  • Local laws and regulations: identity verification could differ according to local regulations and laws, which may prescribe specific ways to perform it.

The table below lists the different modalities that can be used to perform an identity verification. The Identity Building Block may use any of them, including a combination of several, to verify a person's identity.

| Modality | Description | Usage | Level of trust | Prerequisites |
| --- | --- | --- | --- | --- |
| Login/Password | A previously issued login and password are typed into a login form to verify the person's identity. | For online access to a web site or in a mobile application. | Medium (What you KNOW only) | Requires the individual to have access to a digital device with network connectivity and sufficiently stable power. |
| Visual physical identity credential control | The national ID card provided to the individual includes security features that allow verifying that the document is genuine; the data printed on it give the identity of the individual. | For fast verification in a public place, or when no digital identity verification is available or there is no network connectivity. | Low (What you HAVE only) | Having been issued and delivered a physical identity credential. |
| eID card identity data control | The national ID card provided to the individual includes a chip in which their identity information is securely written, allowing it to be read and its authenticity confirmed. | For identity verification in face-to-face control. | Medium (What you HAVE only) | Having been issued and delivered a physical identity credential with a chip (eID card), and having access to a digital identity verification device. No need for network connectivity. |
| eID card based identity verification | The national ID card provided to the individual includes a chip in which their identity information is securely written, allowing it to be read and its authenticity confirmed. The same data can be matched against other information: who the person claims to be, what is printed on the document, or their biometrics captured live. | For identity verification in face-to-face control. | High (What you HAVE and what you ARE) | Having been issued and delivered a physical identity credential with a chip (eID card), and having access to a digital identity verification device that can match person attributes against the attributes stored in the chip. |
| Fingerprint 1:1 matching versus ID credential | The individual's live-captured fingerprint is compared with the fingerprint(s) captured at identity creation, the original fingerprints being stored on or within the identity credential. | For identity verification in face-to-face control or self-control of identity (e.g. airport eGates). | High (What you ARE) | Having been issued and delivered a physical identity credential holding a digital ID in a chip (eID card) or in a cryptogram, and having access to a digital identity verification device that can read the ID credential, capture fingerprint(s) and match them with the attributes stored in the credential. |
| Fingerprint 1:1 matching online | The individual's live-captured fingerprint is compared with the fingerprint(s) captured at identity creation. The fingerprints are verifiable using an online service. | For identity verification in face-to-face control or self-control of identity (e.g. airport eGates). | High (What you ARE) | Having been registered with a state-recognized identity provider, and having access to a connected digital identity verification device that can capture fingerprint(s) and access online identity verification services. |
| Fingerprint recognition | The individual does not provide their identity; a search based on their fingerprints is performed against a database of known identities in order to identify them. | NOT RECOMMENDED FOR CIVIL USE. This capability is rather to be used for security purposes in criminal or border control systems or secured building access. | High (What you ARE) | Having been registered (or not) in a state-recognized identity database, and having access to a connected digital identity verification device that can capture fingerprint(s) and access online identification services. |
| Facial 1:1 matching versus ID credential | The individual's live face capture is compared with the face captured at identity creation. The original face capture may be stored on or within the identity credential. | For identity verification in face-to-face control or self-control of identity (e.g. airport eGates). Face liveness detection is recommended. | High (What you ARE) | Having been issued and delivered a physical identity credential holding a digital ID in a chip (eID card) or in a cryptogram, and having access to a digital identity verification device that can read the ID credential, capture the face and match it with the attributes stored in the credential. |
| Facial 1:1 matching online | The individual's live face capture is compared with the face captured at identity creation. The face is verifiable using an online service. | For identity verification in face-to-face control or self-control of identity (e.g. airport eGates). Face liveness detection is recommended. | High (What you ARE) | Having been registered with a state-recognized identity provider, and having access to a connected digital identity verification device that can capture the face and access online identity verification services. |
| Facial recognition | The individual does not provide their identity; a search based on their face is performed against a database of known identities in order to identify them. | NOT RECOMMENDED FOR CIVIL USE. This capability is rather to be used for security purposes in criminal or border control systems or secured building access. | High (What you ARE) | Having been registered (or not) in a state-recognized identity database, and having access to a connected digital identity verification device that can capture the face and access online identification services. |
| Iris 1:1 matching versus ID credential | The individual's live iris capture is compared with the iris captured at identity creation. The original iris capture may be stored on or within the identity credential. | For identity verification in face-to-face control or self-control of identity (e.g. airport eGates). Liveness detection is recommended. | High (What you ARE) | Having been issued and delivered a physical identity credential holding a digital ID in a chip (eID card) or in a cryptogram, and having access to a digital identity verification device that can read the ID credential, capture the iris and match it with the attributes stored in the credential. |
| Iris 1:1 matching online | The individual's live iris capture is compared with the iris captured at identity creation. The iris is verifiable using an online service. | For identity verification in face-to-face control or self-control of identity (e.g. airport eGates). Liveness detection is recommended. | High (What you ARE) | Having been registered with a state-recognized identity provider, and having access to a connected digital identity verification device that can capture the iris and access online identity verification services. |
| Iris recognition | The individual does not provide their identity; a search based on their iris is performed against a database of known identities in order to identify them. | NOT RECOMMENDED FOR CIVIL USE. This capability is rather to be used for security purposes in criminal or border control systems or secured building access. | High (What you ARE) | Having been registered (or not) with a state-recognized identity provider, and having access to a connected digital identity verification device that can capture the iris and access online identification services. |
| OTP | The individual types into a form (online or app) a One Time Password (OTP) received from the identity provider. | Can be used when access to an online service is needed. To be used as a second factor of authentication, for example together with a login/password. | High (What you KNOW and what you HAVE) | Having been registered with a state-recognized identity provider, owning a mobile subscription, being able to receive messages (SMS, messaging, email), and having access to the service provider's online services. It is important to acknowledge different patterns of phone ownership (individual, household, community). |
| Online ID credential matching | The individual authenticates themselves against their ID credential online. The process may include a biometric check against data printed on or stored in the identity credential, together with a genuineness check of the document using its security features and possibly a check of document authenticity against the database of issued documents. | Can be used for remote on-boarding of persons into services. Note that it still requires a face-to-face on-boarding to enroll for the identity credential. Ensuring the document is genuine can be a challenge unless the ID credential's secure chip is involved in the process. | High (What you HAVE, what you ARE, what you WERE) | Owning an ID credential registered for online verification services, and having a connected smartphone, possibly capable of reading a chip. |
| Online PKI based identity verification | The individual uses their identity credential or a digital device to encrypt or sign identity verification data, which is then verified on the server side. A PIN code is requested. | Can be used if, and only if, a specific PKI infrastructure is in place to issue, read and verify online. | High (What you HAVE, what you KNOW) | The individual owns an identity credential or a digital device storing personal cryptographic secrets. |
| Behavior based identity verification | The individual is authenticated seamlessly based on their context and behavior, following an evaluation of the risk that they are not who they claim to be. | To be used for very frequent access control (e.g. control of office workers) when security and convenience are both important. Requires solid on-boarding beforehand. | Medium (What you DO, where you ARE) | Having been screened and tracked on normal habits, locations and behaviors, which are used to evaluate the risk of fraud while online. |
| Token based identity verification (SSO) | The individual has already been authenticated by a third-party system, which allows them to avoid a new identity verification by reusing the token. This mechanism is also named Single Sign On (SSO). | To be used for online identity verification when a digital identity is in use. | Depends on the previous identity verification | Having been previously authenticated by a third-party system and obtained a verifiable authentication token. |
| Verifiable Credential | The individual has shared a verifiable credential with a third-party system, which allows their identity verification. | Can be used in various contexts, online or offline. Can relate to one or several attributes of identity. | High (What you HAVE, what you ARE, what you WERE) | Requires an electronic or physical support to verify the credential. Even if a verifiable credential can be verified offline, connectivity is required to verify the security chain. |
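The OTP row above names the delivery channels and the factor combination, but not what the identity provider has to do on its own side for a delivered code to deserve a "High" rating. The Go program below is an added example, not code from the GovStack specification or its reference implementations; it shows the server-side lifecycle of an OTP: generation from the OS CSPRNG, storing only a salted hash rather than the code, an expiry, an attempt limit, single use, and a constant-time comparison. The code length (6 digits), lifetime and attempt limit are constructed values, not figures from the specification.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed tunables for the example; the spec does not fix these values.
const (
	otpDigits   = 6
	otpLifetime = 5 * time.Minute
	maxAttempts = 3
)

var (
	ErrExpired  = errors.New("otp expired")
	ErrLocked   = errors.New("too many failed attempts")
	ErrUsed     = errors.New("otp already used")
	ErrMismatch = errors.New("otp mismatch")
)

// otpRecord is what the identity provider keeps after sending the code to the
// individual's registered channel (SMS, messaging, email). The clear-text code
// is never stored: only a per-record salt and the hash of salt||code.
type otpRecord struct {
	salt     []byte
	hash     []byte
	expires  time.Time
	attempts int
	used     bool
}

// hashOTP binds the code to a per-record salt so a leaked store cannot be
// reversed with a precomputed table of all 10^otpDigits codes.
func hashOTP(salt []byte, code string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(code))
	return h.Sum(nil)
}

// generateOTP draws a uniformly random numeric code from the OS CSPRNG and
// returns the code to deliver plus the record to keep server-side.
func generateOTP(now time.Time) (string, *otpRecord, error) {
	limit := new(big.Int).Exp(big.NewInt(10), big.NewInt(otpDigits), nil)
	n, err := rand.Int(rand.Reader, limit) // unbiased, unlike "random % limit"
	if err != nil {
		return "", nil, err
	}
	code := fmt.Sprintf("%0*d", otpDigits, n.Int64())
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", nil, err
	}
	rec := &otpRecord{salt: salt, hash: hashOTP(salt, code), expires: now.Add(otpLifetime)}
	return code, rec, nil
}

// verifyOTP checks a submitted code. Reuse, lockout and expiry are rejected
// before comparing; every attempt is counted; the comparison is constant-time
// so response timing does not reveal how many digits matched.
func verifyOTP(rec *otpRecord, submitted string, now time.Time) error {
	switch {
	case rec.used:
		return ErrUsed
	case rec.attempts >= maxAttempts:
		return ErrLocked
	case now.After(rec.expires):
		return ErrExpired
	}
	rec.attempts++
	if subtle.ConstantTimeCompare(rec.hash, hashOTP(rec.salt, submitted)) != 1 {
		return ErrMismatch
	}
	rec.used = true // a code that verified once is never accepted again
	return nil
}

// flipLastDigit produces a code that is guaranteed wrong, for demonstrations.
func flipLastDigit(code string) string {
	last := code[len(code)-1]
	return code[:len(code)-1] + string('0'+(last-'0'+1)%10)
}

func main() {
	now := time.Now()
	code, rec, err := generateOTP(now)
	if err != nil {
		panic(err)
	}
	fmt.Println("deliver to registered channel:", code) // never logged in production
	fmt.Println("wrong code:", verifyOTP(rec, flipLastDigit(code), now))
	fmt.Println("right code:", verifyOTP(rec, code, now))
	fmt.Println("replayed  :", verifyOTP(rec, code, now))
}
```

The attempt limit is what keeps a six-digit code from being guessed: with three tries a guess succeeds with probability 3/10^6, which only holds if the counter is enforced server-side and the record is discarded after expiry or first use.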

Through this list of capabilities we can see that there are numerous but limited options for identity verification, which may or may not be combined. This list allows us to normalize them all into the following inputs for an identity verification:
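The "Online PKI based identity verification" row states that the credential or device signs identity verification data that is then verified on the server side, with a PIN requested. As an added example, not code from the specification, here is a minimal challenge-response in Go: the verifier issues a random nonce bound to the relying party, the credential signs it with ECDSA P-256, and the verifier checks the signature against the key enrolled for that identifier, the challenge's expiry, and that the challenge is consumed on first use. The relying-party name, the challenge lifetime and the in-memory key pair (standing in for a chip-held key that the PIN unlocks) are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Constructed values; the spec does not prescribe them.
const (
	relyingParty      = "service.example" // audience bound into every challenge
	challengeLifetime = 2 * time.Minute
)

var (
	ErrUnknownChallenge = errors.New("unknown or already consumed challenge")
	ErrChallengeExpired = errors.New("challenge expired")
	ErrUnknownSubject   = errors.New("no key enrolled for this identifier")
	ErrBadSignature     = errors.New("signature does not verify")
)

// challenge is issued by the verifier and must be signed by the credential.
type challenge struct {
	Nonce    []byte
	Audience string
	Expires  time.Time
}

// verifier is the server side: keys enrolled at identity creation and the
// outstanding challenges, keyed by nonce and deleted once consumed.
type verifier struct {
	enrolled   map[string]*ecdsa.PublicKey
	challenges map[string]challenge
}

func newVerifier() *verifier {
	return &verifier{enrolled: map[string]*ecdsa.PublicKey{}, challenges: map[string]challenge{}}
}

// newCredentialKey stands in for the key pair created on the card or device at
// enrolment; on a real chip the private half never leaves it (assumption).
func newCredentialKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// enroll records the public half under the individual's identifier.
func (v *verifier) enroll(id string, pub *ecdsa.PublicKey) { v.enrolled[id] = pub }

// issueChallenge creates a fresh 256-bit nonce bound to this relying party.
func (v *verifier) issueChallenge(now time.Time) (challenge, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return challenge{}, err
	}
	c := challenge{Nonce: nonce, Audience: relyingParty, Expires: now.Add(challengeLifetime)}
	v.challenges[string(nonce)] = c
	return c, nil
}

// digest covers nonce and audience, so a signature for one service cannot be relayed to another.
func digest(c challenge) []byte {
	h := sha256.New()
	h.Write(c.Nonce)
	h.Write([]byte(c.Audience))
	return h.Sum(nil)
}

// signChallenge is the credential side; on a card the PIN unlocks this operation.
func signChallenge(priv *ecdsa.PrivateKey, c challenge) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(c))
}

// verifyResponse consumes the challenge (one attempt, success or not), then checks
// expiry, enrolment of id, and the signature against the stored copy of the challenge.
func (v *verifier) verifyResponse(id string, c challenge, sig []byte, now time.Time) error {
	stored, ok := v.challenges[string(c.Nonce)]
	if !ok {
		return ErrUnknownChallenge
	}
	delete(v.challenges, string(c.Nonce))
	pub, enrolled := v.enrolled[id]
	switch {
	case now.After(stored.Expires):
		return ErrChallengeExpired
	case !enrolled:
		return ErrUnknownSubject
	case !ecdsa.VerifyASN1(pub, digest(stored), sig):
		return ErrBadSignature
	}
	return nil
}

func main() {
	v := newVerifier()
	priv, err := newCredentialKey()
	if err != nil {
		panic(err)
	}
	v.enroll("person-1", &priv.PublicKey) // done at the face-to-face enrolment
	c, _ := v.issueChallenge(time.Now())
	sig, _ := signChallenge(priv, c)
	fmt.Println("first response:", v.verifyResponse("person-1", c, sig, time.Now()))
	fmt.Println("replay        :", v.verifyResponse("person-1", c, sig, time.Now()))
}
```

Two details carry the security of the scheme: the verifier signs off only against its own stored copy of the challenge, never against fields the client sends back, and the challenge is deleted before any check runs, so a failed or replayed response cannot be retried against the same nonce.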

  1. Identifier: an identifier referring to a digitally retrievable identity that can give access to an individual's attributes for verification. It is noted that several kinds of identifiers could be used to refer to the same person, which is particularly important to preserve privacy (see glossary).

  2. Set of attributes: attributes provided by the individual or retrieved from their identity credential for the purpose of matching against a reference (online or on the ID credential); those attributes can be biographic data, biometric data, or a scan of identity evidence.

  3. Authentication token: a token from a previous identity verification can be used for identity verification; this token allows the current service provider to verify the genuineness of the token against the authenticating system.
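Input 3 and the SSO row both rest on the service provider being able to verify that a token really was issued by the authenticating system, and the SSO row rates the result as depending on the previous verification. The Go program below is an added example and not a token format the specification prescribes: the authenticating system issues a token carrying subject, issuer, audience, expiry and the level of assurance reached, protected by HMAC-SHA256 under a secret shared with the relying service, and the relying service verifies the MAC before decoding any claim, then checks expiry, issuer and audience. The claim names, the issuer and service names and the shared secret are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// claims is the content of the token. Constructed for this example; the spec
// does not prescribe a token format.
type claims struct {
	Subject  string `json:"sub"` // identifier of the authenticated individual
	Issuer   string `json:"iss"` // the third-party system that authenticated them
	Audience string `json:"aud"` // the service this token is meant for
	Expires  int64  `json:"exp"` // Unix seconds
	Level    string `json:"loa"` // level of assurance reached at the original verification
}

var (
	ErrMalformed    = errors.New("malformed token")
	ErrBadMAC       = errors.New("token signature does not verify")
	ErrTokenExpired = errors.New("token expired")
	ErrWrongIssuer  = errors.New("token issued by an unexpected system")
	ErrWrongAud     = errors.New("token not meant for this service")
)

var enc = base64.RawURLEncoding

// mac computes HMAC-SHA256 over the encoded payload with the secret shared by
// the authenticating system and the relying service.
func mac(secret []byte, payload string) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(payload))
	return m.Sum(nil)
}

// issueToken is the authenticating system's side: base64url(claims) "." base64url(tag).
func issueToken(secret []byte, c claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	payload := enc.EncodeToString(body)
	return payload + "." + enc.EncodeToString(mac(secret, payload)), nil
}

// verifyToken is the relying service's side. The tag is checked with a
// constant-time comparison before the payload is decoded, so no claim is
// trusted from a token the authenticating system did not produce.
func verifyToken(secret []byte, token, wantIssuer, wantAudience string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, ErrMalformed
	}
	tag, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, ErrMalformed
	}
	if !hmac.Equal(tag, mac(secret, parts[0])) {
		return nil, ErrBadMAC
	}
	body, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, ErrMalformed
	}
	var c claims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, ErrMalformed
	}
	switch {
	case now.Unix() >= c.Expires:
		return nil, ErrTokenExpired
	case c.Issuer != wantIssuer:
		return nil, ErrWrongIssuer
	case c.Audience != wantAudience:
		return nil, ErrWrongAud
	}
	return &c, nil
}

func main() {
	secret := []byte("constructed-shared-secret") // provisioned out of band in practice
	now := time.Now()
	tok, _ := issueToken(secret, claims{Subject: "person-1", Issuer: "idp.example",
		Audience: "service.example", Expires: now.Add(time.Hour).Unix(), Level: "high"})
	c, err := verifyToken(secret, tok, "idp.example", "service.example", now)
	fmt.Println("valid token   :", err, c != nil && c.Level == "high")
	_, err = verifyToken(secret, tok, "idp.example", "other.example", now)
	fmt.Println("wrong audience:", err)
	_, err = verifyToken(secret, "x"+tok, "idp.example", "service.example", now)
	fmt.Println("tampered      :", err)
}
```

The audience check is what stops a token obtained from one service being presented to another, and the `loa` claim is how the relying service learns which modality from the table the original verification used, which is the only basis it has for the "depends on the previous identity verification" trust level.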
