Overview 

The IDEMIA Verify Product Suite is a touchless solution for authenticating a person’s identity credential during in-person identity verification. It removes the possibility of human error due to missed visual irregularities by employing a cryptographically secure and trustworthy machine-oriented mechanism.

The IDEMIA Verify Product Suite consists of the following:

  • The IDEMIA Mobile ID Verify App

    A ready-to-use mobile app, available on both iOS and Android from their respective app store, for verifying a person’s identity. The verification outcome is displayed in the app on the verifier’s device. The verification transaction can only take place after the digital credential holder approves the request to share their identity attributes.

  • The IDEMIA Verify SDKs

    A set of SDKs that can be integrated with an existing application on mobile (Android, iOS) and desktop platforms (Windows). The SDK allows you to configure your preferred user experience design while leveraging all the functionalities of IDEMIA Verify.

Note: The engagement between the IDEMIA Mobile ID Verify App and the IDEMIA Mobile ID App is conducted device-to-device. That is, devices running the IDEMIA Mobile ID Verify App or any other app using the IDEMIA Verify SDKs, and devices running the IDEMIA Mobile ID App or any other ISO 18013-5 digital driver license app, do not need an internet connection to perform verification.


Key Features:

Below are some of the key features offered by the IDEMIA Verify Product Suite:

  • In-person verification capabilities.
  • Agnostic credential method detection.
  • Custom attribute request templates.
  • Dynamic display of credential holder’s attributes.
  • Dedicated help resources.
  • Forced app upgrade.
  • Designed to ensure security at all times.
  • Personally identifiable information (PII) is never stored on the verifying device or in the cloud.
  • Completely touchless machine-to-machine (M2M) design.
  • No internet connection needed.

SDK Package 

Components 

The IDEMIA Verify Product Suite consists of a set of SDKs, including documentation and their APIs, that can be implemented within an existing application on mobile and desktop platforms. The IDEMIA Verify SDKs are available for integration on Android, iOS, and Windows.


Package Items 

The IDEMIA Verify SDK package contains the following items:

  • Verify SDK library

  • Verify SDK header files

  • Verify SDK library dependencies

  • Other dependent libraries

  • Sample app for immediate use to test verifications

  • Source code for the sample app as a starting point for a new project

APIs are for devices that fit the following requirements:
  • must have a working camera

  • must support BLE (Bluetooth Low Energy)

Exposed APIs

Note: The IDEMIA Verify SDKs have exposed APIs that are described in more detail in the related SDK documentation for each platform located on the IDEMIA Developer's Portal at: Verify SDKs.

Platforms & Devices 

The IDEMIA Verify SDKs are designed to build custom applications or to integrate into existing applications for the operating systems below and their corresponding devices. Integrations are supported for PC Windows, Macintosh, and Android.

Android SDK

Supported devices: supports Android smartphones 9.x or newer, except the discontinued Samsung Galaxy S5.

Skills required: developers must have knowledge of the Android operating system and Kotlin.

Resources required: you will need the following tools to use the SDK on an Android:

  • Android Studio 3 or above

  • Android SDK tools: preferred latest version (release 24 or above)

  • JDK: preferred latest version (7 or above)

  • Android device (emulator is not supported)

  • Minimum SDK version is 21 (Android 5.0)

iOS SDK 

Supported devices: supports Apple smartphones iOS 15.x to 17.x, except the discontinued Apple iPhone 5S.

Skills required: developers must have knowledge of:

  • iOS frameworks built in Xcode 15.1 or higher
  • Swift 5.0 or higher
  • Mac OS 14.1 or higher
  • SwiftCBOR - pod 'SwiftCBOR'

Resources required: you will need the following to use the SDK on a Macintosh:

  • Xcode 15.1 or above

  • iOS SDK tools: release 15 or above (preferably latest version)

  • Physical iOS device (simulator is not supported)

Permissions required: you will need to set the following permissions in the app info.plist file:

  • Privacy - Bluetooth Always Usage Description

  • Privacy - Bluetooth Peripheral Usage Description

  • Privacy - Camera Usage Description

  • Privacy - NFC Usage Description

Windows SDK 

Supported devices: supports Windows smartphones 10.x or newer.

Skills required: developers must have knowledge of:

  • C#

  • UWP framework ver#16299 and above in Visual Studio 2017 and above

Resources required: you will need the following to use the SDK on a Windows PC:

  • Windows 10 v1703 or higher
  • Visual Studio 2017
  • Webcam on PC
  • Bluetooth on PC
  • For testing the SDK, a smartphone (iOS/Android) with the Mobile ID App application

IDEMIA Mobile ID Verify App 

Introduction 

The IDEMIA Mobile ID Verify ID App is designed to offer secure, offline, and in-person verification capabilities with a focus on the following:

  • a modern end-user interface with friendly instructional screens

  • minimalistic attribute field names to emphasize the attribute values

  • at-a-glance age, trust level, and status icons with configurable thresholds

  • in-app user guides for instant support

Figure 1. The IDEMIA Mobile ID Verify App with configurable age verification example.

Note: this user experience is only available with the IDEMIA branded app.


Platforms & Devices 

The IDEMIA Mobile ID Verify App is designed for use on smartphones. Below are some platform-specific considerations for operation:

Android

Supports Android smartphones Android 9.x or newer, except the discontinued Samsung Galaxy S5.

iOS

Supports Apple smartphones iOS 15.x to 17.x, except the discontinued Apple iPhone 5S.


Set Up the Mobile ID Verify App 

This section provides instructions for setting up the IDEMIA Mobile ID Verify App on a smartphone. To set up the app on an Android or iOS device, complete the following steps:

  1. Download and install the IDEMIA Mobile ID Verify App for your Android or iOS device.

  2. Launch the app by tapping the Mobile ID Verify icon.

  3. Tap I agree to the above to accept the terms of use and privacy statement, and to grant the app access to the camera and Bluetooth.

Figure 2. Permissions screen example.

Note: The IDEMIA Mobile ID Verify App uses the device's camera to scan barcodes, and Bluetooth Low Energy (BLE) to communicate with and transfer data from devices with the IDEMIA Mobile ID App.


Identity Verification 

Overview

The IDEMIA Mobile ID Verify App employs machine-to-machine (M2M) communication, allowing for fast, secure, and completely touchless verification of the user's credential. The verifier does not hold or touch the physical ID or the smartphone containing the digital credential at any time during the verification process.

The IDEMIA Mobile ID Verify App offers three methods to verify a credential holder's identity:

  • Scanning a QR code with BLE for data transfer
  • Scanning a PDF417 barcode
  • Scanning a QR code and portrait (Optical Inspection)

All verification methods are for offline and in-person transactions and support verification on: a physical ID, Digital ID, or both.

| Methods | Physical ID | Digital Credential |
| --- | --- | --- |
| QR Code with BLE | No | Yes |
| PDF417 Barcode | Yes | Yes |
| Optical Inspection | No | Yes |

Identity Verification Methods

Method 1: QR code with BLE for data transfer verification

The IDEMIA Mobile ID App generates an ISO 18013-based QR code that allows engagement with the Mobile ID credential holder's device. The IDEMIA Mobile ID Verify App reads the QR code and triggers a data transfer using Bluetooth Low Energy (BLE). The results of the scan are displayed on the verifier's device after the credential holder approves the request.

Below are the steps to complete an ISO QR + BLE verification:

  1. The Mobile ID credential holder opens their IDEMIA Mobile ID App on their smartphone, and selects Share ID to display a QR code for the verifier to scan.

    Figure 3. End-user shares QR code.

    Note: This QR code is generated in the Mobile ID App and adheres to the international standard for mobile IDs, ISO 18013.

  2. The verifier opens the IDEMIA Mobile ID Verify App and the home screen displays a welcome screen with instructions.

    Figure 4. Opening the IDEMIA Mobile ID Verify App

  3. The verifier taps the I'm ready to scan button.

  4. The verifier scans the QR code on the Mobile ID credential holder's device, aligning the code to the center of the on-screen frame.

  5. When the QR code properly aligns within the frame, the IDEMIA Mobile ID Verify App automatically captures the image of the QR code. This triggers the BLE engagement with the Mobile ID credential holder's device.

    Figure 5. Scanning the QR Code Example.

  6. If the scan is successful, the IDEMIA Mobile ID Verify App automatically communicates with the Mobile ID App over Bluetooth Low Energy (BLE) (i.e., without requiring a pairing process).

    Figure 6. Device engagement example.

  7. The verifying device sends a request for attributes to the Mobile ID credential holder's device. The Mobile ID credential holder will see a message on their Mobile ID App screen.

  8. The request will list the attributes requested by the verifier.

  9. Mobile ID credential holder will be prompted to Accept sharing or Decline the transaction.

  10. Once the Mobile ID credential holder accepts the request for their attributes, the attributes transfer via Bluetooth (BLE) to the verifier's device is initiated.

    • If the data is successfully received, the attributes requested from the Mobile ID App are displayed on the verifier's device.

    Figure 7. Receiving data example.

    • If the Mobile ID credential is authenticated, a banner displays at the top of the screen: MOBILE ID AUTHENTICATED.

    Figure 8. Mobile ID Authenticated results.

    • The screen also displays a circle indicating that the Mobile ID credential holder is above or below a certain age threshold. This eliminates the need for displaying the entire date of birth.

    Figure 9. Results screen example.

    • If the Mobile ID credential is not verified, the screen displays a banner: MOBILE ID NOT AUTHENTICATED.

    Figure 10. Mobile ID Credential not authenticated example.

  11. The verifier can tap the X in the upper left corner to return to the scan mode and initiate the next credential verification, or the DONE button to navigate back to the home screen.

    Figure 11. Mobile ID Verify app results screen


Method 2: Scan a PDF417 barcode

The IDEMIA Mobile ID Verify App offers the capability to scan the PDF417 barcode on a physical ID or a Digital ID that is rendered in the IDEMIA Mobile ID App. Scanning the barcode allows the end-user's identity attributes to be seen on the verifier device.

Below are the steps to complete a PDF417 barcode scan verification:

  1. The verifier opens the IDEMIA Mobile ID Verify App and the home screen displays the I'm ready to scan button.

  2. The credential holder can either:

    a). open the IDEMIA Mobile ID App on their smartphone and display the PDF417 barcode;

    b). or present their physical ID with the PDF417 barcode for the verifier to scan.

    Figure 12. PDF417 presentation example.

  3. The verifier taps the I'm ready to scan button.

  4. The verifier aims their rear-facing camera at the PDF417 barcode, aligning it so that it's centered over the PDF417 barcode.

  5. When the PDF417 barcode properly aligns within the frame, the IDEMIA Mobile ID Verify App automatically reads the data from the PDF417 barcode.

    Figure 13. PDF417 scanning example

  6. The verifier can view the results on their device.

  7. The verifier taps the X in the upper left hand corner or the Done button to clear the results from the screen. These actions delete all data so that the verifying device is ready to perform the next verification.


Method 3: Optical Inspection of QR code

This verification capability allows the Mobile ID Verify App to scan a portrait and QR code displayed on the Mobile ID App using the Biometric Capture SDK for image processing and matching.

Note: The encrypted digital representation of the portrait provides a security mechanism to ensure that a different photo has not been laid over the end-user’s photo.

Below are the steps to verify identity credentials using Optical Inspection:

  1. The verifier scans the digital holder's optical inspection portrait and QR code.

    Figure 14: Optical Inspection screen on Mobile ID App with sample portrait and QR code

  2. The QR code contains all fields for the transaction and a secure, encrypted digital representation of the portrait associated with the Mobile ID credential. A biometric template is used to compare the captured portrait with the end-user’s credential. The biometric template contains facial recognition data, such as the distance between the credential holder’s eyes, length of the nose, etc.

    Figure 15. Mobile ID Verify App Optical Inspection scan results screens.

  3. The photo presented to the verifier matches the photo associated with the Mobile ID back-end service. The verifier scans the whole screen to get a return value confirming whether the captured portrait matches the QR code as compared with the biometric template.

  4. A hash of the provided end-user portrait image is calculated and compared against the hash of the end-user's portrait extracted directly from the QR code. This comparison results in a matching score, which is returned to gauge the authenticity of the credential.

  5. The IDEMIA Mobile ID Verify App displays an indicator of the authentication status, the set of attributes, and an image of the captured and processed photo.


Capabilities 

The IDEMIA Mobile ID Verify ID App is designed to offer secure, offline, and in-person verification capabilities with a focus on the following core capabilities:

  • Completely touchless machine-to-machine (M2M) design
  • No internet connection needed
  • Adherence to ISO-18013 guidelines
  • Personally identifiable information (PII) is protected at all times, never being stored on the verifying device or in the cloud
  • QR Code & BLE capability
  • PDF417 barcode scanning and rendering
  • Auto-detection of credential authentication method
  • Pre-set age verification settings for common age verification scenarios

Capability and feature support by credential type and Platform:

| Capability | Credential | Platform |
| --- | --- | --- |
| QR Code + BLE transfer | Mobile ID | Android, iOS (SDKs & apps) & Windows (SDKs) |
| PDF417 Scan | Physical ID & Mobile ID | Android, iOS (SDKs & apps) & Windows (SDKs) |
| Optical Inspection | Mobile ID | Android, iOS (SDKs & apps) |
| Configurable Templates | Mobile ID | Android, iOS (SDKs & apps) & Windows (SDKs) |
| Credential Auto-Detection | Physical ID & Mobile ID | Android, iOS (apps) |
| Dynamic Display | Mobile ID | Android, iOS (apps) |
| Demo Credential | Mobile ID | Android, iOS (apps) |
| Decline Notification | Mobile ID | Android, iOS (apps) |
| Age Verification | Physical ID & Mobile ID PDF417 (18-25); Mobile ID QR code + BLE transfer (21+) | Android, iOS (SDKs & apps) & Windows (SDKs) |

Credential Auto-Detection 

The single "scan" button with no extra step required to select a verification method is designed to enhance the user experience and ease-of-use of the app. Tapping the I'm Ready to Scan button launches the ability for the IDEMIA Mobile ID Verify App to detect the method of sharing presented automatically, whether it's a QR code, PDF417 barcode, or Optical Inspection screen.


Dynamic Data Display 

The IDEMIA Mobile ID Verify App can dynamically display results data based on the attributes exchanged with the end-user's Mobile ID credential. The verifier can select the specific attributes needed from the credential holder. The attributes not selected at this stage are removed from the request sent to the end-user.

The attributes that are not requested, and their associated field labels, are not displayed on the IDEMIA Mobile ID Verify App results page. This avoids wasting screen space and improves the end-user experience by populating the results page with only the desired and relevant information requested by the verifier.


Forced Upgrade 

The IDEMIA Mobile ID Verify App contains a mechanism that can automatically notify the verifier that their current version of the app is out of date when opening the app.

The verifier is provided with two options: update the app or exit the app. The verifier will not be able to use the app again until the upgrade to the latest version is completed.

This allows IDEMIA to ensure that the verifier has the latest, most secure version of the IDEMIA Mobile ID Verify App.

Figure 16. Expired app notification example.


Demo Credential 

The Mobile ID Verify App provides the ability to use a demo-only version of a Mobile ID credential. In this case, the app will display a clear banner across the top of the app stating FOR DEMO USE ONLY- NOT A VALID ID. This is to ensure that only valid production Mobile ID apps can be used throughout the digital identity ecosystem.

Figure 17. Demo-use only indicator example.


Decline Notification 

When the Mobile ID credential holder declines a request for identity attributes, the verifier receives a notification in the Mobile ID Verify App. The Results screen will indicate that the credential holder declined the request to share attributes. If presented with this option, the verifier can tap Try again to reinitiate the request.


Privacy 

The IDEMIA Mobile ID Verify Product Suite keeps the end-user's personally identifiable information (PII) and other attributes private by design. From the ground up, the IDEMIA Mobile ID Verify Product Suite has focused on minimizing the exposure, transfer, and sharing of an end-user's information:

  • Any PII (or other attributes) that are used in a transaction are always encrypted while in transit.

  • Any PII (or other attributes) that are used in a transaction are discarded from the system as soon as the transaction is complete.


App Settings 

Settings for the IDEMIA Mobile ID Verify App allow the verifier to view the following information:

| Field | Description |
| --- | --- |
| About | Information on the IDEMIA Mobile ID App and IDEMIA Mobile ID Verify App |
| FAQ | Covers frequently asked questions |
| Help | Contact information for IDEMIA's support line |
| Quick Guides | Visual guides on how to use the app |
| Age Verification | Configurable age verification requirements set by the verifier |
| Attribute Settings | Verifier can select a use case template for scanning (standard information or custom) |
| Terms of use | IDEMIA Mobile ID Verify terms of use |
| Privacy Policy | IDEMIA Privacy statement for commercial products |

Figure 18. Settings menu example.


Age Verification 

The Age Verification setting allows a verifier to change the age threshold that will appear in the verification results after they scan a PDF417 barcode.

  • The IDEMIA Mobile ID Verify App will display the age threshold as (Age+) in green if the end-user presenting the ID meets the age requirements.

  • The IDEMIA Mobile ID Verify App will display the age threshold as (NOT Age) in red if the end-user presenting the ID does not meet the age requirements.

Steps to set the age threshold in the Mobile ID Verify App:

  1. The verifier taps on the Gear icon inside the IDEMIA Mobile ID Verify App and taps on Age Verification.

  2. The verifier sets the age verification threshold to, for example, 18+ or 25+.

  3. The new choice automatically saves and is visible when the verifier taps Back to go back one screen.

Figure 19. Age verification settings example.


Attribute Settings 

The Attribute Settings allows the verifier to change the template of the attribute request that will go out to IDEMIA Mobile ID App end-users. There are two choices:

  • Standard: request only the standard attributes preconfigured in the Mobile ID Verify App

  • Custom: request custom attributes by adding or removing the template

Figure 20. Standard Information menu example.

Note: The end-user must consent to share the attributes before any data transfers from the end-user's smartphone to the verifier device.

Standard Information

Standard Information is the default option within the IDEMIA Mobile ID Verify App. When this option is set, the following attributes are requested:

Attributes
Portrait
Real ID
First name
Last name
Street address
City
State
Postal code
Birthdate
Expiration date
Age Verification threshold
Age in years
License Number
Driving Privileges
Gender
Height
Eye Color

Figure 21. Standard Information menu example.

Custom

The IDEMIA Mobile ID Verify App allows Relying Parties to select the attributes they want to request from the end-user during the verification process with configurable templates. All of the IDEMIA Verify SDKs also support this functionality.

Select and deselect attributes

To select attributes in the IDEMIA Mobile ID Verify App, the verifier does the following:

  1. Click the Gear icon and select Attribute Settings to choose from the standard set of attributes, or to select a set of attributes to request from the end-user.

  2. On the Custom screen, slide the button to the right to select the desired attribute.

  3. On the Custom screen, slide the button to the left to de-select an attribute. (When a button is de-selected it will appear faded out).

The following attributes are available in this section:

Attributes
Portrait
REAL ID
First name
Last name
Street address
City
State
Postal code
Birthdate
Expiration date
Age verification threshold
Age in years
Birth year
License number
Driving Privileges
Gender
Height
Eye color
Nationality
Place of birth
Issuing country
Issuing authority
Issuing jurisdiction
Portrait timestamp
Last update timestamp
Next update timestamp
Validity date
Full Name (UTF)

Figure 22. Verifier screen to select the attributes they want to request from the credential holder.


Help and support 

This section describes help resources available for the IDEMIA Mobile ID Verify App users.

In-app quick guides

The IDEMIA Mobile ID Verify App includes illustrative guides inside the app for key functions. The verifier can access the Quick Guides inside the app by tapping on the Gear icon and then Quick Guides. This content is the same content found in IDEMIA's offline quick guides.

Figure 23. Quick guide example.

FAQs

The verifier can access frequently asked questions inside the app by tapping on the Gear icon and then FAQ to display a list of questions and answers.

Figure 24. FAQ example.

Other help resources

The verifier can access the dedicated help resources with the following steps:

  1. Tap on the Gear icon in the IDEMIA Mobile ID Verify App.

  2. Tap on Help in the menu to display the link to a support email address and a dedicated customer support phone number.


Security and Privacy 

The IDEMIA Mobile ID Verify Product Suite authenticates the validity of an identity-based credential via stringent security measures. It adheres to the following international standards and policies:

  • Personally identifiable information (PII) data, and other sensitive information, is not stored but is encrypted in transit.

  • ISO 18013 security certificates and mechanisms are used in validation of a credential.

  • Static code security analysis on the source code before compiling.

App protection  

The IDEMIA Mobile ID Verify App has ProGuard protection built into the Android app to protect the code and mitigate a variety of threat vectors.

Data security  

The IDEMIA Verify Product Suite works to secure all personally identifiable information (PII) and other small chunks of data that pass through the IDEMIA Mobile ID Verify App and SDKs.

Security Assessments  

Security assessments are conducted regularly by best-in-class independent security firms, including those commissioned by our customers.

Vulnerability Mitigation Process  

IDEMIA maintains a structured vulnerability mitigation process that includes configuration control board oversight, security scans, and code analysis tools:

  • The IDEMIA Change Control Board (CCB) exists to govern the release of the IDEMIA software to pre-production and production environments. The CCB comprises core team members who work to set the process framework, review release outcomes (e.g. epics, stories, defects, etc.), and security posture, amongst others.

  • Static code analysis plays a central role in ensuring the quality and security of software products. IDEMIA leverages a static code analysis tool which generates metrics that are monitored continuously to identify any defects and security vulnerabilities within the scanned application.

ISO-18013 security check 

The table below describes the ISO-18013 security checks.

| Security Checks | Purpose |
| --- | --- |
| Value Digest | Data Integrity and Data Originality. Digest Hash calculated using: 256 |
| MSO | Data Authenticity. Algorithm used: ECDSA |
| IACA | Certificate Matching and Authorization used to check whether data is signed with correct source. |
| HMAC | Device Authenticity. Algorithm used: ECDSA with SHA |
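
The Value Digest check in the table above, sketched as an added example (it is not IDEMIA SDK code): each received data element is hashed and compared with the digest recorded for its digestID in the issuer-signed MSO. The function names, the byte strings standing in for CBOR-encoded items, and the sample values are constructed assumptions; the sketch assumes the MSO signature and IACA certificate chain have already been verified, and it takes the hash from the MSO's `digestAlgorithm` field.

```python
import hashlib
import hmac

NS = "org.iso.18013.5.1"  # mDL namespace defined by ISO 18013-5

# Values an MSO may carry in its digestAlgorithm field.
DIGESTS = {"SHA-256": hashlib.sha256, "SHA-384": hashlib.sha384,
           "SHA-512": hashlib.sha512}


def check_value_digests(mso, received):
    """Compare each received item against the digest the issuer signed.

    mso      -- {"digestAlgorithm": str, "valueDigests": {ns: {digestID: bytes}}}
    received -- {ns: [{"digestID", "elementIdentifier", "itemBytes"}, ...]}
    Returns (accepted, rejected); only accepted elements may be displayed.
    """
    try:
        hash_fn = DIGESTS[mso["digestAlgorithm"]]
    except KeyError:
        raise ValueError("unsupported or missing digestAlgorithm") from None

    accepted, rejected = {}, []
    for ns, items in received.items():
        signed = mso["valueDigests"].get(ns, {})
        seen = set()
        for item in items:
            digest_id, name = item["digestID"], item["elementIdentifier"]
            expected = signed.get(digest_id)
            if expected is None:
                # Element the issuer never signed: injected or wrong namespace.
                rejected.append((ns, name, "digestID not in MSO"))
            elif digest_id in seen:
                rejected.append((ns, name, "duplicate digestID"))
            elif not hmac.compare_digest(
                    hash_fn(item["itemBytes"]).digest(), expected):
                # Hash the bytes exactly as received; never re-encode first.
                rejected.append((ns, name, "digest mismatch"))
            else:
                seen.add(digest_id)
                accepted.setdefault(ns, []).append(name)
    return accepted, rejected


def _item(digest_id, name, value, salt):
    # Constructed stand-in for one encoded IssuerSignedItemBytes value
    # (a real item is CBOR holding digestID, random, identifier and value).
    raw = salt + b"|" + name.encode() + b"|" + value
    return {"digestID": digest_id, "elementIdentifier": name, "itemBytes": raw}


def build_sample():
    """Constructed data: three issued items, one altered and one added later."""
    issued = [
        _item(0, "family_name", b"DOE", b"\x01" * 16),
        _item(1, "birth_date", b"1990-01-31", b"\x02" * 16),
        _item(2, "age_over_21", b"false", b"\x03" * 16),
    ]
    mso = {
        "digestAlgorithm": "SHA-256",
        "valueDigests": {NS: {i["digestID"]: hashlib.sha256(i["itemBytes"]).digest()
                              for i in issued}},
    }
    received = [dict(i) for i in issued]
    # Value changed after issuance: its digest no longer matches the MSO.
    received[2]["itemBytes"] = received[2]["itemBytes"].replace(b"false", b"true")
    # Element that was never part of the signed credential.
    received.append(_item(9, "portrait", b"constructed-image", b"\x04" * 16))
    return mso, {NS: received}


if __name__ == "__main__":
    ok, bad = check_value_digests(*build_sample())
    print("accepted:", ok)
    for entry in bad:
        print("rejected:", entry)
```

A digest match only shows that an element is the one listed in the MSO; it carries weight only because the MSO itself is signed, which is what the MSO and IACA rows of the table cover.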

Privacy Controls  

The IDEMIA Verify Product Suite employs significant privacy-enhancing design and implementation policies to enable end-user and workflow level privacy controls, including:

  • Identity attributes are stored in the end-user's smartphone.

  • IDEMIA provides transactional data in such a way that the Issuing Authority cannot track who specifically is using the IDEMIA Mobile ID App at various Relying Parties over time.

  • Identity information is only provided to owners or operators of verification endpoints with consent confirmed with the Mobile ID credential holder for each transaction.

  • Error messages have been conformed across all IDEMIA Mobile ID Verify platforms.


Standards 

International standards

The IDEMIA Mobile ID Verify App provides in-person identity verification based on the following international standards:

  • US AAMVA standards for PDF417 barcode scanning

  • ISO 18013-5 standard QR code scanning, data sharing, certificate matching at the Issuing Authority attribute integrity.

ISO/IEC 18013-5 standard

ISO 18013-5 is the standard under development for digital driver's licenses and related mobile ID interoperability. The IDEMIA Verify Product Suite supports the N1677 and N1818 draft versions of ISO 18013-5.

IDEMIA periodically updates its software to support new draft versions of the ISO/IEC 18013-5 standard and has committed to support the final standard version. However, IDEMIA does not attempt to support every interim draft version that is released.


Glossary 

| Term | Definition |
| --- | --- |
| 2D barcode | Two-dimensional barcode is used to describe barcode formats that encode information in multiple rows of bars and spaces stacked on top of each other. Also called a matrix barcode. Example: PDF417 |
| API | Application Programming Interface |
| BLE | Bluetooth Low Energy is a wireless personal area network technology that was initially released as part of Bluetooth 4.0. BLE is supported by iOS 5 and later and by Android 4.3 and later. |
| CA | Certificate Authority |
| CCB | Change Control Board |
| ID | Identity Document(s) |
| ISO | International Organization for Standardization |
| ISO-IEC 18013 | A standard for obtaining data and trusting data from a mobile driver’s license (mDL) |
| ISO-IEC 18013-5 | The part of the 18013 standard that covers the technical and interoperability requirements for mobile driver’s licenses. Note: This standard is expected to be finalized later in 2020. |
| M2M | Machine-to-Machine is a direct data exchange between devices using any communications channel, including wired and wireless, without human interaction. |
| NIST | National Institute of Standards and Technology |
| NIST 800-63-3 | SP (Special Publication) 800-63-3, Digital Identity Guidelines |
| PDF417 | A stacked linear 2D barcode format that was selected as the standard for the machine-readable zone technology on driver’s licenses. |
| QR Code | Quick Response Code, a 2-dimensional barcode that contains instructions or information for another device that scans it |
| REAL ID | A set of security standards set by US Federal law for the issuance of sources of identification, such as driver’s licenses. |
| RP | Relying Party |
| SDK | Software Development Kit |
| SOR | System-of-Record |
| UTF | Unicode Transformation Format |
UTFUnicode Transformation Format