Identity Verification as a Service (IDVaaS)
IDVaaS is a mobile digital enrolment and identity verification service. IDVaaS uses common smartphone technology and an app to guide applicants through a private, secure and convenient self-service process, 100% remotely. IDVaaS incorporates real-time biometric and document authentication checks and liveness detection, and works with all common forms of machine-readable ID documents.
Features
- Applicants use their phone to register and verify claimed identification
- Intelligent multilingual guidance on privacy and applying with video assistance
- OCR scan of the Passport or ID Card transcribes biographics
- Checks document authenticity, integrity and validity and detects fakes
- Authenticates a selfie using facial matching comparing face from chip
- Configurable rules-based workflow automates casework, eligibility checks and decisions
- Validates citizen, migrant or client identification and lost or stolen
- Integrates easily with a digital identity ecosystem and enrolment processes
- Compatible with all ICAO compliant ISO/IEC 14443 enabled ID documentation
- Includes optional payment gateway functionality for fee collection
Benefits
- Supports settlement, ETA, eVisa, ePassport, residency and digital onboarding programmes
- Remote application means no government facility visit is required
- Selfie matching against document chip with liveness detection recognises/authenticates users
- Secure, private, app guides applicants and obtains informed consent
- eID chip reading using iOS/Android phone NFC&MRZ scanning reduces errors
- Checks validity, authenticity and integrity of ePassports or eID
- GDPR compliant, ISO accredited, components deliver cyber security
- Scalable, integrates via API with other systems and applications
- Configurable workflow allows integration within application enrolment or registration processes
- Provides a trusted Identity as a Service (IaaS) capability
Pricing
£0.55 to £1.00 a transaction
Framework
G-Cloud 14
Service ID
533695908485991
Contact
Entrust Datacard (Europe) Limited
Robert Hann
Telephone: 07818 552411
Email: robert.hann@entrust.com
Service scope
- Software add-on or extension
- No
- Cloud deployment model
- Public cloud
- Service constraints
- Mobile application is currently constrained to Android and iOS devices subject to technology innovations and client requirements.
- System requirements
-
- Applicant: Connectivity via the cellular network or Wi-Fi
- Applicant: Smartphone with camera to conduct the facial biometric check
- Applicant: 3G or higher connection, can also use GPRS link
- Applicant: A modern browser that supports HTML5 and HTTPS connections
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
-
Support is 24/7 where a Critical (severity 1) issue resolution is applied according to the determined severity of the problem.
For all Critical (severity 1) problems reported to Entrust's 24/7 helpdesk, support begins within one hour of being reported.
Questions or advice requests from the customer will be responded to in due course dependent on the information request during regular business hours Monday to Friday 9:00 to 17:00.
- User can manage status and priority of support tickets
- No
- Phone support
- Yes
- Phone support availability
- 24 hours, 7 days a week
- Web chat support
- No
- Onsite support
- Yes, at extra cost
- Support levels
- Entrust has flexible support levels that can be tailored to the needs of the client. Response and corrective actions are defined based on the level of severity of the reported incidents. Our support staff are available by phone and email for reporting incidents and general inquiries. We also offer 24/7 support. Costs are dependent upon the Service Agreement; some services may be at additional cost as per SFIA. All new customers are assigned a Customer Success Manager that will provide proactive support and advice throughout the contract.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
- All new customers are assigned a Customer Success Manager that will provide proactive support and advice throughout the contract. Our architects ensure the appropriate solution is provisioned and maximised for workloads, along with a range of instructions and user guides. Training options combine instruction, workflow assessment, real-world examples and hands-on exercises so that users, trainers and system administrators walk away with the knowledge they need to impact operational results, accelerate adoption and lower software administration costs. Training options include onsite classroom style and virtual training sessions or combinations of both. The virtual options include: online tutorials, web-based sessions, telephone or regional training sessions. The smartphone app can optionally provide multi-lingual guidance to applicants on its use.
- Service documentation
- Yes
- Documentation formats
-
- HTML
- ODF
- End-of-contract data extraction
- Entrust provides assistance in extracting the data in CSV or DB backup format.
- End-of-contract process
- There is no need for offboarding due to the IDVaaS service not retaining operational data.
Using the service
- Web browser interface
- Yes
- Supported browsers
-
- Internet Explorer 11
- Microsoft Edge
- Firefox
- Chrome
- Safari
- Application to install
- Yes
- Compatible operating systems
-
- Android
- iOS
- Designed for use on mobile devices
- Yes
- Differences between the mobile and desktop service
- IDVaaS has a mobile component for use by the public to verify identity. This can be supplemented by a web application if desired with seamless transition between them. The other desktop component is for use by the government agency to manage these applicants.
- Service interface
- No
- User support accessibility
- None or don’t know
- API
- Yes
- What users can and can't do using the API
-
An alternative application process to using a mobile device can be provided. An API could be used to submit data to the Agency when used in conjunction with an access/bar code. The system can check the status of applicants after initial approval (given eTAs & eVisas are valid for a period of time) to see if at any point they have been revoked.
- API documentation
- Yes
- API documentation formats
- API sandbox or test environment
- Yes
- Customisation available
- Yes
- Description of customisation
- IDVaaS has a flexible configuration. Users and Administrators can 'configure' many parts of their applications. For example, members of the public using the app can select from available languages. Dev Ops set thresholds for photo matching and the volume of users to allow on the system.
Scaling
- Independence of resources
- Client is provided a dedicated instance with auto-scaling capability.
Analytics
- Service usage metrics
- Yes
- Metrics types
- Entrust applies many metrics to its product suites for IDV. These include but are not limited to: the number of applications approved or failed and reasons, the number of submitted photos approved or failed and reasons, etc.
- Reporting types
-
- Regular reports
- Reports on request
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Conforms to BS7858:2019
- Government security clearance
- Up to Security Clearance (SC)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- United Kingdom
- User control over data storage and processing locations
- Yes
- Datacentre security standards
- Supplier-defined controls
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
- Protecting data at rest
-
- Physical access control, complying with CSA CCM v3.0
- Other
- Other data at rest protection approach
- Entrust encourages clients to select the option to protect their data using database encryption technologies where only we have the decryption key. In this way, our customers are assured that their data can never be accessed by a third party.
- Data sanitisation process
- Yes
- Data sanitisation type
-
- Explicit overwriting of storage before reallocation
- Deleted data can’t be directly accessed
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001
Data importing and exporting
- Data export approach
- Entrust provides assistance in extracting the data in CSV or DB backup format.
- Data export formats
- CSV
- Data import formats
- Other
- Other data import formats
- DB backup files.
Data-in-transit protection
- Data protection between buyer and supplier networks
-
- TLS (version 1.2 or above)
- IPsec or TLS VPN gateway
- Data protection within supplier network
-
- TLS (version 1.2 or above)
- IPsec or TLS VPN gateway
Availability and resilience
- Guaranteed availability
- 99% for the SaaS application, depending on infrastructure aspect.
- Approach to resilience
-
The Business Continuity plan details the process followed in the case of an outage, from detection to deactivation. It's a three-phased approach: Activation and Notification Phase, Recovery Phase, and Reconstitution Phase. This approach ensures system recovery and reconstitution efforts in a methodical sequence, maximizing the effectiveness of the recovery and reconstitution efforts and minimizing system outage time due to errors and omissions.
A ubiquitous security control environment is maintained across all regions. Each data centre is built to physical, environmental, and security standards in an active-active configuration, employing an n+1 redundancy model, ensuring system availability in the event of component failure. Components (N) have at least one independent backup component. All data centres are online and serving traffic. In case of failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.
Customers are responsible for implementing contingency planning, training and testing for their systems. Customers have the capability to implement a robust continuity plan, including the utilization of frequent server instance back-ups, data redundancy replication, and the flexibility to place instances and store data within multiple geographic regions across multiple Availability Zones.
- Outage reporting
- All outage notifications will be reported to the identified client representative. Outages are identified as Planned maintenance, Emergency maintenance, and platform issues.
Identity and authentication
- User authentication needed
- Yes
- User authentication
-
- 2-factor authentication
- Other
- Other user authentication
- Agency users are assigned a user ID. A two-factor authentication process is put in place, such as password and Time-based One-time Password Algorithm (TOTP).
- Access restrictions in management interfaces and support channels
- For Agency use - Access to software features is restricted by roles. These roles and access controls are defined by the client during the on-boarding process. For example, an administrator role will have much broader permissions across the system.
- Access restriction testing frequency
- At least once a year
- Management access authentication
-
- 2-factor authentication
- Other
- Description of management access authentication
- Users are assigned a user ID. A two-factor authentication process is put in place, such as password and Time-based One-time Password Algorithm (TOTP).
Audit information for users
- Access to user activity audit information
- Users contact the support team to get audit information
- How long user audit data is stored for
- User-defined
- Access to supplier activity audit information
- Users contact the support team to get audit information
- How long supplier audit data is stored for
- User-defined
- How long system logs are stored for
- User-defined
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- A-LIGN Compliance and Security, Inc.
- ISO/IEC 27001 accreditation date
- 01/03/2022
- What the ISO/IEC 27001 doesn’t cover
- N/A.
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- Yes
- Cyber essentials plus
- Yes
- Other security certifications
- No
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- ISO/IEC 27001
- Information security policies and processes
-
Implemented: Formal, documented policies and procedures that provide guidance for operations and information security within the organisation. Policies address purpose, scope, roles, responsibilities and management commitment.
Employees maintain policies in a centralised and accessible location. Security Assurance is responsible for familiarizing employees with the security policies.
There are established information security functions that are aligned with defined structure, reporting lines, and responsibilities. Leadership involvement provides clear direction and visible support for security initiatives.
The output of Leadership reviews include any decisions or actions related to:
• Improvement of the effectiveness of the ISMS.
• Update of the risk assessment and treatment plan.
• Modification of procedures and controls that affect information security to respond to internal or external events that may impact the ISMS.
• Resource needs.
• Improvement in how the effectiveness of controls is measured.
Policies are approved by leadership at least annually or following a significant change to the environment.
Operational security
- Configuration and change management standard
- Supplier-defined controls
- Configuration and change management approach
- We have documented configuration and change management policies and processes, which have been implemented, maintained and assessed in accordance with the guidance from ITIL v.3 and the current ISO 20000 standard. Formal configuration management activities, including record management and asset reporting, are monitored and validated constantly, and any identified discrepancies promptly escalated for investigation. A robust, established process for the formal submission of change requests is mandated prior to review and approval of the daily Change Advisory Board, which is attended by a quorum of operational and technical management personnel.
- Vulnerability management type
- Supplier-defined controls
- Vulnerability management approach
- Entrust conducts vulnerability assessments throughout the lifecycle. Our development process includes use of static code analysis to identify vulnerabilities introduced in source code and methods to remedy. We conduct penetration testing on our service platform along with tests to identify vulnerabilities and policy-violating configurations. Entrust also employs a number of tools in the production environments to automatically identify suspicious activities and components (e.g. operating systems) with available security patches. A process exists to alert the responsible parties in the event of a security incident. Entrust also monitors newsfeeds/vendor sites and the AWS security bulletin (https://aws.amazon.com/security/security-bulletins/) for security threat information.
- Protective monitoring type
- Supplier-defined controls
- Protective monitoring approach
-
We deploy (pan-environmental) monitoring devices to collect information on unauthorized intrusion attempts, usage abuse, and network/application bandwidth usage. Devices monitor:
• Port scanning attacks
• Usage (CPU, processes, disk utilization, swap rates, software-error generated losses)
• Application metrics
• Unauthorized connection attempts
Near real-time alerts flag incidents, based on the Service/Security Team-set thresholds.
Requests to KMS are logged and visible via the account’s CloudTrail Amazon S3 bucket. Logs provide request information, under which CMK, and identify the resource protected through the CMK use. Log events are visible to customers after turning on CloudTrail in their account.
- Incident management type
- Supplier-defined controls
- Incident management approach
- We have a documented incident management policy and process, which have been implemented, maintained and assessed in accordance with the guidance from ITIL v.3 and ISO27001 standards. This activity is responsible for the progression of alerts generated by automated monitoring systems, issues identified by our personnel, and incidents identified and reported to us by our customers and partners. All incidents are promptly reported into a central ticketing system, which ensures that each is promptly assigned to an appropriate resource, and its progress tracked (and escalated, as required) to resolution.
Secure development
- Approach to secure software development best practice
- Conforms to a recognised standard, but self-assessed
Public sector networks
- Connection to public sector networks
- No
Social Value
- Social Value
-
- Fighting climate change
- Tackling economic inequality
- Equal opportunity
- Wellbeing
Fighting climate change
Environment – Our goal is to manage our manufacturing, warehousing, distribution, and office facilities to minimize ecological impact. Entrust maintains an ISO 14001 certification at its headquarters and principal manufacturing facility and is working to set organizational carbon reduction goals to achieve net zero carbon emissions by 2050. We also comply with important environmental measures such as REACH, RoHS, and Proposition 65 where applicable to our business.
Tackling economic inequality
Diversity, Equity and Inclusion – Entrust has established concrete goals to build a more diverse workplace and supplier base. We actively promote an inclusive and welcoming culture across our business through our Entrust Includes initiative and we look for suppliers that embrace similar values through our formalized supplier diversity program.
Equal opportunity
Diversity, Equity and Inclusion – Entrust has established concrete goals to build a more diverse workplace and supplier base. We actively promote an inclusive and welcoming culture across our business through our Entrust Includes initiative and we look for suppliers that embrace similar values through our formalized supplier diversity program.
Wellbeing
Diversity, Equity and Inclusion – Entrust has established concrete goals to build a more diverse workplace and supplier base. We actively promote an inclusive and welcoming culture across our business through our Entrust Includes initiative and we look for suppliers that embrace similar values through our formalized supplier diversity program.
Pricing
- Price
- £0.55 to £1.00 a transaction
- Discount for educational organisations
- No
- Free trial available
- No