ETSI certified identity verification
The EU regulatory landscape is challenging for organisations to navigate with a patchwork of local regulations, EU Identity Verification (IDV) standards, sector-specific guidelines and the continuously evolving threats of fraud.
Onfido offers a product package which helps customers seeking compliance with specific AML regulations by being certified against EU IDV standards. In particular:
- ETSI TS 119 461
- ETSI EN 319 401
- eIDAS Regulation EU 2014/910
To enable ETSI certified IDV on your account, you will need to contact your Customer Success Manager or Account Manager. Alternatively, contact Client Support.
For ETSI certified IDV, customers are required to integrate the following products and features within Onfido’s Real Identity Platform:
- Core Studio integration
Configuring ETSI-compliant workflows for each country that include the following Verification Suite reports:
- Document Video Report
- Facial Similarity Report - Motion
- Known Faces Report
- Device Intelligence Report
- Downloading the Signed evidence file & associated media after each workflow completion
- Onfido Smart Capture SDKs and API (see version compatibility below)
Onfido Studio is a tool for building, managing, and deploying identity verification journeys. Build workflows visually using our no-code Workflow Builder tool, in a format similar to flow charts or process diagrams.
Onfido Studio offers a number of benefits including:
- Automated, smart decision making through no-code workflows
- Customized and flexible user verification flows
- Scalability to new markets and user requirements
You will use Studio to build ETSI-certified compliant workflows for the different regulatory contexts you require.
While not strictly required, Onfido generally recommends that customers configure and maintain separate workflows for each regulated country they operate in as IDV requirements tend to differ from one country to the next.
This will make it easier to maintain and optimise your workflows over time while making the necessary changes to remain compliant.
To get started more easily, Onfido will provide you with a pre-approved workflow template that you can easily import into Studio. Note: Templates are provided for guidance and informational purposes only. Check that they meet your regulatory or business needs in the context of your specific business case.
The following verification tasks should be included in your Studio workflows.
Document verification leverages multiple techniques, including specially trained Machine Learning powered algorithms, to classify documents, extract their data and verify their authenticity through specific data integrity and visual authenticity checks. When required, document verification is supported by a team of highly trained human analysts.
In addition to capturing a photo of the document, Document Video Report also captures the video of the document through the SDK and provides the ability to download the video through our API and Dashboard.
You can read more about Document Video Report here.
Facial Similarity Motion provides highest assurance for biometric comparison and liveness detection with low friction and high performance. The user records a video of themselves performing simple head movements. Facial Similarity Motion has been certified iBeta level 2 for PAD (Presentation Attack Detection).
You can read more about the Facial Similarity Report - Motion here.
Known Faces report compares a specific applicant’s likeness in their most recent live face capture to live face captures from the last 1 year of applicant faces processed through your Onfido client’s account.
It alerts clients to faces which have already been through their identity verification flow, so they can catch repeat identity fraud attempts and prevent duplicate accounts from being opened.
You can read more about the Known Faces Report here.
Device Intelligence uses non-visual passive signals to identify fraudulent activity and protect our customers from malicious actors.
This includes the verification of the device, app and network’s integrity and their connection with recent fraudulent activity.
You can read more about the Device Intelligence Report here.
For each completed identity verification workflow, whether approved or rejected, Onfido generates, signs and stores a full audit trail (evidence file) of the end-to-end IDV process performed through Onfido.
Generation and storage of the evidence file is required by ETSI TS 119 461 and allows you to demonstrate the validity of each remote identity verification (E.g. in legal proceedings).
Evidence files are provided in PDF format and are signed by Onfido using the PDF Advanced Electronic Signatures (PAdES) standard which is eIDAS-compliant. This ensures that:
- the file has not been changed and
- has been generated by Onfido
How do I download a signed evidence file?
See our API documentation: Retrieve Workflow Run Signed Evidence File
How do I validate the signature of a signed evidence file?
Evidence files are signed with a qualified certificate. To validate this signature, open the document in Adobe Acrobat Reader or similar app that supports signature validation.
For Acrobat Reader, at the top of the document there should be a signature validation message saying: "Signed and all signatures are valid".
Clicking the "Signature Panel" will provide detailed information showing that the file has been signed by Onfido.
How long is the signed evidence file stored for?
Onfido applies the same data deletion policy to evidence files as it does to Applicants and Checks, and will store the evidence file for the lifetime of the applicant's data. Customers are responsible for retrieving the file via the relevant endpoints and store it as long as it is needed.
How do I compare the integrity of media files?
While not required, for customers who want to confirm the authenticity of media files referenced in the evidence file, you will need to:
- Download associated media files from the Onfido platform, using your Dashboard or via API
- Calculate the footprint (or hash) of each media file using the SHA256 algorithm
- Compare hashes you produced with the checksums included in the evidence file. If they match, you have demonstrated the media files are authentic
To ensure the best performance, we highly recommend that customers use the latest versions of our Smart Capture SDKs and API.
Smart Capture SDKs
The following minimum versions are required for ETSI certified IDV and are subject to change over time to ensure compliance as regulatory requirements evolve:
- iOS 28.3.0 or above
- Android 19.3.0 or above
- Web 13.3.0 or above
- Flutter 4.2.0 or above
- React Native 10.4.0 or above
You can read more about the Smart Capture SDK here.
V3.6 or above. You can find the API reference here.
By integrating ETSI Certified IDV, you will need to agree to and comply with additional terms alongside your existing client services agreement:
- You must provide your end users with terms and conditions for the remote identification procedure, prior to them starting the IDV flow through Onfido’s SDK. Onfido has provided example terms and conditions for you to incorporate or link to. You should also store the acceptance of terms and conditions by your end users.
- You must capture any necessary consents of end users, prior to them starting the IDV flow through Onfido’s SDK. You should store consents given by your end users.
- You must ensure you download and retain the full IDV process audit logs and associated media files for each workflow. Onfido will provide you with a signed evidence file to assist with this. Note: The data retention period will depend on your specific obligations under law.
Additional obligations for running ETSI certified IDV for specific countries:
- Romania (DECISION 564/2021): Including a One Time Password (OTP) step in the process, to verify mobile phone numbers or email addresses prior to the identification flow.
Onfido ETSI certified IDV product package has been certified by an EU-accredited Conformity Assessment Body (CAB) against the following EU standards and regulations:
- eIDAS Regulation (UE) 910/2014 Art. 24.1d - Remote identification service component.
- ETSI EN 319 401 v2.3.1 - Electronic Signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers.
- ETSI TS 119 461 v1.1.1 - Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service components providing identity proofing of trust service subjects.
Onfido achieved the comprehensive certification by completing an extensive audit process, meeting strict criteria which verifies that the solutions adhere to the highest security, interoperability and assurance standards, and that Onfido is a mature, reputable and established provider.
Our certification allows Onfido to act as an Identity Proofing Service Provider (IPSP) for Qualified Trust Service Providers (QTSP) and means that customers conforming to AML requirements in Europe will be able to use our solution, in combination with other trust services, to operate across the EU.
Additionally, our solution has been certified against the following country-specific regulations:
- Romania: DECISION 564/2021 on the regulation, recognition, approval or acceptance of the procedure for the remote identification of persons using video
If you require confirmation of this certification for audit or regulatory application purposes we are able to share it with you. Please contact your Customer Success Manager or Account Manager.