ETSI certified IDV

Start here

Introduction

The EU regulatory landscape is challenging for organisations to navigate, with a patchwork of local regulations, IDV standards, sector-specific guidelines and the continuously evolving threats of fraud.

Onfido’s all-in-one identity verification solution, Compliance Suite, empowers fast-growth businesses to expand seamlessly into new markets and meet local regulatory needs for onboarding users.

ETSI Certified IDV, helps clients seeking compliance with specific AML regulations by being certified against the following EU IDV standards and regulations:

• ETSI TS 119 461 (v1.1.1)
• ETSI EN 319 401 (v2.3.1)
• eIDAS Regulation EU 2014/910 (relevant subset of articles)

To learn more about the ETSI IDV standards and KYC in Europe, please see Onfido Compliance Suite and the EU KYC requirements guide.

ETSI certified IDV solution

To enable ETSI certified IDV on your account, you will need to contact your Customer Success Manager or Account Executive. Alternatively, contact Client Support.

Integration Overview

Clients are required to integrate and configure the following products and features:

• Onfido Studio

• Configure a Studio workflow with at least the following Verification Suite tasks:

  • Document capture (with NFC either enabled or disabled)
  • Motion capture
  • Document Video Report
  • Facial Similarity Report: Motion
  • Device Intelligence Report
  • Known Faces Report (optional but recommended)
• Integrate Smart Capture SDKs (Mobile or Web) into your app or use Smart Capture Link.
• Create an automated process that, on completion of a Studio workflow run, downloads all associated Evidence Files via API and retains them inline with local laws and regulations.

Onfido Studio Integration

Onfido Studio is a tool for building, managing, and deploying identity verification journeys. You can build workflows visually using our no-code Workflow Builder tool, in a format similar to flow charts or process diagrams.

Onfido Studio offers a number of benefits including:

• Automated, smart decision making through no-code workflows
• Customised and flexible user verification flows
• Scalability to new markets and user requirements

You will use Studio to build compliant workflows for the different regulatory contexts required.

Onfido generally recommends that clients configure and maintain separate workflows for each regulated IDV context as requirements tend to differ from one country to the next. This will make it easier to maintain, analyse and optimise your workflow performance over time while making the necessary changes to remain compliant.

To get started more easily, Onfido will provide you with a pre-approved workflow template (seen below) that you can easily import into the Studio Workflow Builder.

Please note: Templates are provided for guidance and informational purposes only. Check that they meet your regulatory or business needs in the context of your specific use case.

You can learn more about Studio in our product guide. For clients who have an existing Classic integration, read our Studio migration guide.

Onfido Verification Suite

The following Verification Suite tasks should be included in your Studio workflow at a minimum but can be extended with additional verifications.

Document Video Report

Required input: Document capture task (with NFC either enabled or disabled)

Document verification leverages multiple techniques, including specially trained Machine Learning powered algorithms, to classify documents, extract their data and verify their authenticity through specific data integrity and visual authenticity checks. When required, document verification is supported by a team of highly trained human analysts.

In addition to capturing a photo of the document, Document Video Report also captures the video of the document through the SDK and provides the ability to download the video through our API and Dashboard.

You can read more about Document Video Report in the product guide.

eMRTD documents (most passports, newer national identity cards and residence permits) contain a chip which can be accessed using Near Field Communication (NFC) readers on mobile devices using Onfido’s mobile SDKs. In this case, the Document Video Report can use this chip to fully validate the authenticity of the document using cryptographic methods.

You can read more about Document NFC in the product guide.

Facial Similarity Report - Motion

Required input: Motion capture task

Facial Similarity Motion provides highest assurance for biometric comparison and liveness detection with low friction and high performance. The user records a video of themselves performing simple head movements. Facial Similarity Motion has been certified iBeta level 2 for PAD (Presentation Attack Detection).

You can read more about the Facial Similarity Report - Motion in the product guide.

Device Intelligence Report

Required input: Document capture task AND Motion capture task

Device Intelligence uses non-visual passive signals to identify fraudulent activity and protect our clients from bad-actors.

This includes the verification of the device, app and network’s integrity and their connection with recent fraudulent activity.

You can read more about the Device Intelligence Report in the product guide.

Known Faces Report

Required input: Motion capture task

Known Faces report compares a specific applicant’s likeness in their most recent live face capture to live face captures from the last 1 year of applicant faces processed through your specific client account.

It alerts clients to faces which have already been through their identity verification flow, to prevent duplicate accounts from being opened by the same user.

Note: Including Known Faces Report in your workflow is not mandatory but is highly recommended to mitigate the risk and impact of repeated fraud.

You can read more about the Known Faces Report in the product guide.

Onfido Smart Capture SDKs and API Version Compatibility

To ensure the best performance, we recommend that clients always use the latest versions of our Smart Capture SDKs and APIs.

The following minimum versions are required for ETSI certified IDV and are subject to change over time to ensure compliance with evolving requirements:

• Web SDK 13.3.0 or later (guide)

• Mobile SDKs:

  • iOS 29.6.0 or later (guide)
  • Android 19.6.0 or later (guide)
  • React Native 10.7.0 or later (guide)
  • Flutter 4.5.0 or later (guide)
• API v3.6 or later (API documentation)

Clients using Smart Capture Link will automatically run on the latest version of the hosted Web SDK.

Evidence Files

What are Evidence Files?

Evidence files include all relevant information collected and validated by Onfido during a Studio workflow. When integrating ETSI Certified IDV, clients are required to download and retain these files so that they can demonstrate the authenticity and integrity of each remote identity verification performed through Onfido (E.g. in legal proceedings).

Onfido makes the following Evidence Files available to clients:

1. Evidence Summary File is a PDF document containing a time-stamped audit trail of all relevant information collected and validated by Onfido during a Studio workflow. This file is signed by Onfido using a qualified certificate to ensure its authenticity and integrity and also meets the requirements of relevant standards and regulations.

   • It is signed by Onfido using the PDF Advanced Electronic Signatures (PAdES) standard which is eIDAS-compliant and can be verified through tools such as Adobe Reader.
   • It also includes references for each captured media, including unique identifiers and a hash based on the SHA256 algorithm. The hash can be compared to the hash of the captured media to verify that it is the same file referenced in the summary.
2. Captured Media includes all images/videos of the user’s identity document and the images/videos of the user’s face.

How do I download Evidence Files via the API?

For Evidence Summary File:

• Once a workflow has been completed, Onfido will automatically trigger the generation of the Evidence Summary File.
• It can then be downloaded via a dedicated endpoint: Retrieve Workflow Run Evidence Summary File

For Captured Media:

• Document photos (both sides of document) can be downloaded via a dedicated endpoint: Download document
• Document videos (both sides of document) can be downloaded via a dedicated endpoint: Download document video
• Motion videos can be downloaded via a dedicated endpoint: Retrieve motion capture

We recommend that Clients configure workflow output data to collate all captured media UUIDs into a single API response, making it easier to orchestrate the downloading of media from the respective endpoints.

How do I validate the signature of an Evidence Summary File?

The file is signed with Onfido’s qualified certificate. To validate this signature, open the document in Adobe Acrobat Reader or similar app that supports signature validation.

For Acrobat Reader, at the top of the document there should be a signature validation message saying: “Signed and all signatures are valid”.

Clicking the “Signature Panel” will provide detailed information showing that the file has been signed by Onfido.

How long are Evidence Files stored for?

Onfido applies the same data deletion policy to evidence files as it does to Applicants and Checks, and will store the evidence files for the lifetime of the applicant's data. Clients are responsible for retrieving the files via the relevant API endpoints prior to deletion and storing them for as long as required by local laws and regulations.

How do I verify the authenticity of the Captured Media?

For clients who want to confirm the authenticity of captured media referenced in the Evidence Summary File, you will need to:

1. Download all captured media via the API (see Evidence Files above).
2. Calculate the footprint (or hash) of each media file using the SHA256 algorithm.
3. Compare hashes you produced with the checksums included in the Evidence Summary File. If they match, you have demonstrated the media files are authentic.

Additional Obligations

By integrating ETSI Certified IDV, you will need to agree to and comply with additional terms alongside your existing client services agreement:

• You must provide your end users with terms and conditions for the remote identification procedure, prior to them starting the IDV flow through Onfido’s SDK. Onfido has provided example terms and conditions for you to incorporate or link to. You should also store the acceptance of terms and conditions by your end users.
• You must ensure you download and retain all Evidence Files. Note: The data retention period will depend on your specific obligations under local law.

Additional obligations for running ETSI certified IDV for specific countries:

• Romania (DECISION 564/2021): Including a One-time Password (OTP) step in the onboarding process, verifying the user’s mobile phone number OR email address prior to the identification flow.

Certification Details

Onfido ETSI certified IDV product package has been certified by an EU-accredited Conformity Assessment Body (CAB) against the following EU standards and regulations:

• ETSI TS 119 461 v1.1.1 - Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service components providing identity proofing of trust service subjects.
• ETSI EN 319 401 v2.3.1 - Electronic Signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers.

• eIDAS Regulation (UE) 910/2014

  • General provisions: Art.5(1),
  • Trust services – General provisions: Art.13, 15,
  • Trust services – Supervision: Art.19(1), 19(2),
  • Qualified trust services: Art.20, 24(1), 24(2).

Onfido achieved the comprehensive certification by completing an extensive conformity assessment, meeting strict criteria which verifies that our solution adheres to the highest security, interoperability and assurance standards, and that Onfido is a mature, reputable and established provider. Surveillance assessments are completed annually by Onfido in order to maintain our certification.

Our current certificate (valid until 31 May 2025) is available here. If clients require our Conformity Assessment Report for auditing or regulatory application purposes we are able to share it with you under NDA. We also maintain a publicly available Remote IDV Practice Statement and Security Policy.

With this certification Onfido can also act as an Identity Proofing Service Provider (IPSP) for Qualified Trust Service Providers (QTSP) and means that customers conforming to AML requirements in Europe will be able to use our solution, in combination with other trust services, to operate across the EU. For clients seeking a end-to-end IDV solution that leverages trust services, see ETSI certified IDV with Qualified Electronic Signature | Onfido Developer Hub.

Additionally, ETSI Certified IDV has passed conformity assessments against the following country-specific regulations:

Romania

DECISION 564/2021 on the regulation, recognition, approval or acceptance of the procedure for the remote identification of persons using video.For more information see KYC for Romania.