Service Specification
Executive Summary
Interac's HUB is a cloud service which allows service providers, or relying parties, to obtain digital identity verification directly from their customers (or end users). All the identity verification methods Interac offers are accessible through this single integration point.
HUB service highlights include:
- A standards-based OpenID Connect protocol integration.
- Identity verification through the Interac verification service using a bank login.
- Identity verification using a pairing of a supported government issued document verification and a biometric photo check.
- Identity verification using a combination of an Interac verification service identity verification and government document verification, matched for accuracy against each other.
The HUB allows service providers a high level of customization in the data they wish to receive for their internal processes, and manages the user experience across all the services provided. The HUB is bilingual and meets Government of Canada and Canadian financial services requirements for accessibility.
Government service providers, financial institutions and commercial services in Canada are already integrated to the HUB to gain secure and reliable access to identity proofing and verification services. New clients can integrate with confidence knowing the service already meets these high standards for data security and privacy handling, as well as scaling to meet high service volume demands.
Intended Audience
This document is for product managers and solution architects seeking a high level understanding of the HUB service features and integration patterns. It provides an overview of what the HUB service offers and how these services are technically delivered.
The specific and authoritative integration details are captured in the Integration Guide.
The following section describes the key aspects of the HUB service.
Terminology
| Term | Definition |
|---|---|
| Customer | The service provider's customer, or End User. |
| Document Verification | The process of capturing photos of a government issued document or ID card and a live portrait or "Selfie" for face comparison. |
| PAI | Pairwise Anonymous Identifier. An identifier for the customer that is unique between the HUB service and the service provider, so as not to enable service providers to correlate the customer's activities through the use of the HUB. |
| PII | Personally Identifiable Information. These are attributes or claims related to the customer which can be used to identify them. |
| Service Provider | The service connecting to the HUB for identity verification services. Also known as a Client, Relying Party or Data Asset Consumer (DAC). |
| Interac verification service | The Interac identity verification service associated with the customer's financial institution. |
Cloud Service
HUB is run as a cloud service from Interac. This cloud service makes Interac verification service and Document Verification services accessible through a standard federated protocol (OpenID Connect), and reduces the operational overhead for customers connecting to the cloud. All of the Interac verification service digital asset bundles and document verification service capabilities are available through this interface.
The cloud service meets strict Canadian Government security policies including Government of Canada Protected B, SOC 2 Type 1, and Canadian data residency. A full security compliance specification is available to customers. The HUB service does not cache, store, nor maintain any authentication credentials for the customer in any way, and therefore a customer's digital identity attributes may only be accessed with the customer's involvement and consent on every event.
User Centric Data Exchange
All data available through the HUB follows the Interac verification service principles of ensuring that the individual customer is present and informed with regards to the information they are agreeing to share with the service provider.
Supported Flows
HUB can orchestrate several flows, depending on the needs of the Service Provider. The following flows are supported:
- Interac verification service
- Document Verification
- Interac verification service or Document Verification
- Interac verification service and Document Verification
Service providers configure their workflows to accept Interac verification service identity attributes, or attributes scanned from a government document. Service providers may take advantage of just one of these services, or offer the customer a choice of which method to use. When providing a choice to the customer, the service provider is able to help customers complete the identity proofing and verification through the path with which they are most comfortable.
Interac verification service
HUB provides access to the complete set of Interac verification service data providers for service providers capable of processing these additional customer attributes. Service providers are able to configure the data sources and the individual attributes from Interac verification service sources in their digital identification flows. Interac verification service includes the following:
- Fundamental identity information including given name, family name, date of birth and region of residence,
- Additional customer contact information such as full residential address, mobile phone number, and email address,
- Financial institution account references,
- Equifax Credit Bureau, including digital identity, "KYC" dual-source eligibility, and credit eligibility,
- Enstream mobile number verification and mobile account information.
As additional data sources become available, service providers can update their configuration to immediately take advantage of these new sources.
Document Verification
HUB provides access to a document verification process where a customer scans a government issued document and provides a real-time portrait (photo) for biometric comparison. Service providers are able to configure the document data received as the result of a scan, as well as set the acceptable document types and policies (for example, are expired-but-not-revoked documents acceptable?). Document data includes (but is not limited to) the following:
- Given names and family name,
- Date of birth,
- Address on the document if available,
- Expiration date,
- Document type and number,
- Issuing country and authority.
The document scanning and photo analysis processes are designed to detect deliberate spoofing and fraud attempts, and to help service providers understand, in an unsuccessful ID proofing event, what went wrong.
See below for a complete list of factors which would result in a rejected or suspected document and photo scan.
For a complete list of document attributes available, please refer to the Integration Guide.
Assurance Level
The HUB service is designed to provide a high level of confidence in the customer's identity.
Service providers consuming the HUB digital identity are assured that the attributes are provided from a reliable identity source which includes a real-time authentication against that source. When a financial account is used to provide the access to the data, the individual has passed the stringent identity requirements at the financial institution to open their financial account, and the individual is required to authenticate (log in) to the account through the financial service's online service in order to consent to sharing their identity attributes. When a government document source is used, the document photo is examined for required security markers, data formats, bar-code processing, and evidence of tampering; the person's live portrait is then compared to the portrait on the document for facial matching and evidence of spoofing.
Using trusted sources, and multiple sources where needed, increases the level of assurance that the information provided is accurate. Each transaction requires bank authentication (multi-factor where enabled), which also provides an additional level of confidence in the identity verification process. Additional services like risk checks and data matching can be added to facilitate Service Provider end user verification.
Standard Identity Protocol - OpenID Connect
HUB allows consuming service providers to integrate through a standard identity federation protocol called OpenID Connect. This protocol is trusted by governments, financial institutions, and enterprise service providers for securely providing identity attributes about an individual with their consent. In addition, the HUB service incorporates the security best practices defined in the OpenID Connect iGov International Government Assurance Profile, FAPI Financial-grade API and the eKYC and Identity Assurance specifications. The HUB protocol therefore supports:
- Authorization code flow for securing access to customer data.
- PKCE protocol to defend against man-in-the-middle attacks.
- Digitally signed request objects, including nonce to authenticate requests to the service.
- The `private_key_jwt` client authentication method to protect against shared secret exposure.
- OpenID Connect Discovery through a `.well-known` endpoint for trusted configuration.
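As an added example (not Interac's code, and not taken from the Integration Guide), the following Go program shows two of the mechanisms listed above from both sides of the exchange: the PKCE `code_verifier`/`code_challenge` pair a client generates and the check the token endpoint performs on it, and a `private_key_jwt` client assertion built by the client and then validated the way an authorization server would. The client identifier, token endpoint URL and signing key are placeholders, and EdDSA (Ed25519) with a pinned JWS header stands in for whatever signing algorithm and key identifiers the Integration Guide actually specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // PKCE and JWS both use base64url without padding
// jwsHeader is the only protected header this code signs and accepts; pinning it rules out alg substitution.
var jwsHeader = b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`))

// randomToken returns n random bytes base64url-encoded (used for the code_verifier and jti).
func randomToken(n int) (string, error) {
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return b64.EncodeToString(buf), nil
}

// S256Challenge derives the PKCE code_challenge from a code_verifier (RFC 7636, method S256).
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return b64.EncodeToString(sum[:])
}

// VerifyPKCE is the token-endpoint check: the verifier sent with the code must hash to the challenge bound to it.
func VerifyPKCE(storedChallenge, presentedVerifier string) bool {
	return subtle.ConstantTimeCompare([]byte(storedChallenge), []byte(S256Challenge(presentedVerifier))) == 1
}

// signJWT produces a compact JWS with EdDSA (Ed25519, RFC 8037); the raw 64-byte signature is the third segment.
func signJWT(key ed25519.PrivateKey, claims map[string]any) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := jwsHeader + "." + b64.EncodeToString(payload)
	return input + "." + b64.EncodeToString(ed25519.Sign(key, []byte(input))), nil
}

// verifyJWT checks the pinned header and the signature, then returns the decoded claims.
func verifyJWT(pub ed25519.PublicKey, token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[0] != jwsHeader {
		return nil, errors.New("malformed JWS or unexpected header")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("signature invalid")
	}
	var claims map[string]any
	payload, err := b64.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(payload, &claims)
	}
	return claims, err
}

// NewClientAssertion builds the private_key_jwt presented instead of a shared secret: iss and sub are the client_id, aud is the token endpoint, jti is single-use.
func NewClientAssertion(key ed25519.PrivateKey, clientID, tokenEndpoint string, now time.Time) (string, error) {
	jti, err := randomToken(16)
	if err != nil {
		return "", err
	}
	return signJWT(key, map[string]any{
		"iss": clientID, "sub": clientID, "aud": tokenEndpoint, "jti": jti,
		"iat": now.Unix(), "exp": now.Add(2 * time.Minute).Unix(),
	})
}

// ValidateClientAssertion is the server-side acceptance check; a production server also rejects a jti it has already seen.
func ValidateClientAssertion(pub ed25519.PublicKey, token, clientID, tokenEndpoint string, now time.Time) error {
	c, err := verifyJWT(pub, token)
	if err != nil {
		return err
	}
	exp, _ := c["exp"].(float64) // a missing exp decodes as 0 and is rejected below
	if c["iss"] != clientID || c["sub"] != clientID || c["aud"] != tokenEndpoint || float64(now.Unix()) >= exp {
		return errors.New("not an unexpired assertion from the registered client for this token endpoint")
	}
	return nil
}

func main() {
	const clientID, tokenEndpoint = "example-client", "https://hub.example.invalid/token" // placeholders
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	verifier, _ := randomToken(32)
	tok, _ := NewClientAssertion(priv, clientID, tokenEndpoint, time.Now())
	fmt.Println("PKCE ok:", VerifyPKCE(S256Challenge(verifier), verifier), "assertion ok:", ValidateClientAssertion(pub, tok, clientID, tokenEndpoint, time.Now()) == nil)
}
```

The two halves mirror the protocol: the client keeps `code_verifier` private and sends only `code_challenge` with the authorization request, so an intercepted authorization code cannot be redeemed without the verifier; and the client assertion's `aud` and short `exp` mean a captured assertion is useless against any other endpoint or after a couple of minutes, which is the exposure a static `client_secret` would not limit.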
Unique Pairwise Anonymous Identifier
The OpenID Connect interface provides an ID token with a Subject field (`sub`) to uniquely identify the subject (or customer, in our case). When Interac verification service is used by the customer to exchange identity attributes, a unique pairwise anonymous identifier is supplied in this field; it is a consistent reference to the Interac verification service account the customer logged in with at their financial institution. If a customer returns and uses the same Interac verification service account to verify their identity a subsequent time, the consuming service provider can use this identifier to determine whether they have "seen" this customer before.
This identifier is not always going to be consistent for the same individual, however. In cases where a customer has bank accounts at different financial institutions, this identifier will be unique for the institution they choose to use - Interac verification service does not link or track the customer across accounts. For these reasons, the unique pairwise anonymous identifier may be a useful indicator for determining if this is a returning customer, but cannot be relied on wholly for this purpose.
HUB does not keep accounts for customers, nor does it store any personally identifiable information related to customers who have used the service. In cases where a customer chooses to prove their identity with a document and Interac verification service is not used, the PAI will always be unique for the session.
Multilingual Support
HUB supports a user experience in both English and French, based on the language preference used at the service provider or, failing that, the browser preference. If the language is not set to English or French, the user experience falls back to English.
User Accessibility
The HUB user experience is compliant with the WCAG 2.1 accessibility requirements.