5.2.1

Best Practice (BP).

The Issuing Authority must protect the Digital ID information such that only the holder can view the data, or authorize Digital ID data release to a relying party. For example, the App or the Digital ID interface may require a PIN code for authorization, or a FIDO compliant biometric may be integrated into the OS/App (e.g. FaceID on Apple devices).

5.2.2

B.P.

User Consent to release each field of data,or decline transaction in physical domain, consistent with the ISO 18013-5 standard supported. 

5.2.3

B.P.

Relying party’s to request only the minimum amount of data required for a use case, consistent with the ISO 18013-5 standard.

5.2.4

B.P.

As use case norms are established and guidelines are developed, the UX for Issuing Authority Digital ID applications and relying party data requests should converge. For example, user may consent to release an “Identity Bundle,”  defined here as a predefined set of data agreed by relying parties as the minimum data required for a standard transaction in the relevant use case vertical and region. Any data beyond the minimum data in the Identity bundle would be optional for the user to provide, and Digital ID applications would clearly denote the required and optional fields. The data released and consent may then be captured in a standards driven and certifiable consent receipt.

5.2.5

B.P.

If issuing authority offers a non-standard API for access to Digital ID data in unattended use cases (prior to development of the ISO 23220 WG4 standard) they need to inform users and relying parties of additional risk.  Examples may include presenting Digital ID via an App/browser without an in person verification of facial biometric, or using kiosks or video chats to replace in person verification in the unattended use case.) 

5.2.6

B.P.

The relying parties may develop an unattended user experience to allow a user to authorize a transaction brokered between a mobile device and a browser, using the current ISO 18013-5 standard for data exchange. Obligation is on the relying party to understand the risks associated with an unattended channel, and they should have appropriate security measures in place e.g. HTTPS to secure transmission of the data and avert intercept.  This scenario may be superseded once the standard in ISO23220 WG4 is defined.