Information for Providers
Page Status: DRAFT
Information for organizations that provide software or systems for mobile credentials, such as digital wallets or SDKs
--------------
Source: FIC "User Controlled Data Sharing" Requirements
Guidance for UX
5.2.1 | Best Practice (BP). | The Issuing Authority must protect the Digital ID information such that only the holder can view the data, or authorize Digital ID data release to a relying party. For example, the App or the Digital ID interface may require a PIN code for authorization, or a FIDO compliant biometric may be integrated into the OS/App (e.g. FaceID on Apple devices). |
5.2.2
| B.P. | User Consent to release each field of data, or decline transaction in physical domain, consistent with the ISO 18013-5 standard supported. |
5.2.3
| B.P. | Relying party’s to request only the minimum amount of data required for a use case, consistent with the ISO 18013-5 standard. |
5.2.4 | B.P. | As use case norms are established and guidelines are developed, the UX for Issuing Authority Digital ID applications and relying party data requests should converge. For example, user may consent to release an “Identity Bundle,” defined here as a predefined set of data agreed by relying parties as the minimum data required for a standard transaction in the relevant use case vertical and region. Any data beyond the minimum data in the Identity bundle would be optional for the user to provide, and Digital ID applications would clearly denote the required and optional fields. The data released and consent may then be captured in a standards driven and certifiable consent receipt. |
5.2.5
| B.P. | If issuing authority offers a non-standard API for access to Digital ID data in unattended use cases (prior to development of the ISO 23220 WG4 standard) they need to inform users and relying parties of additional risk. Examples may include presenting Digital ID via an App/browser without an in person verification of facial biometric, or using kiosks or video chats to replace in person verification in the unattended use case.) |
5.2.6
| B.P. | The relying parties may develop an unattended user experience to allow a user to authorize a transaction brokered between a mobile device and a browser, using the current ISO 18013-5 standard for data exchange. Obligation is on the relying party to understand the risks associated with an unattended channel, and they should have appropriate security measures in place e.g. HTTPS to secure transmission of the data and avert intercept. This scenario may be superseded once the standard in ISO23220 WG4 is defined. |
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Aliquam fermentum vestibulum est. Cras rhoncus. Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. Sed quis tortor. Donec non ipsum. Mauris condimentum, odio nec porta tristique, ante neque malesuada massa, in dignissim eros velit at tellus. Donec et risus in ligula eleifend consectetur. Donec volutpat eleifend augue. Integer gravida sodales leo. Nunc vehicula neque ac erat. Vivamus non nisl. Fusce ac magna. Suspendisse euismod libero eget mauris.
Ut ligula. Maecenas consequat. Aliquam placerat. Cum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Nulla convallis. Ut quis tortor. Vestibulum a lectus at diam fermentum vehicula. Mauris sed turpis a nisl ultricies facilisis. Fusce ornare, mi vitae hendrerit eleifend, augue erat cursus nunc, a aliquam elit leo sed est. Donec eget sapien sit amet eros vehicula mollis. In sollicitudin libero in felis. Phasellus metus sem, pulvinar in, porta nec, faucibus in, ipsum. Nam a tellus. Aliquam erat volutpat.
Page Tasks
- Type your task here, using "@" to assign to a user and "//" to select a due date