ETSI certified IDV
Start here
Introduction
The EU regulatory landscape is challenging for organisations to navigate, with a patchwork of local regulations, IDV standards, sector-specific guidelines and the continuously evolving threats of fraud.
Onfido’s all-in-one identity verification solution, Compliance Suite, empowers fast-growth businesses to expand seamlessly into new markets and meet local regulatory needs for onboarding users.
ETSI Certified IDV, helps clients seeking compliance with specific AML regulations by being certified against the following EU IDV standards and regulations:
- ETSI TS 119 461 (v1.1.1)
- ETSI EN 319 401 (v2.3.1)
- eIDAS Regulation EU 2014/910 (relevant subset of articles)
To learn more about the ETSI IDV standards and KYC in Europe, please see Onfido Compliance Suite and the EU KYC requirements guide.
ETSI certified IDV solution
To enable ETSI certified IDV on your account, you will need to contact your Customer Success Manager or Account Executive. Alternatively, contact Client Support.
Integration Overview
Clients are required to integrate and configure the following products and features:
- Onfido Studio
- Configure a Studio workflow with at least the following Verification Suite tasks:
- Document capture (with NFC either enabled or disabled)
- Motion capture
- Document Video Report
- Facial Similarity Report: Motion
- Device Intelligence Report
- Known Faces Report (optional but recommended)
- Integrate Smart Capture SDKs (Mobile or Web) into your app or use Smart Capture Link.
- Create an automated process that, on completion of a Studio workflow run, downloads the Evidence Folder via API and retains it in line with local laws and regulations.
Onfido Studio Integration
Onfido Studio is a tool for building, managing, and deploying identity verification journeys. You can build workflows visually using our no-code Workflow Builder tool, in a format similar to flow charts or process diagrams.
Onfido Studio offers a number of benefits including:
- Automated, smart decision making through no-code workflows
- Customised and flexible user verification flows
- Scalability to new markets and user requirements
You will use Studio to build compliant workflows for the different regulatory contexts required.
Onfido generally recommends that clients configure and maintain separate workflows for each regulated IDV context as requirements tend to differ from one country to the next. This will make it easier to maintain, analyse and optimise your workflow performance over time while making the necessary changes to remain compliant.
To get started with your ETSI certified IDV workflow, select a template from the Template modal in the Workflow Builder. The templates have been designed for use in different countries, therefore select the template that best suits your needs - for example the "ETSI Certified IDV for Romania 🇷🇴" template.
After selecting the template, your workflow will look similar to the one pictured below. You may then wish to add additional verifications, or make further changes as needed.
Please note: Templates are provided for guidance and informational purposes only. Check that they meet your regulatory or business needs in the context of your specific use case.
You can learn more about Studio in our product guide. For clients who have an existing Classic integration, read our Studio migration guide.
Onfido Verification Suite
The following Verification Suite tasks should be included in your Studio workflow at a minimum but can be extended with additional verifications.
Document Video Report
Required input: Document capture task (with NFC either enabled or disabled)
Document verification leverages multiple techniques, including specially trained Machine Learning powered algorithms, to classify documents, extract their data and verify their authenticity through specific data integrity and visual authenticity checks. When required, document verification is supported by a team of highly trained human analysts.
In addition to capturing a photo of the document, Document Video Report also captures the video of the document through the SDK and provides the ability to download the video through our API and Dashboard.
You can read more about Document Video Report in the product guide.
eMRTD documents (most passports, newer national identity cards and residence permits) contain a chip which can be accessed using Near Field Communication (NFC) readers on mobile devices using Onfido’s mobile SDKs. In this case, the Document Video Report can use this chip to fully validate the authenticity of the document using cryptographic methods.
You can read more about Document NFC in the product guide.
Facial Similarity Report - Motion
Required input: Motion capture task
Facial Similarity Motion provides highest assurance for biometric comparison and liveness detection with low friction and high performance. The user records a video of themselves performing simple head movements. Facial Similarity Motion has been certified iBeta level 2 for PAD (Presentation Attack Detection).
You can read more about the Facial Similarity Report - Motion in the product guide.
Device Intelligence Report
Required input: Document capture task AND Motion capture task
Device Intelligence uses non-visual passive signals to identify fraudulent activity and protect our clients from malicious actors.
This includes the verification of the device, app and network’s integrity and their connection with recent fraudulent activity.
You can read more about the Device Intelligence Report in the product guide.
Known Faces Report
Required input: Motion capture task
Known Faces report compares a specific applicant’s likeness in their most recent live face capture to live face captures from the last 1 year of applicant faces processed through your specific client account.
It alerts clients to faces which have already been through their identity verification flow, to prevent duplicate accounts from being opened by the same user.
Note: Including Known Faces Report in your workflow is not mandatory but is highly recommended to mitigate the risk and impact of repeated fraud.
You can read more about the Known Faces Report in the product guide.
Onfido Smart Capture SDKs and API Version Compatibility
To ensure the best performance, we recommend that clients always use the latest versions of our Smart Capture SDKs and APIs.
The following minimum SDK versions are required for ETSI certified IDV and are subject to change over time to ensure compliance with evolving requirements:
- Web SDK 14.31.0 or later (reference)
- Mobile SDKs:
- API v3.6 or later (API documentation)
To authenticate the SDK when integrating Onfido's ETSI certified IDV solution, customers must use SDK tokens obtained from the workflow run payload returned by the API when a workflow run is created, as documented here.
Clients using Smart Capture Link will automatically run on the latest version of the hosted Web SDK.
Evidence Folder
What is the Evidence Folder?
The evidence folder is a ZIP-compressed directory which includes an evidence summary file, which contains all relevant information collected and validated by Onfido during a Studio workflow, as well as all the media captured during the same journey. When integrating ETSI Certified IDV, clients are required to download and retain these files so that they can demonstrate the authenticity and integrity of each remote identity verification performed through Onfido (e.g. in legal proceedings).
Onfido makes the following files available to clients under the evidence folder:
-
Evidence Summary File is a PDF document containing a time-stamped audit trail of all relevant information collected and validated by Onfido during a Studio workflow run. This file is signed by Onfido using a qualified certificate to ensure its authenticity and integrity and also meets the requirements of relevant standards and regulations.
- It is signed by Onfido using the PDF Advanced Electronic Signatures (PAdES) standard which is eIDAS-compliant and can be verified through tools such as Adobe Reader.
- It also includes references for each captured media, including unique identifiers and a hash based on the SHA256 algorithm. The hash can be compared to the hash of the captured media to verify that it is the same file referenced in the summary.
-
Captured Media includes all images/videos of the user’s identity document and the images/videos of the user’s face.
How is the Evidence Folder downloaded via the Onfido API?
The Evidence Folder is automatically generated after completion of each Workflow Run and can be retrieved via a deducatd endpoint: Retrieve Workflow Run Evidence Folder. A webhook is also available to notify you when the Evidence File is ready for download.
You can also download the Evidence Folder directly from the Workflow Results page. A download status is also provided on this screen to give visibility in to whether you have downloaded the Evidence Folder, either via the API or Results page.
How can the signature of an Evidence Summary File be validated?
The file is signed with Onfido’s qualified certificate. To validate this signature, open the document in Adobe Acrobat Reader or similar app that supports signature validation.
For Acrobat Reader, at the top of the document there should be a signature validation message saying: “Signed and all signatures are valid”.
Clicking the “Signature Panel” will provide detailed information showing that the file has been signed by Onfido.
How long are Evidence Folders stored for?
Onfido applies the same data deletion policy to evidence folders as it does to Applicants and Workflow Runs, and will store the evidence folders for the lifetime of the applicant's data. Clients are responsible for retrieving the folder via the relevant API endpoint prior to deletion and storing them for as long as required by local laws and regulations.
How can the authenticity of the Captured Media be verified?
For clients who want to confirm the authenticity of captured media referenced in the Evidence Summary File, you will need to:
- Calculate the footprint (or hash) of each media file using the SHA256 algorithm.
- Compare hashes you produced with the checksums included in the Evidence Summary File. If they match, you have demonstrated the media files are authentic.
Additional Obligations
By integrating ETSI Certified IDV, you will need to agree to and comply with additional terms alongside your existing client services agreement:
- You must provide your end users with terms and conditions for the remote identification procedure, prior to them starting the IDV flow through Onfido’s SDK. Onfido has provided example terms and conditions for you to incorporate or link to. You should also store the acceptance of terms and conditions by your end users.
- You must ensure you download and retain all Evidence Folders. Note: The data retention period will depend on your specific obligations under local law.
Additional obligations for running ETSI certified IDV for specific countries:
- Romania (DECISION 564/2021): Including a One-time Password (OTP) step in the onboarding process, verifying the user’s mobile phone number OR email address prior to the identification flow.
Certification Details
Onfido ETSI certified IDV product package has been certified by an EU-accredited Conformity Assessment Body (CAB) against the following EU standards and regulations:
- ETSI TS 119 461 v1.1.1 - Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service components providing identity proofing of trust service subjects.
- ETSI EN 319 401 v2.3.1 - Electronic Signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers.
- eIDAS Regulation (UE) 910/2014
- General provisions: Art.5(1),
- Trust services – General provisions: Art.13, 15,
- Trust services – Supervision: Art.19(1), 19(2),
- Qualified trust services: Art.20, 24(1), 24(2).
Onfido achieved the comprehensive certification by completing an extensive conformity assessment, meeting strict criteria which verifies that our solution adheres to the highest security, interoperability and assurance standards, and that Onfido is a mature, reputable and established provider. Surveillance assessments are completed annually by Onfido in order to maintain our certification.
Our current certificate (valid until 31 May 2025) is available here. If clients require our Conformity Assessment Report for auditing or regulatory application purposes we are able to share it with you under NDA. We also maintain a publicly available Remote IDV Practice Statement and Security Policy.
With this certification Onfido can also act as an Identity Proofing Service Provider (IPSP) for Qualified Trust Service Providers (QTSP) and means that customers conforming to AML requirements in Europe will be able to use our solution, in combination with other trust services, to operate across the EU. For clients seeking a end-to-end IDV solution that leverages trust services, see ETSI certified IDV with Qualified Electronic Signature | Onfido Developer Hub.
Additionally, ETSI Certified IDV has passed conformity assessments against the following country-specific regulations:
Romania
DECISION 564/2021 on the regulation, recognition, approval or acceptance of the procedure for the remote identification of persons using video.For more information see KYC for Romania.