IDWallet Mobile Identity Solution
Secure mobile identity system for national ID and driving licenses, featuring end-to-end encryption, biometric verification, and comprehensive lifecycle management.
Solution Overview
Training Program
A comprehensive "IDWallet Partner Integration program" to ensure smooth implementation.
Cloud Gateway
A cloud implementation called "Gateway" operated by REACT as a service to manage the mobile identity lifecycle.
On-Premise Systems
Two instances of React's on-premise "Issuer" API to handle citizen identity requests, and two instances of "DPS" for minimal PKI infrastructure.
Mobile SDK
A core mobile SDK called "IDWallet SDK" for Android and iOS to manage citizen identity lifecycle.
The IDWallet Solution
IDWallet is designed to connect citizens with government entities that issue their secure identity. The solution consists of three major components working together seamlessly.
IDWallet Core
Mobile App SDK for citizen and verifier functions
IDWallet Gateway
For provisioning of mobile credentials
IDWallet Issuer
For lifecycle management and issuance of mobile credentials
Key Deliverables
IDWallet Issuer and API
REST APIs for provisioning all credentials and managing lifecycle. The on-premise Issuer component connects to the IDWallet Gateway and supports data preparation and signing according to ISO 18013-2 or ICAO 9303 standards.
Issuer API Documentation
Comprehensive documentation for IDWallet Issuer REST APIs, sample scripts for Postman and other apps, plus sample credential data for both citizens and verifiers to validate integration.
Mobile SDK
Core SDK for Android and iOS platforms with security framework and related functionalities for both citizens and verifiers, including sample apps demonstrating key features.
System Solution Architecture

Cloud Gateway
Manages credential lifecycle
On-Premise Issuers
Two dedicated systems for nID and DL
Security Infrastructure
PKI, HSM, and encryption systems
Mobile Applications
Citizen and verifier apps
The architecture is sized for high availability with full redundancy. It can handle 800,000 credentials over 5 years (400,000 nID, 400,000 DL) with a minimum commitment of 90,000 credentials annually. The system supports up to 600 daily issuance transactions and 10,000 daily verification transactions.
CSCA and Document Signer
CSCA (Customer Responsibility)
Based on ICAO recommendations, React will implement a country CSCA for Costa Rican electronic mobile credentials. React will:
  • Import DS certificate requests in CSR format
  • Export related DS certificates in X.509 format
  • Periodically (every 90 days) process new CSRs
Document Signer (REACT Scope)
The Document Signer is a submodule of the Data Preparation component (Integrale™ DPS). It performs:
  • DS Key Pair Generation
  • ICAO Data Preparation
  • Digital signature operations
  • Certificate management
Document Signer Operations
Key Generation
Asymmetric key generation using FIPS 140-2 Level 2 HSM
Certificate Request
Preparation and export of certificate requests
Certificate Import
Validation and import of signed certificates
Digital Signing
Creation of EF_SOD content and digital signatures
The DS module can be installed in a high availability configuration to improve performance and provide redundancy. For security reasons, each DS instance will have its own key pair and certificate.
DS Software Specifications
IDWallet Issuer Infrastructure
Application Servers
2 x Issuer Application Servers per instance, virtualized for redundancy
Database Servers
2 x Issuer Database Servers per instance, ensuring data availability
Security Modules
2 x network L2 HSMs per instance for cryptographic operations
Load Balancers
2 x Soft Load Balancers (Internal) per instance for traffic distribution
The virtual architecture translates to a physical architecture of 2 physical servers (each hosting virtualized instances) and 2 L2 HSMs per issuer. A separate testing environment for each document type is also included.
Key Issuer Features
End-to-End Encryption
Citizen personal data is assembled and encrypted in-country, then sent encrypted to the cloud. The cloud cannot decrypt personal data due to end-to-end encryption.
Standards Compliance
Virtual identity based on ICAO 9303 TD1 or ISO 18013-2 standards, including all mandatory Data Groups.
Authentication
Supports AKE (authenticated key exchange) and different verification roles including Law Enforcement and Age Check.
High Availability
System supports failover and redundancy in the production environment for maximum uptime.
IDWallet Gateway - Hub/TSM
Cloud Infrastructure
The REACT cloud gateway service is based on Microsoft Azure, providing a production environment supported by REACT that meets performance requirements for the Costa Rican region.
Key Functions
Provides trusted routing and secure transport for provisioning credentials to citizens' mobile devices. Supports mobile ID provisioning, key generation and management, and invitation code generation.
Security
Implements robust security measures to protect sensitive data and ensure secure communication between all components of the system.
IDWallet Verification Service
Request Initiation
Verifier requests specific data groups or elements from a mobile document.
Secure Engagement
Service delivers engagement information for the IDWallet App to participate in verification.
Encrypted Response
Receives the encrypted data and identifies the randomized derived decryption key.
Authentication
Decrypts data, identifies document type, and confirms authenticity using trusted authorities.
The IDWallet verification service enables verification of mobile documents either on a local network or internet-facing. It supports both over-the-internet document sharing and on-site identification, with remote verification possible under proper security conditions.
Mobile Application Requirements
Citizen Applications
  • Citizen eID App
  • Citizen DL App
  • Support for PIN authentication
  • Support for LE/Full Read functionality using BLE
  • Ability to display both sides of the document
Verifier Applications
  • eID Verifier App for Law Enforcement
  • DL Verifier App for Law Enforcement
  • Support for issued credential format
  • Support for LE/Full Read functionality using BLE
Technical Requirements
  • Minimum OS support: Android 5.0+, iOS 11.0+
  • Signed with React App development certificate
  • Published under React or end customer name
  • Use of PUSH notifications for credential lifecycle
Azure Cloud Infrastructure
Secure Environment
The cloud infrastructure provides a secure, scalable environment for the IDWallet Gateway, ensuring reliable operation and data protection.
Global Reach
Microsoft Azure's global presence ensures low-latency access from Costa Rica and surrounding regions, optimizing performance for users.
Compliance
Azure's compliance certifications help meet regulatory requirements for handling sensitive identity information.
Mobile IDWallet SDK Features
Multi-Platform Support
Compatible with both Android and iOS operating systems.
Standards Compliance
Supports ICAO 9303 TD1 and ISO 18013-2 credential formats that satisfy Costa Rica requirements.
Data Exposure
Exposes necessary data for barcode generation and supports DS digital signature format.
Security Features
Includes PIN functionality with recovery questions, update capability, and validation with exponential waiting time.
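The PIN validation with exponential waiting time listed above, sketched as an added example. This is not IDWallet SDK code: the PinGate class, the delay constants and the PBKDF2 storage are assumptions, and only the 6-digit PIN length comes from this page.

```python
import hashlib
import hmac
import os
import time

PIN_LENGTH = 6             # this page specifies a 6-digit PIN
FREE_ATTEMPTS = 2          # assumption: failures allowed before any wait
BASE_DELAY_S = 30          # assumption: first enforced wait
MAX_DELAY_S = 24 * 3600    # assumption: cap so the wait stays bounded


def delay_for(failures):
    """Wait imposed after the given number of consecutive failures."""
    if failures <= FREE_ATTEMPTS:
        return 0
    # Doubles on every further failure: 30 s, 60 s, 120 s, ... up to the cap.
    return min(MAX_DELAY_S, BASE_DELAY_S * 2 ** (failures - FREE_ATTEMPTS - 1))


def well_formed(pin):
    return len(pin) == PIN_LENGTH and pin.isascii() and pin.isdigit()


class PinGate:
    """Hypothetical PIN check with exponential waiting time.

    State is kept in memory here. On a device the failure counter and the
    lock deadline must survive an app restart and rely on a time source the
    user cannot wind forward, otherwise the wait is trivially bypassed.
    """

    def __init__(self, pin, clock=time.monotonic, iterations=200_000):
        if not well_formed(pin):
            raise ValueError("PIN must be exactly 6 ASCII digits")
        self._clock = clock
        self._iterations = iterations
        self._salt = os.urandom(16)
        self._digest = self._derive(pin)   # the PIN itself is never stored
        self.failures = 0
        self.locked_until = 0.0

    def _derive(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt,
                                   self._iterations)

    def wait_remaining(self):
        return max(0.0, self.locked_until - self._clock())

    def verify(self, pin):
        """Return (ok, seconds_to_wait_before_next_attempt)."""
        remaining = self.wait_remaining()
        if remaining > 0:
            # Inside the wait window nothing is tested, not even a correct
            # PIN, so the window gives no oracle to a guessing attacker.
            return False, remaining
        shaped = well_formed(pin)
        # Always run the derivation so malformed input costs the same time.
        candidate = self._derive(pin if shaped else "0" * PIN_LENGTH)
        if shaped and hmac.compare_digest(candidate, self._digest):
            self.failures = 0
            self.locked_until = 0.0
            return True, 0.0
        self.failures += 1
        delay = delay_for(self.failures)
        self.locked_until = self._clock() + delay
        return False, float(delay)


if __name__ == "__main__":
    # Constructed demo: a fake clock shows the waits without sleeping.
    now = [0.0]
    gate = PinGate("493817", clock=lambda: now[0], iterations=10_000)
    for attempt in range(1, 7):
        ok, wait = gate.verify("000000")
        print(f"attempt {attempt}: ok={ok} wait={wait:.0f}s")
        now[0] += wait          # jump to the end of the imposed wait
    print("correct PIN after waiting:", gate.verify("493817"))
```

With a 6-digit PIN there are only 1,000,000 candidates, so the wait schedule, not the hash, is what bounds offline-free guessing on the device.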
IDWallet Core Mobile App SDK
Security Management
Manages user authentication, PIN management, and implements countermeasures to protect keys.
Communication
Handles BLE communications and connections to Cloud infrastructure.
Data Validation
Checks signature validity, Document Signer validity, and CSCA certification.
Cryptography
Implements secure asymmetric key generation and credential decryption.
The SDK is distributed for both iOS and Android platforms, including binaries and documentation. It comes with a Sample App demonstrating main features that can serve as a foundation for quick implementation.
The IDWallet Platform
Platform Overview
The IDWallet.ai platform provides an official handover to the designated third party, including detailed information about the cloud backend implemented in Azure and source code for various components hosted in Azure DevOps.
Specific Objectives
  • Ensure seamless integration
  • Describe infrastructure and key components
  • Guide access to source code and DevOps resources
  • Define support and maintenance procedures
  • Facilitate communication and collaboration
IDWallet Platform Deliverables
Mobile Applications
IDWallet Android and iOS applications providing comprehensive onboarding solutions for capturing and verifying document ID, face liveness, and fingerprints.
Web Components
Various web components including IDWallet Logic App, NT Face Web, Regula Doc NT Face Web, and Regula Doc Regula Face Web for document and face capture.
Backend Services
IDWallet Webservice Orquestador, a .NET 4.6.1 WCF web service controlling business logic for mobile apps and web components.
Additional deliverables include source code in Azure DevOps, Azure platform resources and credentials, and comprehensive user manuals for all components.
IDWallet Platform Overview

Advanced Security
Cutting-edge security measures to protect sensitive data
User-Friendly Features
Intuitive interface for seamless user experience
Passive Solution
Ensures privacy protection and real-time identification
At IDWallet, we revolutionize the onboarding and identification process with our cutting-edge solutions. Our platform focuses on advanced security and user-friendly features, providing a passive solution that ensures privacy protection and real-time identification. Built on the most advanced principles, our comprehensive platform delivers a seamless and reliable experience for both businesses and individuals.
Key Components and Their Roles
IDWallet Android Application
Comprehensive onboarding tool for document ID capture, facial liveness verification, and fingerprint scanning.
IDWallet iOS Application
iOS counterpart providing the same onboarding capabilities with a seamless user experience.
IDWallet Logic App
Orchestrates various actions in the onboarding process, integrating different services and managing data flow.
IDWallet Webservice Orquestador
Controls business logic for mobile apps and web components, handling biometric data storage and authentication.
Web Components
IDWallet NT Face Web
Web component for the production environment that hosts the NT Web Face component used for facial recognition and verification through a web interface.
IDWallet Regula Doc NT Face Web
A .NET 4.6.1 web component that integrates Regula Document capture and Neurotechnology face capture components for passive liveness detection.
IDWallet Regula Doc Regula Face Web
Similar to the previous component but uses Regula face capture components for both document and face capture, implementing active liveness detection.
Solution Benefits
Security
Guarantees unique identity with highest levels of technological security, using state-of-the-art encryption and security protocols.
Process Continuity
Fully integrable with existing processes, ensuring minimal disruption and seamless adoption.
Mobility
Enables decentralization of face-to-face procedures through mobile technology.
Online Operation
100% online and real-time operation for instant identification and verification.
Process Efficiency
Transforms traditional processes for enhanced operational efficiency.
Platform Infrastructure
Cloud Solution
Hosted on Microsoft Azure with numerous certifications including ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1, SOC 1/2/3, FedRAMP, and ISO 9000.
Integral Solution
Comprehensive authentication verticals providing a holistic approach to identity verification and management across various use cases and industries.
Security Standards
Adherence to the highest global security standards, meeting and exceeding industry benchmarks for data protection and system integrity.
Mobile Architecture
User Interaction
End user opens the customer app to begin the verification process.
Document & Biometric Verification
App initiates document validation, face verification, and fingerprint capture using appropriate SDKs.
Data Transmission
Captured data is packaged as JSON and sent to REACT servers with service credentials for authentication.
Backend Processing
Data is validated by LogicApp and sent to the Orquestador for biometric processing and verification.
Biometric Verification Mobile Application
Multiple Biometric Modalities
Collection and verification of fingerprints (2-10), face photos, and dynamic signatures.
Face Liveness Detection
Ensures the client is a live person, not a still photograph, using both passive and active modes.
High Customization
Additional fields can be added to supplement biometric verification for specific use cases.
High Security
SSL data encryption and protection against unauthorized access, with compliance to ICAO and ISO standards.
Platform Access
Role-Based Access Control
Access to the IDWallet.ai platform is strictly controlled through Role-Based Access Control (RBAC), ensuring each user has appropriate access for their role. User accounts within the IDWallet.ai or IDWallet.us domains are assigned specific roles:
  • Developer: Access to development resources and code
  • Operator: Access to operational tools and monitoring
  • Viewer: Read-only access to reports and data
Access Procedure
The third party must identify individuals requiring access, specifying name, email, and required role. Based on this list, roles will be assigned and credentials provisioned. Regular reviews ensure access levels remain appropriate.
Security measures include:
  • Multi-Factor Authentication (MFA)
  • Comprehensive logging and monitoring
  • Periodic access audits
Platform Architecture
The architecture of IDWallet.ai is designed with a multi-layered approach, focusing on security, scalability, and high availability. The platform utilizes an Azure hub-and-spoke network topology to centralize and manage its services efficiently.
Network Infrastructure
Virtual Networks, NSGs, Load Balancers, and Application Gateways
Compute Resources
Virtual Machines hosting web applications, Orquestadors, and backend services
Data Storage
Azure SQL Databases, PostgreSQL Servers, and Storage Accounts
Security Measures
RBAC, Azure Defender, Firewall, WAF, and DDoS Protection
Security Measures
Role-Based Access Control
Manages who has access to Azure resources, what they can do with those resources, and what areas they can access, providing granular control.
Azure Security Suite
Includes Azure Defender for Cloud, Azure Firewall, Web Application Firewall (WAF), and DDoS Protection to provide comprehensive security against threats.
Monitoring and Analytics
Azure Sentinel, Azure Monitor, Log Analytics, and Application Insights provide advanced threat detection, monitoring, and diagnostics capabilities.
Endpoint Protection
Microsoft Defender for Cloud and Microsoft Endpoint Protection secure cloud workloads and endpoints from threats.
Compliance and Governance
The IDWallet.ai platform leverages Microsoft Azure's robust compliance framework to ensure the highest level of security and regulatory compliance. Azure datacenters comply with numerous industry standards and certifications, including ISO 27001 (Information Security Management), ISO 27017 (Cloud Security), ISO 27018 (Personal Data Protection), PCI DSS Level 1, SOC 1/2/3, FedRAMP, and ISO 9000.
By utilizing Azure's IaaS, IDWallet.ai benefits from these rigorous compliance measures, ensuring the platform is built on a secure and compliant foundation.
Component Architecture

Document Verification
Regula Document Reader SDK
Biometric Verification
Regula Face SDK and Neurotechnology Face Verification
Identity Management
Nexus SmartID
Biometric Storage
Neurotechnology MMABIS
The IDWallet.ai platform integrates multiple advanced software solutions to provide comprehensive and secure identity verification services. Each component plays a critical role in ensuring the platform's overall functionality, security, and efficiency.
Regula Document and Face Solutions
Regula Document Reader SDK
Verifies the authenticity of identity documents through:
  • Document capture with quality assessment
  • MRZ reading for encoded information
  • NFC-based authenticity checks
  • Barcode reading and decoding
Regula Face SDK
Performs facial recognition and liveness detection:
  • High-resolution facial capture
  • Liveness detection to prevent spoofing
  • Face matching with document photos
Neurotechnology and Nexus Solutions
Neurotechnology Face Verification SDK
Ensures secure and accurate face recognition with passive liveness detection, identifying faces from video streams or static images and performing biometric comparison without requiring user interaction.
Nexus SmartID
Acts as the Identity Manager for the IDWallet platform, supporting multi-factor authentication (SMS, OTP, digital certificates), managing credentials and access policies, and functioning as a reverse proxy to publish services securely.
Neurotechnology MMABIS
Manages large-scale biometric identification and verification, storing fingerprints and facial images with high-speed matching capabilities and scalability for millions of records.
IDWallet Android Application
Document ID Capture
Utilizes the device's camera to capture high-quality images of government-issued identity documents for accurate verification.
Face Liveness Detection
Implements both active and passive liveness detection methods to ensure that the individual presenting the face is live and not a photo or video.
Fingerprint Capture
Supports the capture of fingerprint biometrics using the device's built-in sensors or external fingerprint readers for additional verification.
Secure Data Transmission
Uses encrypted channels to transmit biometric and document data to the backend services, ensuring data protection throughout the process.
IDWallet iOS Application
Document ID Capture
Uses the iOS device's camera to capture high-quality images of identity documents, ensuring accurate data extraction and verification.
Face Liveness Detection
Supports both active and passive liveness detection methods to prevent spoofing attempts and ensure the person is physically present.
Fingerprint Capture
Facilitates fingerprint biometrics capture using compatible sensors, adding an additional layer of security to the verification process.
iOS Integration
Leverages iOS-specific features for enhanced performance and security, with a user-friendly interface designed for intuitive operation.
IDWallet Logic App
Entry Point
Primary endpoint for all requests
Validation
Verifies data integrity and validity
Routing
Directs requests to appropriate services
Processing
Sends validated data to Orquestador
The IDWallet Logic App serves as the primary endpoint for all requests from iOS App, Android App, and web components. It verifies the integrity and validity of received data, performs necessary validations, and communicates with the Webservice Orquestador for further processing. The app is designed for scalability, reliability, and customizability to handle high transaction volumes and complex workflows.
IDWallet Web Components
NT Face Web
Web-based solution for facial recognition and passive liveness detection, capturing high-quality facial images through a web interface.
Regula Doc NT Face Web
Integrates document verification with passive liveness detection, combining Regula Document Reader and NT Face Verification.
Regula Doc Regula Face Web
Uses Regula technologies for document and face verification with active liveness detection requiring user interaction.
All web components are designed for cross-platform compatibility, real-time feedback, and secure data handling during capture and transmission. They provide seamless integration within web environments and can handle multiple verification requests simultaneously.
IDWallet Webservice Orquestador
Business Logic
Implements core business rules and processes
Service Integration
Coordinates between different backend services
Data Management
Handles storage and retrieval of biometric data
Security
Ensures secure processing and transmission
The Webservice Orquestador is a critical backend component that manages business logic and interactions between various services, primarily communicating with the MMABIS system. It's designed for scalability to handle high transaction volumes, with robust security measures and reliable service execution.
Source Code Access and Management
Azure DevOps
The source code for the IDWallet.ai platform is hosted on Azure DevOps, a comprehensive suite of development tools that support the entire software development lifecycle. Azure DevOps offers:
  • Azure Repos for source control
  • Azure Pipelines for CI/CD
  • Azure Boards for project management
  • Azure Test Plans for testing
  • Azure Artifacts for package management
Repository Structure
The source code is organized into seven distinct projects:
  • IDWalletUS-Android-App
  • IDWalletUS-IOS-App
  • IDWalletUS-LogicApp
  • IDWalletUS-Web-NTWebFace
  • IDWalletUS-Web-RegulaDocNTFace
  • IDWalletUS-Web-RegulaDocRegulaFace
  • IDWalletUS-Webservice-Orquestador
Repository Access and Management
Accessing the Repository
The Azure DevOps repositories can be accessed at https://dev.azure.com/IDWallet-US/ with appropriate credentials. Access is managed using Role-Based Access Control (RBAC) to ensure only authorized personnel can access, modify, or deploy the code.
Branch Management
The main branch contains the latest stable version and is protected to ensure stability. Development branches are used for ongoing work, feature development, and bug fixes, with periodic merging into the main branch following successful reviews and testing.
Security Practices
Secure coding guidelines are enforced across all repositories, with regular code reviews and automated security scans. Access permissions are regularly audited to ensure only authorized users have repository access.
User Manuals and Documentation
Comprehensive user manuals and documentation for the IDWallet platform are available on a dedicated SharePoint site and within the Azure DevOps repository. These resources include detailed instructions on using, configuring, and modifying various platform components, serving as essential references for developers, integrators, and administrators.
Available Documentation
API Integration Manuals
Detailed guidelines for integrating with the IDWallet API (v6.1.2) and Orquestador API (v1.0).
Mobile Application Manuals
Instructions for integrating and understanding the Android and iOS applications (v1.0).
Web Component Manuals
Integration guides for NT Web Face, RegulaDoc NTFace, RegulaDoc RegulaFace, and IFrame integration (v1.0-2.0.1).
Backend Service Manuals
Comprehensive documentation for Web Services Orquestador integration and functionality (v1.0).
Support and Maintenance
Service Level Agreement
Support and maintenance are based on a formal SLA between REACT INTERNATIONAL SOLUTIONS SL and the Third Party, establishing clear parameters for the Digital Onboarding service with specific standards for response and resolution times.
Annual Review
The SLA undergoes annual review to ensure adaptability and continued relevance, aligning with technological evolutions and changing customer needs in the dynamic Digital Onboarding environment.
Contact Information
All support contact is handled via email at support@react.es, providing a centralized channel for communication and issue reporting.
Implementation Plan
Phase 1: nID IDWallet
Expected go-live in 6 months from contract signature
Phase 2: DL IDWallet
Expected go-live in 9 months from contract signature
Phase 3: Verification Service
Expected go-live in 12 months from contract signature
The implementation schedule is subject to change based on final requirements and hardware sourcing from React. The plan also depends on customer-responsible milestones, with delays potentially impacting the timeline. An important step will be the Factory Acceptance Testing (FAT) conducted at REACT offices before final installation.
Professional Services
Project Management
Comprehensive project management services to ensure smooth implementation and alignment with agreed schedules.
Requirements Definition
Discussion sessions to understand system environment and finalize user requirements for the anticipated system.
System Design
Specification, system design, program development, and customization based on agreed requirements.
Installation & Integration
Setup of hardware and system components, with testing services and production rollout support.
Training Services
System Administrator and Operator Training
One-day class using a train-the-trainer approach, covering:
  • Basic daily operations and troubleshooting
  • Key and certificate lifecycle management
  • System interfaces
Target audience (5-10 trainees): System Managers, Operating Managers, System Administrators, and Operators.
Deployment Training
One-day hands-on deployment training at a branch office in the capital, targeting:
  • Operating Managers
  • System Operators
  • Deployment Staff
All training is conducted and materials provided in English. Additional training sessions are available on a charged basis if desired.
Maintenance Support Services
Support Level
2nd and 3rd level support through Cloud-based Help Desk for global technical assistance and partner-accessible online knowledge base.
Software Maintenance
Provision of upgrades, updates, patches, service packs, and error corrections, with instructions for proper use of corrected versions.
System Support
Installation of software updates, problem determination and resolution, bug fixing, and source/release controls for testing fixes in production.
REACT provides 12-month ongoing system support and maintenance as warranty after successful installation, with service available 5 days x 24 hours through Global Help Desk. Details of terms and conditions are subject to the final maintenance agreement.
Mobile Application Development
Citizen Applications
React will develop and provide Citizen eID App and Citizen DL App, ensuring they can provision and parse issued credentials to display both sides of the document. Apps must support PIN authentication and LE/Full Read functionality using BLE.
Verifier Applications
React will develop eID Verifier App and DL Verifier App for Law Enforcement, supporting the issued credential format and LE/Full Read functionality using BLE.
Development Responsibilities
React will handle unit testing, developer testing with local devices, and app store submission. REACT's SDK will expose credential data conditioned to a security mechanism (6-digit PIN), with React responsible for GUI implementation.
System Capacity and Performance
800K
Total Credentials
Maximum volume over 5 years (400K nID, 400K DL)
90K
Annual Minimum
Minimum commitment of credentials per year
600
Daily Issuance
Maximum daily issuance transactions
10K
Daily Verifications
Maximum daily verification transactions
The system is designed to handle these volumes assuming the hardware provided by React complies with REACT recommendations. REACT estimates a total of 10 working days per year planned downtime for critical maintenance.
Security Infrastructure
End-to-End Encryption
Protects personal data throughout the system
Hardware Security Modules
FIPS 140-2 Level 2/3 compliant HSMs
PKI Infrastructure
CSCA and Document Signer certificates
Authentication
PIN-based access and biometric verification
Security is a fundamental aspect of the IDWallet solution, with multiple layers of protection ensuring the integrity and confidentiality of identity data. The system employs strong cryptographic measures, secure key management, and tamper-resistant hardware to safeguard sensitive information.
Data Protection Features
Secure Key Generation
Asymmetric keys are securely generated and never exported outside of protected environments.
Signature Validation
The system verifies that signatures are valid and belong to authorized Document Signers from the expected CSCA.
Access Control
Verifier profiles ensure data visibility is limited to only what each verifier is authorized to receive.
Anti-Tampering
The SDK includes countermeasures to identify attacks and code obfuscation to prevent reverse engineering attempts.
Benefits of Mobile Identity
Convenience
Citizens can carry their official ID documents on their smartphones, eliminating the need to carry physical cards.
Enhanced Security
Digital credentials with cryptographic protection are more difficult to forge than physical documents.
Real-time Updates
Credentials can be updated remotely without requiring citizens to visit government offices.
Simplified Verification
Authorized verifiers can quickly confirm identity information through secure digital channels.
Privacy Control
Citizens can share only the specific information required for each verification scenario.
Contact
Spain: Onboarding & Identification SL - Calle Cronos 63 Nivel 2 Oficina 2 - info@reactid.com - +34608896284
Costa Rica: Onboarding e Identificación SA - Centro Corporativo Trilogia - info@reactid.com - +50661123683
United States: ReactID, Inc. - Delaware - info@reactid.com