PingOne Verify service is a part of the PingOne Neo decentralized identity solution that enables secure user verification based on a government-issued document, live face capture (a selfie), and voice biometrics, ensuring users are who they claim to be. For more information, see PingOne Neo.
- The user ID information is captured on a user's iOS or Android device using the customer-created Verify app or using a user's mobile web browser. User ID information can also be captured through the top 5 desktop browsers with an integrated camera or external web camera. After it has been captured, the user ID information is then sent to the PingOne ID Verification service.
  Note: Mobile/desktop web verification does not require a user to download the Verify app.
- The PingOne ID Verification service interacts with a service provider (SP) that verifies the submitted user ID information.
- When a user's ID information is successfully verified, the PingOne ID Verification service approves the user authentication, and the verification status is available through the PingOne Verify APIs and the PingOne admin console.
Only the ID verification status is retained by PingOne. Any personally identifiable information (PII data) passed to PingOne is deleted by the ID Verification service.
To set up and configure PingOne Verify, you'll use:
- The PingFederate admin console to configure the PingOne Verify Integration Kit
- A mobile/desktop web browser or the PingOne Verify mobile SDKs
- The PingOne admin console or the PingOne Verify REST APIs
PingOne Verify transactions flow
An authentication policy for PingOne Verify is configured in the PingFederate Integration Kit for PingOne Verify. The authentication policy can enable ID verification for all users in a PingOne environment. For more information, see the PingOne Verify Integration Kit.
- When ID Verification is enabled for a user, the user's first attempt to sign on or register triggers the display of instructions from the mobile/desktop web browser or the customer Verify app created for the iOS or Android device.
- The user is instructed to scan a QR code. This code links to an ID Verification transaction ID assigned to the user by the ID Verification service. The ID Verification service then sends the transaction ID to the mobile/desktop web browser or the customer Verify app on the user's device.
- The customer Verify app then instructs the user to submit one of the
  - A photo of their driver license or a photo of their passport information page (the page containing their passport photo)
  - A live face photo (selfie)
  - A live sample of their voice
A live sample of the user’s voice can also be recorded through a support call center and collected by the PingOne Verify APIs.
If the ID verification fails more than three times in a 1-hour period, the user must wait an hour before trying again.
- The mobile/desktop web browser or the customer Verify app sends the collected data to the ID Verification service with the transaction ID received from the ID Verification service.
- The ID Verification service then verifies the user information with the SP used for verification. When the ID Verification service receives the results from the
- The user's ID verification status is stored in PingOne. Only the ID verification status is retained. Any personally identifiable information (PII data) passed to PingOne is deleted by the ID Verification service.
- For voice verification, PingOne removes identifying features from the user’s raw voice sample to create a voice template. The voice template, or voiceprint, is stored in PingOne for future verifications.
- If the ID verification wasn't successful, depending on the policies set in the PingOne Verify Integration Kit, a message and another QR code to scan are displayed in the customer Verify app or the mobile web browser. There is a limit of three attempts per user per hour.
- For all subsequent attempts to single sign-on (SSO) to PingOne, the authentication policy uses the ID Verification service to check the user's ID verification status stored in PingOne.
Because PingOne Verify supports custom domains, your domain name can appear in any browser-based user interface that is presented to end users. PingOne routes your domain name to the relevant PingOne services. For more information, see Domains.
Branding and themes
PingOne Verify supports branding and themes to easily change the look of your registration pages, sign-on pages, and verification pages for a particular environment. For more information, see Branding and themes.
Email and phone notifications templates
PingOne Verify supports email and phone notifications templates so that you can create a notification for end users to verify their email address or phone number. For more information, see Notification templates.
Metrics collection and messaging
PingOne Verify supports metrics collection and messaging for admin users to collect and audit PingOne Verify transaction events, such as the Verify App event. For more information, see Webhooks.