Identity Proofing with Airlock IAM

Self-registration has always been a feature of Airlock IAM, enabling users to sign up and create accounts for services independently. However, this process often results in low data quality and unverified user identities. Even with email or mobile phone verification, the end result is only a claimed identity.

In many cases, accurately identifying the user is crucial. Traditionally, banks and insurance companies have sent letters to users' postal addresses for verification. While effective, this method is outdated, causing user frustration, process interruptions, and slow resolution times.

Online identity proofing offers a modern alternative. Various suppliers provide these services as SaaS (Software as a Service). Customers expect the flexibility to choose between these services, but the lack of standardized interfaces means each service requires individual integration efforts.
 

Integration Options

Airlock IAM's pluggable architecture has always allowed customers to create custom plugins for added functionality. Some projects have used this option to integrate identity proofing.

With the introduction of Airlock Flows, Airlock IAM offers a no-code option to design user processes flexibly. Version 8.2 introduced a Scriptable Step, adding low-code extensibility. While not all aspects of Airlock IAM can be extended this way, it offers several advantages:

  • Faster development cycles
  • Simple and easy-to-use API
  • Easier upgradability due to reduced API dependencies
  • Less dependency on external specialists

PXL Vision Integration

Let’s have a look at how Airlock Flows and its Scriptable Step can be used to effortlessly integrate an identity proofing service, using our partner PXL Vision as an example. The technique can also be applied to other services.

PXL Vision is a leading provider of identity verification solutions and offers several predefined workflows to establish user identity. For this integration, we use the "glacier-express" workflow (id: 9).

Figure 1: PXL Vision workflow
 

Airlock Flow Example

In Airlock IAM, a self-registration flow is an obvious place to integrate identity proofing. System administrators can use the following example as is or adapt the process as needed.

Figure 2: Airlock IAM self-registration flow
 

Key steps involve Scriptable Steps that communicate with external services to verify identity documents.
 

Detailed Integration Steps

Assuming readers are familiar with IAM configuration, this section focuses on PXL Vision integration specifics. For interested parties, an example Airlock IAM configuration including necessary details, such as Lua scripts and flow step input/output mappings, is available on GitHub.

  1. Authentication: Obtain an access token using credentials (API key or client id & secret, provided by PXL Vision). These credentials should be managed using Airlock IAM's native secret mechanism to keep them secure.
  2. Initiate Workflow: Start the PXL Vision workflow and receive a transaction id for later use. The associated scriptable result set is assigned to a namespace so it is not overwritten by a subsequent step.
  3. Switch to Smartphone: Convert the target URL (including transaction id) to a QR code for user convenience. For this proof of concept, use the online service goqr.me.
  4. Proofing Process: Perform the proofing on a smartphone with camera access. This is completely handled by PXL Vision and no interaction with Airlock IAM is required.
  5. Continue Registration Flow: Ask the user to switch back to the desktop browser and acknowledge continuation of the registration process.
  6. Retrieve Results: Request the proofing results from PXL Vision, which include the user's first and last name and the document's serial number.
  7. Complete Registration: Pass the verified identity information to the rest of the self-registration process for persistence and further use.
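
An added example, not part of the original post or of the GitHub configuration: a Python sketch of the checks a step-6 script could apply before step 7 persists anything, since the proofing in step 4 runs entirely outside Airlock IAM and step 5 is only a user acknowledgement. The field names, the "completed" status value, the 15-minute limit and the helper names are assumptions; the real script would be Lua in a Scriptable Step.

```python
import time

# Hypothetical field names; the real response schema comes from the service's API docs.
REQUIRED_FIELDS = ("first_name", "last_name", "document_serial")
MAX_AGE_SECONDS = 15 * 60  # assumed upper bound for one proofing session


class ProofingError(Exception):
    """Raised when a proofing result must not be trusted by the flow."""


def start_workflow(flow_state, transaction_id, now=None):
    """Step 2: keep the transaction id under its own namespace in the flow state."""
    flow_state["pxl"] = {
        "transaction_id": transaction_id,
        "started_at": time.time() if now is None else now,
    }


def accept_result(flow_state, result, now=None):
    """Step 6: return verified attributes for step 7, or raise ProofingError."""
    now = time.time() if now is None else now
    started = flow_state.get("pxl")
    if not started:
        raise ProofingError("no proofing workflow was started in this flow")
    # The result must belong to the transaction this flow started, not one
    # whose id the client supplied.
    if result.get("transaction_id") != started["transaction_id"]:
        raise ProofingError("transaction id mismatch")
    if now - started["started_at"] > MAX_AGE_SECONDS:
        raise ProofingError("proofing transaction expired")
    # Step 5 is only a user acknowledgement; proofing may not be finished.
    if result.get("status") != "completed":
        raise ProofingError("proofing not completed")
    identity = {}
    for field in REQUIRED_FIELDS:
        value = result.get(field)
        if not isinstance(value, str) or not value.strip():
            raise ProofingError("missing field: " + field)
        identity[field] = " ".join(value.split())  # collapse stray whitespace
    return identity


# Constructed sample data, not real service output.
SAMPLE_RESULT = {
    "transaction_id": "tx-1001", "status": "completed",
    "first_name": " Anna ", "last_name": "Muster", "document_serial": "X1234567",
}
```

Only the dictionary returned by accept_result should reach the persistence step; any ProofingError should end the registration flow or send the user back to the proofing step.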
     

Conclusion

Airlock Flows, combined with the Scriptable Flow Step, enable flexible and easy integration of third-party services. This example demonstrates adding identity proofing to a self-registration flow, showcasing the potential of Airlock IAM's extensible architecture.
