
Certification process for regify authentication

Authentication methods

Authenticating a regify account means identifying the account holder, which may be a person or an organization. The higher the level of authentication, the stronger the proof of identity. regify supports two authentication paradigms:


Personal authentication

A user authenticates himself to the regify provider. As a result, the recipient can take the sender’s authenticity as read.


Organizational authentication

A user authenticates his affiliation to an organization. The recipient can take the sender’s association to the authenticated organization as read.

In order to represent the different qualities of authentication methods, regify introduced the following authentication levels:

Level 0

The user has access to the email address used. This level indicates the absence of any further authentication. The regify provider simply checked whether someone clicked the activation link in the initial e-mail.

Level 1

The user contacted the regify-provider verbally and made his identity credible (social barrier). This can be done by telephone, Skype or other voice systems.

Level 3

Authentication of persons: The user sent or faxed a copy of his identification card to the regify-provider.

Authentication of organizations: The user sent a copy of the identification card of the manager or a copy of the business registration / certificate of registration.

Level 5

The details of the user or company are checked against a public directory (e.g. calling back a phone number taken from the telephone directory).

Alternatively, the regify-provider already has an existing, attestable long business relationship with the user or organization.

The regify-provider personally knows the user (e.g. human resources department).

Level 7

Authentication of persons: The user personally verified his identity to the regify-provider (e.g. personally showing identification card).

The user is employed by the regify-provider for more than 2 months.

Authentication of organizations: not applicable

Level 9

Authentication of persons: The user has been authenticated by a legally accepted authentication procedure like PostIDENT (Germany), Ident.Brief (Austria), Die Gelbe Identifikation (Switzerland) etc.

Authentication of organizations: not applicable

The even levels 2, 4, 6, 8 and 10 are currently unused and reserved for future use.

The purpose of authentication

The purpose of authentication is to ensure a binding proof of the identity of the counterpart within the regify process. For certain functions of the regify-service, a minimum level of authentication is required. For example, a regipay or regibill document can only be sent from accounts that are authenticated with level 3 or higher.

Authentication levels 1-3 (immediately available)

Providers can award levels from 1 to 3 to their customers’ regify accounts without any additional certification. Before starting, the provider receives a brief introduction to the relevant site features. After that, the provider only has to document and archive the type of authentication and the authenticating person (filing photocopies, noting the phone number, etc.).

Authentication levels 4-9 (available after certification)

The right to award higher authentication levels is granted to the provider after successful completion of the certification process. The process is performed by an authorized partner or regify. The regify-provider is guided through the various authentication techniques and possibilities.

Principles and rules

Among other things, the provider must comply with certain principles and rules:

  • Compliance with regify guidelines

  • Documentation

  • Long-term archiving

Finally, the process to be implemented is developed. After the process has been introduced, its implementation and effectiveness are tested as part of an audit conducted by regify. If the audit is successful, the regify-provider receives the official certification.

The basis of the certification is the documented provider-specific authentication process. Regular audits in the future ensure continuous compliance with the process.

Procedure to implement authentication

The following procedure describes the general approach to gaining certification for a regify provider authentication process. It should be followed as closely as possible to gain authentication levels of 5 or higher.

  1. Designation of a responsible person and further beneficiaries for the certification process.

  2. Introductory talk.

  3. Joint processing of the questionnaire.

    1. Decide which authentication steps and procedures are to be offered.

    2. Decide for which countries the authentication will be offered.

    3. Documentation of the specific processes needed.

  4. Agreement about the implementation of the process.

  5. Auditing of the process by regify or authorized partner.

  6. Final conversation.

  7. After a successful audit
    → unlock the technical functionality in the regify-provider software.

  8. Publication of certification on the regify website.

  9. Verification audits every three years.

regify authentication guideline

Authorized authentication agents

The authorized authentication agents must be briefed on the authentication process and be named in the checklist. Agents added later must also be trained and listed in an attachment to the checklist.

Transmission of the unlock-code

The unlock-code must be transmitted through an internet-independent service (e.g. SMS, phone call, personal handover, post, etc.). This applies to the first and all following requests.

Regardless of the authentication level, unlock-codes are never transferred by email (including regimail) or chat (such as Skype, Jabber, etc.).

Address change (relocation, marriage)

If the address details of a regify user change, e.g. due to marriage or relocation, the user must authenticate again. A modification within the existing authentication is not allowed.

Decease

If a provider receives the information that an authenticated user has died, the authentication must be revoked. This process must be documented as well.

Increase authentication level

If a regify user wants to increase his authentication level, the user must authenticate again using the appropriate process. A modification within the existing authentication is not possible.

Documentation

All authentications must be documented. At minimum, authentication level, issuing date, authentication agent and the chosen authentication process must be archived. Copies of documents that have been used for the authentication process must also be archived.

Long term archiving

Long-term archiving can be physical or digital; in either case the records are kept for 10 years. For digital archiving, a valid storage medium must be chosen.

Checklist about certification

Responsibilities

Customer / (Sub)Provider:

Responsible persons:

Authorized authentication agents:

Authentication levels

Level 3:

□ Not implemented
□ Implemented

Level 5:

□ Not implemented
□ Implemented

Level 7:

□ Not implemented
□ Implemented

Level 9:

□ Not implemented
□ Implemented

Documentation

Documentation process for authentications:

Long term archiving of documentation:

Supported countries:

Process implemented:

-----------------------------------------
(Date, regify Auditor)

Implementation checked and confirmed:

-----------------------------------------
(Date, responsible at regify-provider)