Certification process for regify authentication
Authentication methods
Authenticating a regify account means identifying the account holder, who may be a person or an organization. The higher the level of authentication, the stronger the proof of identity. regify supports two authentication paradigms:

Personal authentication
A user authenticates himself to the regify provider. As a result, the recipient can take the sender’s authenticity as read.

Organizational authentication
A user authenticates his affiliation to an organization. The recipient can take the sender’s association to the authenticated organization as read.
In order to represent the different qualities of authentication methods, regify introduced the following authentication levels:
Level | Authentication of persons | Authentication of organizations |
---|---|---|
0 | User has access to the e-mail address used. This level indicates the absence of any further authentication. The regify provider has only checked whether someone clicked the activation link in the initializing e-mail. | |
1 | The user contacted the regify-provider verbally and made his identity credible (social barrier). This can be done by telephone, Skype or other voice systems. | |
3 | The user sent or faxed a copy of his identification card to the regify-provider. | The user sent a copy of the identification card of the manager or a copy of the business registration / certificate of registration. |
5 | The details of the user or company are checked against a public directory (e.g. call back to a phone number taken from the telephone directory). Alternatively, the regify-provider already has an existing, attestable long business relationship with the user or organization. The regify-provider personally knows the user (e.g. human resources department). | |
7 | The user personally verified his identity to the regify-provider (e.g. by personally showing an identification card). The user has been employed by the regify-provider for more than 2 months. | not applicable |
9 | The user has been authenticated by a legally accepted authentication procedure like PostIDENT (Germany), Ident.Brief (Austria), Die Gelbe Identifikation (Switzerland) etc. | not applicable |
The even levels 2, 4, 6, 8 and 10 are currently unused and reserved for future use.
The purpose of authentication
The purpose of authentication is to ensure a binding proof of the identity of the counterpart within the regify process. For certain functions of the regify-service, a minimum level of authentication is required. For example, a regipay or regibill document can only be sent from accounts that are authenticated with level 3 or higher.
Authentication levels 1-3 (immediately available)
Providers can award levels from 1 to 3 to their customers’ regify accounts without any additional certification. Before starting, the provider receives a brief introduction to the relevant site features. After that, he only has to document and archive the type of authentication and the authenticating person (filing photocopies, noting the phone number, etc.).
Authentication levels 4-9 (available after certification)
The right to award higher authentication levels is granted to the provider after successful completion of the certification process. The process is performed by an authorized partner or regify. The regify-provider will be guided through the various authentication techniques and possibilities.
Principles and rules
Among other things, the provider must comply with certain principles and rules:
- Compliance with regify guidelines
- Documentation
- Long-term archiving
Finally, the future process to be implemented will be developed. After the introduction of the process, its implementation and effectiveness will be tested as part of an audit conducted by regify. If the audit is successful, the regify-provider will receive the official certification.
The basis of the certification is the documented provider-specific authentication process. Regular audits in the future ensure continuous compliance with the process.
Procedure to implement authentication
The following procedure describes the general approach to gaining certification for a regify provider authentication process. It should be followed as closely as possible to gain authentication levels of 5 or higher.
- Designation of a responsible person and further beneficiaries for the certification process.
- Introductory talk.
- Joint processing of the questionnaire.
- Decide which authentication steps and procedures are to be offered.
- Decide for which countries the authentication will be offered.
- Documentation of the specific processes needed.
- Agreement about the implementation of the process.
- Auditing of the process by regify or authorized partner.
- Final conversation.
- For a successful audit → unlock the technical functionality in the regify-provider software.
- Publication of certification on the regify website.
- Verification audits every three years.
regify authentication guideline
Authorized authentication agents
The authorized authentication agents must be briefed on the authentication process and be named in the checklist. Agents added later must also be trained and listed in an attachment to the checklist.
Transmission of the unlock-code
The unlock-code must be transmitted through an internet-independent service (e.g. SMS, phone call, personal handover, post, etc.). This applies to the first and all following requests.
Independent of the authentication level, unlock-codes are never transferred by e-mail (not even by regimail) or chat (such as Skype, Jabber, etc.).
Address change (relocation, marriage)
If the address details of a regify user change, e.g. due to marriage or relocation, the user must authenticate again. A modification within the existing authentication is not allowed.
Decease
If a provider receives the information that an authenticated user has died, the authentication must be repealed. This process must be documented as well.
Increase authentication level
If a regify user wants to increase his authentication level, the user must authenticate again using the appropriate process. A modification within the existing authentication is not possible.
Documentation
All authentications must be documented. At minimum, authentication level, issuing date, authentication agent and the chosen authentication process must be archived. Copies of documents that have been used for the authentication process must also be archived.
Long term archiving
Long-term archiving can be physical or digital; in either case the retention period is 10 years. For digital archiving, a valid storage medium must be chosen.
Checklist about certification
Responsibilities
Customer / (Sub)Provider: | |
Responsible persons: | |
Authorized authentication agents: | |
Authentication levels
Level 3: | □ Not implemented |
Level 5: | □ Not implemented |
Level 7: | □ Not implemented |
Level 9: | □ Not implemented |
Documentation
Documentation process for authentications: | |
Long term archiving of documentation: | |
Supported countries: | |
Process implemented:
-----------------------------------------
(Date, regify Auditor)
Implementation checked and confirmed:
-----------------------------------------
(Date, responsible at regify-provider)