Buypass Access Solution (BAS) is an eID service that provides a full stack of tools and services for the administration and use of eIDs in the regulated business market. BAS supports several technologies; here we describe BAS using passkey (FIDO) technology.
BAS with ID Keys uses passkey (FIDO) technology to provide an eIDAS-classified identity service, certified and registered at level of assurance (LoA) High. The built-in support for passkeys in most operating systems, browsers and enterprise infrastructure products means the service requires no bespoke applications, drivers or adaptation; it works out of the box. This is good news for enterprises that want to migrate to this technology without major investment in their own backend.
Buypass takes the role and responsibility of identity provider, whose main tasks are to correctly identify the user, bind this identity to a device or carrier used to authenticate the user, and provide online services for self-service and administration.
BAS with ID Keys offers best-practice, industry-standard interfaces for administration and usage. Protocols such as HTTP, OCSP and SCIM are the link between Buypass and your IAM services. In addition, the service features self-service clients that reduce administration cost.
The service is certified for regulated identity at eIDAS LoA High under Norwegian legislation. Buypass also offers approved and certified ID Key tokens (hardware devices) in several forms (card, token, etc.).
The infrastructure supporting this service runs on a modern high-availability platform, offering excellent service levels, reporting and support.
How it Works
Buypass Access Solutions are B2B services, meaning that a company (the Buypass customer) is typically set up with a dedicated realm for administering and authenticating its employees or associated users.
The company applies for one or more users to become candidates for receiving an eID. This is done in the provisioning phase.
Then the user needs to enrol in the service by proving his or her identity (the identity proofing phase). Buypass offers a wide variety of managed and self-service options. Typically this includes presenting a passport to a representative of Buypass.
When the user's identity has been proven by Buypass, we issue an identity and bind it to an ID Key device. Note that the mobile smartphone is currently not approved for holding the keys.
Then the eID is ready for use. Any online service can now, using the built-in passkey functionality in browsers, request user authentication from Buypass's OIDC server.
A lost token or other ID Key carrier is no problem. Through self-service, the user can provide another means of identification to bind the eID to another blank device (typically a YubiKey or an NFC-enabled card).
Buypass also offers an operator-based web client for user administration.
The user database can be administered via the SCIM-based API, typically from your IAM service. If a user leaves the company, the ID is easily removed when the user is removed from IAM, and vice versa.
Due to the very high adoption of passkey technology by all major platform suppliers in the market, there is no need for drivers, applications or other services from Buypass in order to use passkeys. What Buypass adds is the process of onboarding, administering and authenticating the user in a regulated and certified manner.
The service uses generic core Buypass components and services for the processes of:
- identity proofing,
- enrolment and authenticator binding,
- lifecycle management.
The figure below shows a logical view of the service.
Buypass Fido2 Identity Service exposes interfaces (APIs) and web-based clients to perform the following services:
Registration and administration of users to be enrolled. User data is transferred from IAM or an external admin service via the SCIM API (System for Cross-domain Identity Management).
The SCIM protocol is an application-level REST protocol for provisioning and managing identity data on the web. Provisioning a user is a form of pre-registering a user (applicant) who will be a candidate for authentication.
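The following is an added example, not Buypass's code, showing what the IAM-driven provisioning and deprovisioning described here and in the lifecycle section looks like on the identity provider side: a minimal handler that validates an incoming SCIM 2.0 User resource, pre-registers the applicant as a candidate, suspends on active=false and revokes on DELETE. The schema URN and attribute names come from RFC 7643; the in-memory store, the record states (candidate, suspended, revoked) and the sample payload are constructed for illustration.

```python
"""
Added example (not Buypass's code): a minimal SCIM 2.0 User handler that
shows how an IAM-driven provisioning flow feeds a pre-registration store
and how deprovisioning revokes the candidate record.
Schema URN and attribute names are from RFC 7643; the store and the
lifecycle states are assumptions for illustration only.
"""
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# In-memory stand-in for the identity provider's user database (constructed).
_store = {}

# Constructed sample payload, as an IAM system would POST it to /Users.
SAMPLE_SCIM_USER = json.dumps({
    "schemas": [SCIM_USER_SCHEMA],
    "userName": "kari.nordmann",
    "displayName": "Kari Nordmann",
    "emails": [{"value": "kari.nordmann@example.com", "primary": True}],
    "active": True,
})


def parse_scim_user(body):
    """Validate an incoming SCIM User resource and return the fields we keep.

    Raises ValueError if the payload is not a SCIM 2.0 User or lacks the
    mandatory userName attribute (RFC 7643, section 4.1).
    """
    doc = json.loads(body)
    if SCIM_USER_SCHEMA not in doc.get("schemas", []):
        raise ValueError("not a SCIM 2.0 User resource")
    user_name = doc.get("userName")
    if not user_name:
        raise ValueError("userName is required")
    emails = [e.get("value") for e in doc.get("emails", []) if e.get("value")]
    return {
        "userName": user_name,
        "displayName": doc.get("displayName", ""),
        "emails": emails,
        "active": bool(doc.get("active", True)),
    }


def provision(body):
    """POST /Users: pre-register an applicant as a candidate for enrolment."""
    user = parse_scim_user(body)
    record = dict(user, state="candidate")   # assumed lifecycle state
    _store[user["userName"]] = record
    return record


def patch_active(user_name, active):
    """PATCH active=false suspends the record; active=true restores it."""
    record = _store[user_name]
    record["active"] = active
    record["state"] = "candidate" if active else "suspended"
    return record


def deprovision(user_name):
    """DELETE /Users/{id}: removing the user in IAM revokes the record here."""
    record = _store.pop(user_name)
    record["state"] = "revoked"
    return record


if __name__ == "__main__":
    print(provision(SAMPLE_SCIM_USER))
    print(patch_active("kari.nordmann", False))
    print(deprovision("kari.nordmann"))
```

The point of the schema and userName checks is that the SCIM endpoint is an authenticated write path into the identity database, so a malformed or foreign resource is rejected before anything is stored; the separate suspend and revoke paths mirror the "removed from IAM, removed here" coupling the text describes.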
Identity (ID) Proofing
For Buypass to be able to provide a level of trust in the
The user proves his or her identity by operator-assisted ID proofing, self-service identity document scanning, or by using an existing eID at the same LoA (BuypassID, BankID, etc.).
Enrolment and binding
Creating an identity account for an identity-proofed user and binding one or more authenticators (FIDO2 keys) to the account.
Used by a service provider or an application to request proof of identity from the user via the OIDC-based API. Buypass provides an assertion of user verification as a signed ID token. The assertion may contain verified attributes such as user ID (National Identity Number, NIN), phone number, etc.
User data and authenticators are managed throughout the user's lifecycle. This is performed by self-service clients, operator-assisted clients, the SCIM-based API, Buypass customer service and monitoring of authoritative sources.