Buypass Access Solution with ID Keys - Home

Introduction  

Buypass Access Solution (BAS) is an identity service that provides a full stack of tools and services for the administration and use of eIDs in the regulated business market. BAS supports several technologies; here we describe BAS using passkey (FIDO) technology.

BAS with ID Keys uses passkey (FIDO) technology to provide an eIDAS-classified identity service, certified and registered at level of assurance (LoA) High. The built-in support for passkeys in most operating systems, browsers and enterprise infrastructure products makes possible a service that does not require bespoke applications, drivers or adaptation: it works "out of the box". This is good news for companies that want to migrate to new technology without major investments in their own infrastructure.

Buypass takes the role and responsibility of identity provider, whose main task is to establish the correct identity of the user and to bind that identity to the device or carrier used to authenticate the user. Additionally, Buypass provides online services for self-service and administration.

BAS with ID Keys offers best-practice, industry-standard interfaces for administration and usage. Protocols such as HTTP, OCSP and SCIM are the link between your IAM services and Buypass. In addition, the service features self-service clients for reduced administration cost.

The service comes with certification for regulated identity at eIDAS LoA High under Norwegian legislation. Buypass also offers approved and certified ID Key tokens (hardware devices) in several forms (card, token, etc.).

The infrastructure supporting this service runs on a modern high-availability platform, offering excellent service levels, reporting and support.



How it Works 



Buypass Access Solutions are B2B services, meaning that a company (the Buypass customer) is typically set up with a dedicated realm for administering and authenticating the customer's employees or associated users.

The company applies for one or more users to become candidates for receiving an eID. This is done in the provisioning phase.

The user needs to enrol in the service by proving his or her identity; this is called the identity proofing phase. Buypass offers a wide variety of methods and self-service options. Typically this includes presenting a passport to a representative of the company who has been given a delegated role for performing identity control.

After the user's identity has been proven, the user is what we call enrolled, and an identity account is established for the user to which one or several ID Keys can be bound. This is covered by the enrolment and authenticator binding phase. Note that currently the mobile smartphone is not approved for holding the keys.

The user is now a holder of an ID Key and ready to use it. Any online service can now, using the built-in passkey functionality in browsers, request a user authentication from Buypass' OIDC server.

A lost ID Key device (card, token) is no problem. Through self-service the user can delete the lost key and issue a new ID Key by binding it to another blank device, typically a YubiKey or an NFC-enabled card.

Buypass also offers an Operator-based web client for Operator-assisted user administration.

The user database can be administered via the SCIM-based API, typically from your IAM service. If a user leaves the company, the ID Key is easily removed: when the user is removed from IAM, the SCIM syncing rules remove the user here as well.


Process 

Because passkey technology has been adopted so widely by all major platform suppliers in the market, no drivers, applications or other services from Buypass are needed to use passkeys. What Buypass adds is the process of onboarding, administering and authenticating the user in a regulated and certified manner.

The service uses generic core Buypass components and services for the processes of:

  • provisioning
  • identity proofing
  • enrolment and authenticator binding
  • authentication 
  • lifecycle management

The figure below shows a logical view of the service:   


BAS with ID Keys exposes interfaces (APIs) and web-based clients to perform the following services:

Provisioning 

Registration and administration of users to be enrolled. User data is transferred from IAM or an external admin service via the SCIM API (System for Cross-domain Identity Management).
The SCIM protocol is an application-level REST protocol for provisioning and managing identity data on the web. Provisioning a user is a form of pre-registration of a user (applicant) who will be a candidate to authenticate as a user.

Identity (ID) Proofing

For Buypass to provide a level of trust, we need to know the user.

The user must prove his or her identity by Operator-assisted ID proofing, self-service identity document scanning, or using an existing eID at the same LoA (BuypassID etc.).

Enrolment and binding

Creating an identity account for an identity proofed user and binding one or several authenticators, that is ID Keys, to the account.

Authentication

Used by a service provider or an application to request proof of the user's identity through an OIDC-based API. Buypass asserts the user verification as a signed ID token. The assertion may contain verified attributes such as a user ID (National Identity Number, NIN), a unique company username, etc.
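The relying-party side of the authentication step above, as an added example that is not part of the original page or Buypass' own code: the claim checks a service should run on the signed ID token before trusting attributes such as the NIN. It assumes the token's signature has already been verified with a JOSE library against the provider's published keys; the issuer URL, client id, nonce and the claim name `nin` are placeholders.

```python
import time

class IdTokenError(ValueError):
    """Raised when an ID token must not be trusted."""

def validate_id_token_claims(claims, *, issuer, client_id, expected_nonce,
                             required_attrs=(), now=None, max_skew=60):
    """Check claims of an ID token whose signature is already verified."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise IdTokenError("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise IdTokenError("token not issued to this client")
    # With several audiences the token must name the client it was issued to.
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise IdTokenError("azp missing or wrong for multi-audience token")
    try:
        exp, iat = float(claims["exp"]), float(claims["iat"])
    except (KeyError, TypeError, ValueError):
        raise IdTokenError("exp/iat missing or malformed") from None
    if now > exp + max_skew:
        raise IdTokenError("token expired")
    if iat > now + max_skew:
        raise IdTokenError("token issued in the future")
    # The nonce ties this token to the authentication request we started.
    if not expected_nonce or claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch, possible replay")
    if not claims.get("sub"):
        raise IdTokenError("sub missing")
    verified = {"sub": claims["sub"]}
    for name in required_attrs:  # e.g. the NIN the page mentions
        if not claims.get(name):
            raise IdTokenError(f"required verified attribute {name!r} absent")
        verified[name] = claims[name]
    return verified

def id_token_problem(claims, **kwargs):
    """Same checks, returning the rejection reason (None when the token is OK)."""
    try:
        validate_id_token_claims(claims, **kwargs)
    except IdTokenError as err:
        return str(err)
    return None

# Constructed sample claims; issuer, client id and attribute names are placeholders.
ISSUER, CLIENT_ID, NONCE = "https://idp.example.invalid", "rp-client-1", "n-7Qx"
SAMPLE_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-42", "nonce": NONCE,
                 "iat": 1_700_000_000, "exp": 1_700_000_300, "nin": "00000000000"}
```

Only the attributes returned by `validate_id_token_claims` should reach the application's session; anything read from the token before these checks is untrusted input.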

Lifecycle management

User data and authenticators are managed throughout the lifecycle of the user. This is performed through the self-service client, the Operator-assisted client, the SCIM-based API, Buypass customer service and monitoring of authoritative sources.



Latest News 


2023-11-29: On-site external audit due 3 Dec. for renewed certification at LoA High


Roadmap 


2023-Q4: eIDAS LoA High certification renewed

2023-Q1: All Buypass-issued ID Keys supported in ID-porten (Norwegian government ID portal)

2022-Q4: Approved use of remote biometric ID proofing for selected markets

2022-Q2: Support for the synthetic test user database from FREG

2022-Q1: Support for BankID for self-service administration

2021-Q1: eIDAS LoA High compliance review by external auditor complete, resulting in Buypass Access Solution with ID Key being eIDAS High compliant using a specific set of ID Keys (passkey / FIDO2)



Compliance


eIDAS

The status of the Buypass FIDO2 identity service's compliance with the eIDAS regulation:

Level of Assurance (LoA) = High


Authenticators 

The following authenticators are available:

  • Security Key from Yubico (NFC + USB)
  • Smartcard inlay for embedding in PKI chip cards and/or Mifare-based RFID access system inlays
