Idfy Identification Principles

 

Finnish Trust Network (FTN)

The Finnish Trust Network (FTN) constitutes a set of providers of trust services in accordance with the Finnish law of electronic identification and is supervised by the Finnish Communications Regulatory Supervisory Authority, TRAFICOM. Idfy has applied to TRAFICOM to become a member of the Finnish Trust Network.

 

General information

Information about broker services

Information about pricing, contracts, terms and conditions

Information security, auditing and supervision of the services

Privacy policy and processing of personal data

General information about the service provider

Idfy has applied to become a member of the Finnish Trust Network (FTN) and provides an identification broker service (intermediate service) called Idfy Identify. Idfy is a limited company incorporated in Norway and registered in the Norwegian business registry (The Brønnøysund Register Centre). Idfy currently has offices located in Bergen (headquarters) and Oslo, Norway. Official information about Idfy can be found below:

  • Official company name: Idfy Norge AS
  • Organization number: 998303168 (NO – Brønnøysund Register Centre)
  • Visiting address Bergen: Kanalveien 109, N-5068 Bergen, Norway
  • Visiting address Oslo: Drammensveien 167, N-0277 Oslo, Norway
  • Postal address: Postboks 42, N-5822 Bergen, Norway
  • Central telephone number: +47 53 01 10 30
  • Contact e-mail address (business inquiries): sales@idfy.io
  • Contact e-mail address (inquiries of technical nature and regarding information security): support@idfy.io
  • Contact e-mail address (general and other inquiries): post@idfy.io

 

Information about identification broker services

Idfy offers its identification broker service, Idfy Identify, which enables brokered identification with strong electronic identification of end customers using underlying national eID (electronic identity) schemes available in the Finnish Trust Network (FTN).

Idfy Identify is developed, maintained and operated by Idfy as Software-as-a-Service, with the help of its subcontractors Microsoft Azure and Basefarm AS. Through the Idfy Identify broker service, the following providers of strong electronic identification are intermediated within the service:

| Identity provider | Identification method      | Assurance level       |
|-------------------|----------------------------|-----------------------|
| Telia/Elisa/DNA   | Mobiilivarmenne (mobileID) | eIDAS 2 – substantial |
| Nordea            | Bank identification        | eIDAS 2 – substantial |
| Aktia             | Bank identification        | eIDAS 2 – substantial |
| Ålandsbanken      | Bank identification        | eIDAS 2 – substantial |
| Danske Bank       | Bank identification        | eIDAS 2 – substantial |
| OP                | Bank identification        | eIDAS 2 – substantial |
| S-Pankki          | Bank identification        | eIDAS 2 – substantial |
| Handelsbanken     | Bank identification        | eIDAS 2 – substantial |
| Säästöpankki      | Bank identification        | eIDAS 2 – substantial |
| OmaSP             | Bank identification        | eIDAS 2 – substantial |
| POP Pankki        | Bank identification        | eIDAS 2 – substantial |

The above diagram visualizes how Idfy Identify intermediates the underlying identity providers

Brokering works as follows: Idfy Identify lets the end user choose which identity provider to use and then redirects the user to that provider. Once the user has completed identification with the chosen identity provider, the user is redirected back to Idfy Identify and ultimately to the customer/relying party; the Idfy Identify backend retrieves the verified identity data and relays them to the customer/relying party as-is. Instead of maintaining direct connections to each underlying identity provider, the customer/relying party uses a single access point (Idfy Identify) that gives access to multiple underlying identity providers for identifying the person.

Idfy Identify supports two technical interfaces for accessing the identification broker service, following industry standard protocols:

  • OpenID Connect (OIDC)
  • OAuth2 (REST API)

Idfy also offers several other services, e.g. for digital signatures (Idfy Sign).

Please refer to Idfy’s developer documentation for further information about the technical interfaces for the Idfy Identify service:

https://developer.idfy.io/

Information about pricing, contracts, terms and conditions

The price model for Idfy Identify service consists of three elements, based on the commercial agreement with the customer (relying party) using Idfy’s services:

  1. a one-time establishment fee for setup of the service
  2. a fixed monthly fee for access to the service, including SLA and support
  3. usage-based (metered) transaction fees

Third party fees from the underlying identity providers are billed through to the customer from Idfy as described in the Finnish identification legislation.

Idfy has entered into commercial contracts with the underlying identity providers brokered through Idfy Identify, and therefore the customer/relying party only needs Idfy as a single contractual party instead of having separate agreements with each underlying identity provider. End users who authenticate themselves through Idfy Identify are not charged by Idfy for the service. Contract terms and other conditions for the use of Idfy Identify can be made available upon request to sales@idfy.io.

Information security, auditing and supervision of the services

Idfy has implemented an information security management system for the scope of services delivered as an identification trust broker in the FTN, in accordance with the ISO/IEC 27001:2013 standard. KPMG IT Sertifiointi Oy assessed and audited Idfy’s services in January 2019, and the report from the conformity assessment has been submitted to TRAFICOM. In accordance with the FTN requirements, the conformity assessment will be performed by a FINAS-accredited audit body every two years, or sooner if the Idfy Identify service changes significantly.

TRAFICOM supervises Idfy’s operations regarding Idfy Identify and the requirements set out by the identification legislation, and the Finnish Data Protection Authority supervises Idfy’s operations regarding the requirements set out by the data protection legislation. Some highlights from our information security program can be found below:

  • Hosting, data centers and business continuity: Idfy’s operational facilities are set up with multiple levels of redundancy, both geo-redundancy and other failover and data backup strategies. Idfy uses subcontractors Microsoft Azure (North/West European data centers) and Basefarm AS (Norwegian data centers) to host its services.
  • HR policies: All Idfy employees are required to provide valid police certificates prior to employment at Idfy. Only authorized personnel can access customer data for operations and support purposes.
  • Physical security: Several physical and logical access controls are implemented for both offices and operational facilities (data centers).
  • API security, data transport controls and cryptography: All communication with Idfy services is protected with TLS encryption, API gateways and authentication/authorization using the OAuth2 protocol.

Idfy uses industry standard encryption in its services, with minimum requirements for key lengths, algorithms and secure storage of keys and secrets. Particularly sensitive keys and secrets are secured by hardware security modules (HSMs).

 

For general information about Idfy’s information security program, please see link below:

Information security

Privacy policy and processing of personal data

Idfy takes privacy seriously and has implemented a set of information security controls and measures to protect the data of its customers and end users. Idfy will only process data to the extent necessary to deliver its identification broker services. Idfy follows the Code of Conduct provided by TRAFICOM, as well as the requirements for personal information protection set out by the applicable identification legislation (Tunnistuslaki), and data protection and privacy regulations (Tietosuoja-asetus and Henkilötietolaki).

For the scope of the services delivered under Idfy Identify as an identification broker, Idfy acts as data processor on behalf of the customer/relying party that is performing the identification of the natural person (end user). Idfy provides a technical solution for connecting the end user to the identification providers and, upon consent from the end user, returning the extracted ID data to the customer/relying party. The data that are transmitted to the customer/relying party from an identification include full name, personal ID number (HETU) and date of birth. Idfy uses these data to deliver and support the service to the customer/relying party and does not process the personal data for any other purpose.

 

For further information about Idfy’s privacy policy, please see the link below:

Privacy policy

 
