1.2 Case Study - Candour Multi Factor
Candour is identity verification solution for self-service digital identification. Candour is also the company developing the solution.
Candour people contacted Olevi suggesting co-operation. Candour was already in use by customers and there was ready Shibboleth plugin created by great people at CSC. It would be interesting to see if we can find new use cases together.
As it would be so easy to do proof of concept (POC), there was zero hesitation and we agreed to go on with a demo. This would make a great demo of possibilities that Olevi (based on Shibboleth IdP software) has.
The Problem
There are many things to consider while making services available for common crowds. While environmental sustainability is not the only one, without going in to details, we surely don’t want to waste computing resources that are evidently needed in identity proofing.
We wanted to add a treshold to be able to make a request for identity proofing using Candour.
The Solution
Olevi already has groups feature implemented in management interface. It would be quite easy to combine group membership as a requirement to be able to initiate an identity proofing session.
Shibboleth IdP has Multifactor Authentication (MFA) configuration option readily available. While it quickly sounds like something really strong and safe, Shibboleth MFA is merely a configuration option to set your IdP in a way that e.g. more than one authentication method will be used.
It is not an authentication method in itself. You still need actual methods to do the authentication part.
The Plan
So, we have all pieces we need and now we only need to glue them together to have working demo. This is how the plan looks like.
Now we have the required treshold that user need to cross in order to initiate identity proofing. We are able to ensure with sufficient certainty that only people in pilot group or at least people with access to email address that has been accepted as representative in pilot group can initiate identity proofing.
Step Up
In real world, when looked from point of view of an application, this would be a step up authentication case. AI-assistant in DuckDuckGo did put it quite well:
Step-up authentication is a security process that requires users to provide additional verification when accessing sensitive information or performing high-risk actions. This method enhances security by prompting for extra credentials only when necessary, balancing user convenience with protection against unauthorized access.
It other words, the user would start their yourney in an application with simple and straight forward authentication as they would do every other day. However, something comes up requiring more. We need to step on to another level to make sure that an action really is authorised.
Imagine a Recruiter
Let’s take an imaginary human resources (HR) branch. Organisation needs to find another experienced specialist. With the help of HR, they put up an annoucement for a vacancy. There are multitude of candidates scrolling through vast amount of open positions. We don’t need accurate person details from them all. Only when HR has recongniced most suitable candidates, we want to ask only those candidates to do identity proofing before they are invited to an interview.
Now, when we look at the sequence again, although more thoroughly described steps, it makes more sense for the user.
There is a Working Demo
As usual, we deliver. If you want to try it in action, go on and try.
When authenticated to demo application, register Olevi ID if you don’t have one and request access to pilot group by accessing this link. Olevi doesn’t send any notifications, so after requesting access to pilot group, it’s best to contact us so that we know to accept your request.
You can find your Candour proofing status on the front page of the demo application when authenticated.
You will find methods to contact us on Olevi web pages. Please click “Yhteydenotto” button on navigation bar.