In the past years, technology for validating a user's identity using a combination of a mobile phone, an identity document like a passport with NFC chip and improvements in real time facial recognition technology, have made real time, remote and trusted identity validation viable. As a result several vendors are now offering such a service, such as READ.ID and SisuID.

In the R&E community there are multiple use cases for this kind of technology. Two very dominant cases are:

• Identity vetting for research communities, typically as part of the onboarding of a user into the community. This use case [1] was brought up by CSC/Elixir and there are indications also BBMRI and Lumi EuroHPC project would benefit from such capabilities.
  The use case was also previously identified in the work in the incubator on identity vetting and 2FA token binding and led to an activity that integrated with the READ.ID service. In addition, eduTEAMS has shown interest in having this capability.
• Identity vetting for foreign students who are enrolling into a campus. This scenario was brought up by SURF, and CSC expressed interest in such a capability as well.

Other potential use cases may include the use of a passport for second factor authentication and using it as a way to do token recovery of other 2FA tokens.

Previous work in the incubator (on READ.ID) and also within CSC/Elixir (on SisuID) have shown that on the technical side implementation of such services which are offered by vendors is not too difficult for a skilled technical team. However, typically the APIs and interfaces offered by the vendors do not align well with commonly used APIs in the R&E community. Furthermore, while the vendors services provide similar capabilities highlevel, there are some differences e.g in LoA which can be established and in user experience.

This activity will investigate a possible business case to support identity verification and will consider a number of ways of delivering this (e.g. as an identity broker for a range of possible commercial identity verification services, as a GEANT offered service, as an information portal pointing to services etc).

• Collect use cases from Research Communities, NRENs and institutions. We intent to interview about 10 relevant stakeholders
• Describe potential deployment models for a centralized identity validation solution
• Discuss deployment models with stakeholders to assertion the preferred model
• Optional: Describe the preferred model and investigate relevant aspects like GDPR impact, operational model and sustainability

Identity proofing is very expensive and scales very poorly, especially in cases where the users are (very) distributed. This is the case in several scenarios of research communities as well as in cases where e.g. new students living abroad need to be identified as part of the boarding into an institution.
Multiple vendors offer identity proofing services already, but these service are not very cheap, procurement of such a service is a lengthy and potentially expensive effort and in addition, each vendor offers its own, proprietary API. These factors hinder uptake and deployment of identity proofing within our community and also impedes switching between vendors.
This activity investigates, based on requirements collected from multiple stakeholders, if and in which way this situation may be improved.

• Stakeholders may have very different requirements that cannot be reconciled into one model

There is no additional personal data processed as part of this activity

• A report is delivered describing use cases from Research Communities, NRENs and institutions and potential deployment models for a centralized identity validation solution
• The above report is discussed with relevant stakeholders
• A preferred solution is selected based on stakeholder input
• The preferred solution is described including relevant aspects like e.g. like GDPR impact, operational model and sustainability

The study identified that a number of factors contribute to the efficient onboarding of users to access digital services and that an automated or automation-assisted document-based identity verification solution could be of benefit for the R&E community, particularly amongst certain segments of users, where the problem is most acute. This was confirmed through interviews with stakeholders, and although there was no strong pull for an immediate solution by many, some are already investigating or deploying solutions and many others expressed strong interest. Due to the early stage of this area the study was not able to determine the exact requirements of any solution or the potential deployment models, nevertheless it was able to collect valuable information and to make recommendations for subsequent steps. Although other identity-based initiatives such as eIDAS and European student card initiatives are underway the state of these initiatives indicates that there may still be utility in a document-based identify verification solution, at least in the short and medium term.

Our findings indicated a strong desire for information about the capabilities of the various document-based identity verification solutions, which would help in defining what the requirements and suitable deployment model for an R&E focused solution could be. In particular we concluded that further work would be needed to reach a definitive conclusion and recommended:

• Establishment of a platform for information capture and exchange on document-based identity verification solutions
• Comparative analysis of available commercial solutions should be performed and made available
• Surveying of the broader R&E community based on the findings so far to see the level of interest and support more generally
• Constructing a preliminary business case for a community-operated service following the broader survey

It is hoped that an interested party or parties can take this work forward, as further work on this topic is currently outside the scope of the Incubator.