Challenge
A public organization (authority) needs to give external users access to some of the organization's systems and digital resources. The external users must be able to access and register certain information at regular intervals. The organization wants users to be able to request access themselves via a self-service process. An authorized person at the organization must then approve the request and grant authorization to the relevant systems. For security reasons, the organization requires a more secure authentication method than passwords, so that attackers who obtain passwords cannot access the organization's digital information.
Authentication must use one of the following methods:
E-identification
One-time password or mobile app, for users who do not have e-identification.
The method must be easy to use and involve minimal administration, in order to save time and money.
Solution
With Fortified ID Integrity, the organization can offer self-registration, access request, and authentication. With Fortified ID Control, the organization gets the opportunity for delegated authorization management.
Self-registration and access request
Self-registration is performed using e-identification authentication in combination with registration of an e-mail address and/or mobile phone number. The user must prove ownership of the e-mail address and/or mobile phone number by entering a one-time password distributed via e-mail or text message. The user can select from a list the system or systems to which access is requested. It is also possible to add a free-text comment. Users who do not have e-identification are instead offered the option to register a mobile app for secure login. The other steps in the self-registration process are the same as for e-identification holders.
Authorization administration
An administrator at the organization receives an e-mail when a user requests access. The administrator approves or denies the access request, and the user is notified of the decision via e-mail. Upon approval, the user also receives a link to the portal, where they can log in and see the resources they now have access to.
Authentication
The user logs in by entering the address of the portal offered to external users, where all applications the user is authorized for are displayed. The user authenticates with e-identification or the mobile app.
About the solution
With Fortified ID Integrity, e-identification or a mobile app can be used as the authentication method, both for self-registration and for logging into the organization's systems and digital resources.
Supported e-identifications:
Swedish BankID
Freja eID
Swedish passport
SITHS
EFOS
Freja OrgID
Norwegian BankID
Norwegian ID-porten
eIDAS
With Fortified ID Control, the organization can let administrators approve user authorizations to the organization's systems via a graphical interface. The solution is very cost-effective:
Self service
Customizable
The solution supports the organization's own process and can easily be adapted as requirements change
Requires minimal administration in the organization
Standardized integrations
The user-facing graphical interface is fully customizable to match the organization's graphical profile.
Other
User accounts and their permissions are managed in the organization's directory of external people, such as an Active Directory. The connection between the user's e-identification and the user's account in the directory is made via a lookup against the directory: the identifier carried by the user's eID is matched against an attribute on the user's directory account, which associates the eID authentication with that account. The organization itself chooses which attribute to use for this match. Users who use the mobile app are matched with their directory account in the same way.
The protection of the various systems is configured via standardized integrations (SAML2 or OpenID Connect) between the systems and Integrity. At login, the user's identity attributes and authorizations are added to the tickets (tokens) that are passed on to the respective system.
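To make the account-linking and token steps above concrete, here is an added example (not Fortified ID code, and not the product's API): an eID identifier is looked up against an organization-chosen directory attribute, and the matched account's attributes and authorizations are copied into token claims for the target system. The directory contents, attribute names and group names are constructed for illustration; the lookup refuses both "no account" and "more than one account" instead of silently picking the first hit.

```python
from typing import Any

# Constructed sample directory of external users (not real data); the attribute
# names mimic Active Directory, but any attribute the organization chooses works.
EXTERNAL_USERS = [
    {"sAMAccountName": "ext.anna", "employeeID": "SE-EID-0001",
     "mail": "anna@example.org", "memberOf": ["app-registration", "app-reporting"]},
    {"sAMAccountName": "ext.bo", "employeeID": "NO-EID-0002",
     "mail": "bo@example.org", "memberOf": ["app-reporting"]},
    # Two accounts accidentally carry the same identifier: an ambiguous match.
    {"sAMAccountName": "ext.c1", "employeeID": "DUP-0003", "mail": "c1@example.org", "memberOf": []},
    {"sAMAccountName": "ext.c2", "employeeID": "DUP-0003", "mail": "c2@example.org", "memberOf": []},
]

class LinkError(Exception):
    """The eID identifier does not map to exactly one directory account."""

def link_eid_to_account(eid_identifier: str, directory: list[dict[str, Any]],
                        match_attribute: str = "employeeID") -> dict[str, Any]:
    """Look the eID's identifier up against the organization-chosen attribute."""
    hits = [acct for acct in directory if acct.get(match_attribute) == eid_identifier]
    # Zero hits means no registered account; more than one means the attribute is
    # not unique. Both are refused: taking the first hit could log the eID holder
    # in as the wrong person.
    if len(hits) != 1:
        raise LinkError(f"{len(hits)} accounts match {match_attribute}={eid_identifier!r}")
    return hits[0]

def build_token_claims(account: dict[str, Any], audience: str, amr: str) -> dict[str, Any]:
    """Copy identity attributes and authorizations into the token for `audience`."""
    # Only release a token if the account is authorized for the requested system.
    if audience not in account["memberOf"]:
        raise PermissionError(f"{account['sAMAccountName']} is not authorized for {audience}")
    return {"sub": account["sAMAccountName"], "aud": audience,
            "email": account["mail"], "groups": sorted(account["memberOf"]),
            "amr": [amr]}  # authentication method reference: "eid" or "mobile-app"

def login(eid_identifier: str, audience: str, amr: str = "eid") -> dict[str, Any]:
    """Full flow: link the eID to an account, then build the claims for one system."""
    account = link_eid_to_account(eid_identifier, EXTERNAL_USERS)
    return build_token_claims(account, audience, amr)
```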