Step B: Set up a Face Biometric authenticator

To use Face Biometrics with IDaaS for either registration or authentication, you need to create a workflow in Onfido and copy the Workflow ID into IDaaS. Depending on your infrastructure, you create a workflow based on the following requirements:

Local storage: Face biometrics are stored on a mobile device or IDaaS. In this configuration, the user data is not stored in Onfido and can be deleted after registration.

This option provides more security of personal information.

Recommended for environments that prioritize user control and privacy by limiting data storage to devices or IDaaS.

Works well for mobile-first scenarios.

Server storage—Face biometrics are stored in Onfido and can be viewed by administrators with access.

Ideal for scenarios with centralized control, enhancing scalability and security for both Web and mobile.

Step 1: Create the required Workflows in Onfido

Create the Onfido Workflow templates

The following table lists the Onfido registration and authentication templates required for each storage solution. Use the Onfido documentation to help you build the Workflows and copy the Workflow ID, which you will need in Step 2: Configure the Face Biometric authenticator policies in IDaaS. This table summarizes the workflow templates.

Table: Workflow summary

| Storage Type | Platform | Registration Template | Authentication Template |
|---|---|---|---|
| Local storage | Mobile | Document and Motion with On-device storage | Authentication with On-device storage |
| Local storage | Web | Document and Motion with Customer Infrastructure storage | Authentication with Customer Infrastructure storage |
| Server storage | Mobile and Web | Document and Motion Basic | Authentication with Document |

Create the required Workflows

Open the Onfido help for reference.

Log in to Onfido Workflow Builder.

Using the provided Workflow Summary Table, create the required workflows.

Open a text editor, such as Notepad, and copy and save the Workflow ID for each Workflow template. Be sure to make note of the template name that matches the workflow ID. You will need the workflow IDs in the next step.

In the text file, record the Property name of the Authentication Workflow.

Step 2: Configure the Face Biometric authenticator policies in IDaaS

Configure the Face Biometric authenticator policies in IDaaS

Click > Policies > Authenticators. The Authenticators page appears.

Click Face Biometric. The Face Biometric page appears.

In the Registration Workflow ID field, paste the registration Workflow ID you created in Onfido in Step 1: Create the required Workflows in Onfido.

In the Authentication Workflow ID field, paste the authentication Workflow ID you created in Onfido in Step 1: Create the required Workflows in Onfido.

In the Authentication Workflow ID field, paste the Authentication Workflow ID you created in Step 3: Create an Authentication Workflow in Onfido.

Confirm that the Authentication Input Name matches the Onfido Workflow input Property name that you made note of in Step 1: Create an Authentication Workflow in Onfido.

Note: The Authentication Input Name is not required for local storage of user biometrics.

Set the Renewal Time to the number of days before a user needs to re-register a Face Biometric.

Select the Default First Name Attribute from the drop-down list. This is the first name attribute sent to Onfido for matching verification.

Select the Default Last Name Attribute from the drop-down list. This is the last name attribute sent to Onfido for matching verification.

Select the device that users will use during registration and authentication:

Web to use a Web browser to run identity verification.

Mobile to use a mobile device to run identity verification.

If you select Mobile for registration and authentication, do the following:

Leave the default setting for Application Launch Scheme.

Enter the Activation Lifetime to set the amount of time in seconds that a user has to activate their Face Biometric.

Select Allow Unsecure Device to allow the Face Biometric to run on an unsecured device (such as custom ROM Androids or jail-broken iOS devices).

Select Enable Mutual Challenge to require users to respond to a mutual push authentication challenge. When enabled, users must match the challenge that appears on the IDaaS page with the mutual challenge shown in their Entrust Identity soft token app.

Select Require Identity Verification to require users to perform face biometric authentication during registration of the selected authenticator.

Note: Currently, only Entrust Soft Token is available for Identity Verification, and only with mobile devices.

Click Save.

Step 3: Create a custom authentication flow and resource rule

Create a custom authentication flow and a resource rule to allow Face Biometric as a second-factor authenticator.

Create a custom authentication flow and enable Face Biometric for second-factor authentication. See Create authentication flows.

Create a resource rule that uses the custom authentication flow that allows Face Biometric for second-factor authentication. See Create resource rules.

Step 4: Optional. Enable Face Biometric in the Registration policy

Enable Face Biometric in the Registration policy

To enable Face Biometric for user registration flow, set it to Required or Optional in the Registration policy. See Configure user registration.