App User Notifications & Safeguards
Issuers are required by law to have a process in place to notify Covered Accounts of physical address changes and requests for additional or duplicate physical cards. This is because physical cards are mailed to the physical address on file for that Covered Account. However, digital ID cards within ID123 are linked to a person through their confirmed email address and phone number. We therefore automatically notify each mobile application user to their email address of any new device logging into their account and having access to their digital ID cards. We also notify mobile application user of any change requested to their accounts registered email address and phone number. We require any change in the email address or phone number go through a double confirmation process with both the old and new email addresses to confirm the change.
When adding a card to an account, mobile application users are notified that we may submit their identity and device data to the institution issuing the card to verify their identity and to prevent identity theft. We provide options to Institutions to receive notifications of changes to accounts with their ID cards installed. This notification will enable them to know when new cards are duplicated, new devices are added or certain information has changed. The institution can then determine their obligations to investigate.
IDMS Administrator Safeguards
Institutions manage their IDMS(ID Management System) and are solely responsible for the account administrators they invite to manage the account and the accuracy of the data they add, edit, modify or delete from their account. The invitation process uses a two-factor activation in order to confirm the email address of the invitee. Institutions can revoke any administrators access to the IDMS instantly from within the IDMS. Roles are given to each administrator so that access can be configured only by those with more privilege. ID123 will keep a log of most actions taken by each administrator. An email notification is sent to IDMS administrators when a new administrator is added or an existing administrator is removed from the system.
When a mobile app user wants to add their digital ID card to the mobile application we create the Institution in our system and card templates for the type of card (ie Student, Parent, Employee, Member, etc) being requested. During this process, we make commercially reasonable efforts to check for the existence of the Institution being requested. This oftentimes requires us to request additional supporting information from the requestor. Because the card data is being manually added by the mobile app user either through a scan or typed in, we are not able to authenticate the card in question. To prevent misuse we do not display a ‘verified’ symbol a card of an institution that has not been authenticated so that it can be distinguished from an institution that has claimed and authenticated their account and issued their card to the user.
When a person claims to represent an institution and wants to creates or claim an account we take steps to authenticate their request and authority. We will compare their submitted information with known databases and request additional attestations. We continually review our procedures for authenticating IDMS ownership and authority.