Onfido Identity Verification

Onfido support was added to CAS in version 20210427.

Onfido helps companies see real identity – the humans behind the screens – using world-leading AI and identity experts. Your customers can prove their identities, wherever they are, with just an ID and their face.

- from https://onfido.com/

Configuration

Modify your server configuration to expose a subdomain or port pointing to the required endpoints.

  1. Onfido must be able to contact CAS at:

    1. https://[master IP]:7743/serverapi/apiv1/identity-check/onfidowh

    2. https://[master IP]:7743/serverapi/apiv1/identity-check/submit

  2. You must build a Verification Site, which will be exposed to the public. It must contact CAS at:

    1. https://[master IP]:7743/serverapi/apiv1/identity-check/submit

The endpoints must all be exposed via TLS/SSL. Unencrypted/unprotected endpoints will fail!

Choose a method to serve the TLS/SSL endpoints:

  1. Use free NGINX and Let’s Encrypt: https://generalbytes.atlassian.net/l/cp/nfb1x7Xd

    • A detailed NGINX server block is explained below, under “NGINX Server Block”.

  2. Use non-free Cloudflared: https://generalbytes.atlassian.net/l/cp/V4Me1X2b

The file /batm/config/onido can be used to steer the callbacks and webhooks.

  • The 2 settings are both optional. Each URL can include a port, but not a path.

  • webhook.onfido is the URL for Onfido to contact CAS.

  • webhook.verificationSite is the URL for the Verification Site to contact CAS.

webhook.onfido=https://onfido.yourcasdomain.com
webhook.verificationSite=https://yourcasdomain.com:8743
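A pre-deployment check for these two settings, as an added example that is not part of CAS or of the original page. It assumes the file uses plain key=value lines as shown above; the function names are hypothetical, and treating a trailing slash as a path is this example's own strict reading of "not a path".

```python
from urllib.parse import urlsplit

# The two optional keys named on this page.
KNOWN_KEYS = ("webhook.onfido", "webhook.verificationSite")


def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and # comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def check_webhook_url(value):
    """Return a list of problems for one webhook base URL (empty if fine)."""
    problems = []
    parts = urlsplit(value)
    if parts.scheme != "https":
        problems.append("scheme must be https (endpoints must use TLS)")
    if not parts.hostname:
        problems.append("missing host")
    try:
        parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        problems.append("invalid port")
    # Strict reading: even a bare trailing slash counts as a path.
    if parts.path or parts.query or parts.fragment:
        problems.append("must not include a path, query or fragment")
    return problems


def audit(text):
    """Map each known key that is set to its list of problems."""
    settings = parse_properties(text)
    return {k: check_webhook_url(settings[k]) for k in KNOWN_KEYS if k in settings}


# Constructed sample input: the page's example, then two broken variants.
GOOD = ("webhook.onfido=https://onfido.yourcasdomain.com\n"
        "webhook.verificationSite=https://yourcasdomain.com:8743\n")
BAD = ("webhook.onfido=http://onfido.yourcasdomain.com\n"
       "webhook.verificationSite=https://yourcasdomain.com:8743/serverapi\n")

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("bad", BAD)):
        print(name, audit(sample))
```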

Activate Onfido in your Organization settings:

Api Key: Set up your account with Onfido to acquire the necessary API key.

Verification Site URL: guidelines found here on our GitHub page.

Onfido region: EU, US, or CA (default = “EU”)


Change your AML/KYC settings

Set your Registration requirements to “Nothing. Direct customer to identity verification service via SMS”:

  • Set your Authentication methods & limits as you normally would.

  • A phone number is the minimum requirement for Authentication.

Choose the Autoregister type:

After Onfido processes your customer at the BATM, any newly proven Identity will be added to one of these two categories: Registered, or Not Registered.

  • Click the edit icon on the “Nothing….” button to view this option.

Disabled

  • the customer Identity will be added to “Not Registered”

Enabled

  • the customer Identity will be added to “Registered”

Save the AML/KYC setting!


How Onfido works at the BATM:

  1. Your customer chooses Registration during a transaction.

  2. Their (required) phone number is collected.

  3. Your customer will be sent further instructions via SMS (from Onfido). The link expires in 90 minutes.

  4. They click through and submit the requested documents.

  5. They’re notified of the results via SMS.


Registration procedure on CAS:

  • If the Autoregister option is enabled, and the customer is approved, then a new Registered Identity is automagically created.

  • If Autoregister is disabled, or Onfido has trouble with any of the submitted documents, then a new “Awaiting Registration” Identity is created.

    • Footnotes at the bottom of the Identity page will show what (if any) documents failed inspection.

Messages to your customers can be set in your Terminal’s Custom Strings:

See https://generalbytes.atlassian.net/l/c/FmAMHNPM for more details about Custom Strings.


Troubleshooting

Architecture

These key Onfido components are used in the Verification Flow Chart.

  1. User - a customer who uses the ATM and later their mobile phone to perform the verification.

  2. BATM server - the operator’s CAS server, which contains all identity data and communicates with our terminals.

  3. Verification site - an open-source web server application that runs on a separate server from CAS. This is the website to which customers are redirected by the ATM and which they open on their mobiles at the beginning of the verification process.

  4. Onfido cloud service - Onfido’s paid identity verification service. The CAS server uses its Onfido Verification Provider to talk and listen to Onfido service calls.

Interaction

  1. The User (End Customer) visits the ATM and requests a registration.

  2. The BATM Server obtains a unique applicant’s id and pairs it with an identity (i.e. phone number).

  3. The BATM Server calls the Verification Site and tells it to expect the visit of an applicant XYZ.

  4. The BATM Server sends an SMS to the User with a link to the Verification Site to start verification.

  5. The User visits the Verification Site, which contains JS+IFRAME to the Onfido verification service.

  6. The User goes through the complete verification.

  7. The Verification Site calls CAS and informs it that the applicant has finished the verification.

  8. Onfido performs a background check on the User.

  9. CAS is informed by Onfido that the verification is finished (including the particular result). CAS also downloads the Identity information (e.g. ID card photo) from the Onfido service.

  10. The BATM Server informs the User by SMS that their registration is finished, and the result.

  11. The User is now registered, revisits the ATM, and performs the purchase.

  12. Alternatively, you can use Open Extension to change the automatic registration, for example to not autoregister older people or kids.

Verification Flow Chart:

[Image: verification flow chart]

Notes:

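| # | Onfido results | CAS status of Identity |
|---|---|---|
| 1 | CLEAR | Registered when auto-registration is enabled. When auto-registration is disabled, the Identity becomes: Awaiting Registration |
| 2 | SUSPECTED_COMPROMISED_DOCUMENT | Identity rejected |
| 3 | SUSPECTED_DATA_CONSISTENCY | Identity rejected |
| 4 | SUSPECTED_POLICE_RECORD | Identity rejected |
| 5 | SUSPECTED_VISUAL_CONSISTENCY | Identity rejected |
| 6 | SUSPECTED_DATA_VALIDATION | Identity rejected |
| 7 | SUSPECTED_FACE_COMPARISON | Identity rejected |

| # | Onfido results | CAS status of Identity |
|---|---|---|
| 1 | REJECTED_AGE_VALIDATION | Rejected. The customer will need to retry the registration process again. |
| 2 | REJECTED_IMAGE_INTEGRITY | Rejected. The customer will need to retry the registration process again. |

| # | Onfido results | CAS status of Identity |
|---|---|---|
| 1 | CAUTION_VISUAL_CONSISTENCY | Awaiting registration. Demands manual verification, even if auto-registration is set up. |
| 2 | CAUTION_IMAGE_INTEGRITY | Awaiting registration. Demands manual verification, even if auto-registration is set up. |
| 3 | CAUTION_DATA_COMPARISO | Awaiting registration. Demands manual verification, even if auto-registration is set up. |
| 4 | CAUTION_FACIAL_COMPARISON | Awaiting registration. Demands manual verification, even if auto-registration is set up. |
| 5 | CAUTION_DATA_VALIDATION | Awaiting registration. Demands manual verification, even if auto-registration is set up. |
| 6 | CAUTION_DATA_CONSISTENCY | Awaiting registration. Demands manual verification, even if auto-registration is set up. |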


NGINX Server Block

This demonstration NGINX server block contains typical settings.

server {
    server_name onfido.yourcasdomain.com;
    access_log /var/log/nginx/onfido_access.log;
    error_log /var/log/nginx/onfido_error.log;

    # TLS listener: the endpoints must not be served unencrypted
    listen 8743 ssl;
    ssl_certificate /etc/letsencrypt/live/yourcasdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourcasdomain.com/privkey.pem;

    # Webhook endpoint (replace 10.3.2.1 with your master IP)
    location /serverapi/apiv1/identity-check/onfidowh {
        proxy_pass https://10.3.2.1:7743/serverapi/apiv1/identity-check/onfidowh;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Submit endpoint (replace 10.3.2.1 with your master IP)
    location /serverapi/apiv1/identity-check/submit {
        proxy_pass https://10.3.2.1:7743/serverapi/apiv1/identity-check/submit;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
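One way to audit a server block like the one above before reloading NGINX, as an added example that is not part of the original page or of CAS. It checks that every listener uses ssl and that only the two identity-check paths are proxied; the function name is hypothetical and the regex parsing assumes a simple block with no nested braces inside a location.

```python
import re
from urllib.parse import urlsplit

# The only two CAS paths this page says must be reachable from outside.
ALLOWED = {
    "/serverapi/apiv1/identity-check/onfidowh",
    "/serverapi/apiv1/identity-check/submit",
}
LISTEN_RE = re.compile(r"\blisten\s+([^;]+);")
LOCATION_RE = re.compile(r"\blocation\s+(?:[=~^*]+\s+)?(\S+)\s*\{([^{}]*)\}")
PROXY_RE = re.compile(r"\bproxy_pass\s+([^;\s]+)\s*;")


def audit_server_block(conf):
    """Return a list of findings for one NGINX server block given as text."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments before matching
    findings = []
    for args in LISTEN_RE.findall(conf):
        if "ssl" not in args.split():
            findings.append(f"listen {args.strip()}: no ssl")
    for path, body in LOCATION_RE.findall(conf):
        target = PROXY_RE.search(body)
        if target is None:
            continue  # location is not forwarded to CAS
        if path not in ALLOWED:
            findings.append(f"location {path}: proxies more than the two required paths")
        elif urlsplit(target.group(1)).path != path:
            findings.append(f"location {path}: upstream path differs")
    return findings


# Constructed samples: a trimmed copy of the page's block, and a too-broad variant.
UPSTREAM = "https://10.3.2.1:7743"
TIGHT = "server { listen 8743 ssl; " + " ".join(
    f"location {p} {{ proxy_pass {UPSTREAM}{p}; }}" for p in sorted(ALLOWED)) + " }"
BROAD = f"server {{ listen 8743; location / {{ proxy_pass {UPSTREAM}; }} }}"

if __name__ == "__main__":
    for name, conf in (("tight", TIGHT), ("broad", BROAD)):
        print(name, audit_server_block(conf) or "ok")
```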


Copyright © 2020-2024 General Bytes USA LLC