# How it works

MobileID is a product that securely binds a device to a user. The device can then be used to authorise returning access or operations. MobileID consists of two main components: an identity store for storing users, and devices which are used for mobile authentication.

# Identity store

Once you have created a MobileID user in our identity store, you can add devices used for authentication and authorisation operations in your mobile app. A MobileID user can have multiple devices registered.

You also have the flexibility to add any custom attributes to a user, such as an address or phone number. Identity attributes are stored within our MobileID identity store as key-value pairs.

The identity of a user is proofed outside of MobileID. The product allows you to support different proofing mechanisms depending on your target markets, whilst still using the same identity store and mobile authentication solution. For the proofing mechanism, you can use:

# User management operations

  • Create new users
  • Get a user and its attributes
  • Update a user and its attributes
  • Deactivate a user
  • Lock and unlock a user

See user management operations in our MobileID API reference documentation for further details.

# Mobile authentication

Our Strong Customer Authentication (SCA) mobile product is based on a challenge and response protocol. All communication between our MobileID backend and the SDK is secured with application layer encryption. This protects every message passed between the MobileID service and the mobile app using our SDK.


Our solution is compliant with the Payment Services Directive (PSD2) and can be used for high-value transactions.

# Device operations

With MobileID's device operations, you can conduct a:


Register a new device to an identity. An identity must have at least one registered device in order to perform any of the other device operations.

See Registration in our MobileID API reference documentation for further details.

Authentication and Authorisation

Trigger an authentication or an authorisation for a user.

This can be used whenever:

  • You need to verify that it is the same user accessing your services.
  • You need the user to confirm a transaction.
  • You need the user to perform a payment authorisation.

For all authorisations, we dynamically link the context to the transaction. This ensures compliance with the PSD2 RTS.

See Authentication in our MobileID API reference documentation for further details.
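
The dynamic linking described above, sketched as an added example (not Signicat's code and not MobileID's actual protocol): the device's response covers both the server's single-use challenge and the transaction context, so a replayed response or an altered amount or payee fails verification. The HMAC over a per-device key, the `Backend` class and all field names are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: a per-device symmetric key stands in for the device-bound
# credential; the page does not describe MobileID's real key material.
DEVICE_KEY = secrets.token_bytes(32)

def canonical(context: dict) -> bytes:
    """Serialise the transaction context deterministically before signing."""
    return json.dumps(context, sort_keys=True, separators=(",", ":")).encode()

def device_respond(key: bytes, nonce: bytes, context: dict) -> str:
    """Device side: bind the response to the nonce AND the context shown to the user."""
    msg = nonce + b"." + canonical(context)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Backend:
    """Server side (hypothetical): issues single-use challenges, verifies responses."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = {}  # nonce -> context the server intends to authorise

    def start(self, context: dict) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = dict(context)
        return nonce

    def verify(self, nonce: bytes, response: str) -> bool:
        # pop() makes each challenge single-use, so a captured response
        # cannot be replayed against the same operation.
        context = self._pending.pop(nonce, None)
        if context is None:
            return False
        expected = device_respond(self._key, nonce, context)
        return hmac.compare_digest(expected, response)

def demo() -> dict:
    backend = Backend(DEVICE_KEY)
    # Constructed sample transaction context.
    payment = {"amount": "250.00", "currency": "EUR", "payee": "PAYEE-A"}
    n1 = backend.start(payment)
    good = device_respond(DEVICE_KEY, n1, payment)
    ok, replay = backend.verify(n1, good), backend.verify(n1, good)
    n2 = backend.start(payment)
    tampered = dict(payment, payee="PAYEE-B")  # context differs from the server's
    altered = backend.verify(n2, device_respond(DEVICE_KEY, n2, tampered))
    return {"ok": ok, "replay": replay, "altered": altered}
```
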

Consent signature

This is similar to the authorisation operation, except that we return a signed JWT of the transaction. This JWT can be stored and used to prove that the transaction occurred and was authorised by the user.

See Signature in our MobileID API reference documentation for further details.

# Device operation endpoints

Each device operation has three endpoints:

  • Start an operation
  • Get status of an operation
  • Cancel an operation

# Device operation steps

Each device operation consists of three steps:

  1. Initiate operation
    All operations are initiated by making a request to our MobileID REST APIs.
    See our MobileID API documentation for detailed descriptions of the different MobileID operations.

  2. Carry out operation on device
    Once an operation has been initiated, it is carried out from within your application, using our SDK. Most of our SDK APIs consist of a start and a finish operation. For more documentation on the SDKs, contact us at: support@signicat.com.

  3. Finalise operation
    When the operation is completed on the device and our service has verified the operation, we will send a callback notification to your server with the result of the operation.

# Integration flow diagrams

The sequence diagrams below provide an overview of the operations that make up the integration process.

# Device management operations

  • Get device information
  • Deactivate a device
  • Lock and unlock a device

See device management operations in our MobileID API reference documentation for further details.


The device management operations are API calls that allow you to manage all devices in your MobileID identity store, and therefore do not require any device interaction.


Last updated: 11/04/2024 07:47 UTC