itsme offers a secure and easy means of electronic identification that allows end-users to digitally log in to and register for business and government services, confirm transactions, and sign documents. The scheme is run by Belgian Mobile ID (BMID), a consortium of Belgian banks and mobile network operators.
- Trusted identities verified by Belgian Mobile ID
- Supports PIN and fingerprint, as well as binding of the app to a SIM card
- End-users can monitor which data is shared and with whom
- Supports both Advanced Electronic Signatures (AES) and Qualified Electronic Signatures (QES)
Individuals over 18 years old who are in possession of a Belgian mobile phone number and a Belgian eID can obtain an itsme account to use with an iOS or Android phone. In order to pair the itsme app with an identity, the end-user needs to go through a registration process. The bulk of end-users will do so by authenticating with one of the participating banks. Once the itsme app has been paired with an identity, Signicat supports itsme for identity verification, authentication, and confirmation of transactions (in combination with Signicat’s signing solution).
Integrating with itsme through Signicat
Web integration with itsme is done via the same API as Signicat’s other ID methods. See “Get Started With Authentication” for more information. Through this single point of integration, you get access to Signicat’s wide portfolio of integrated ID methods, not only itsme but also other services such as identity paper verification and lookups.
Signicat supports both SAML and OpenID Connect (OIDC) protocols for integration with itsme.
In the case of OIDC, the Authorization Code flow is used. The flow typically begins with the end-user clicking a button on a service provider’s website or in an app, e.g. to log in to an account or to register for a newsletter. The end-user is then redirected to Signicat’s authentication portal interface. Signicat then redirects the end-user to the itsme Authorization endpoint. Depending on whether the end-user action was initiated from a website or an app, this will be either a web page or a webview. The parameters of the redirect URL contain all the information itsme needs to perform authentication and authorization, such as:
- the service the end-user is trying to use
- the end-user’s identity data attributes, as requested by the service provider
- the userCode (if the provider has previously retrieved it)
The end-user is then redirected to the itsme environment, and identification is performed by itsme.
The itsme identity information that was requested by the service provider is now shown to the end-user, who is prompted to prove their identity and approve the sharing of their identity data by providing their fingerprint or PIN.
On successful identification by the end-user, itsme sends an Authorization Code to the Signicat backend. Signicat can then:
- send a request to the Token endpoint to retrieve the Access Token and the ID Token. The ID Token contains the userCode, which can be used to match the end-user against previous sessions, and
- send a request to the UserInfo endpoint providing the Access Token and the ID Token, to retrieve end-user identity data that the end-user has authorized for retrieval.
The end-user is then notified that the request was successfully performed and Signicat sends a callback to the service provider with the requested information.
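The Authorization Code exchange described above, implemented from the relying-party side as an added example (not Signicat’s or itsme’s code): it shows the state and nonce checks, validation of the ID Token, and matching the userCode against end-users seen in previous sessions. The endpoints, client credentials, the HS256 shared-secret signature and the use of the `sub` claim as the userCode are assumptions made so the demo runs offline; a real deployment verifies the provider’s asymmetric signature against its published keys.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode
# Hypothetical placeholders for the demo; not Signicat's or itsme's real endpoints or credentials.
AUTHZ_ENDPOINT, ISSUER, CLIENT_ID = "https://idp.example/authorize", "https://idp.example", "sp-client-placeholder"
CLIENT_SECRET = b"client-secret-placeholder"  # assumed HS256 key so the demo runs offline

def _b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64u_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_authorization_url(redirect_uri, scopes):
    """Step 1: state ties the callback to this browser session (CSRF); nonce ties the ID Token
    to this request (replay). Both are kept server-side and checked on the way back."""
    session = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": redirect_uri,
              "scope": " ".join(scopes), **session}
    return AUTHZ_ENDPOINT + "?" + urlencode(params), session

def mint_id_token(claims):
    """Constructed stand-in for the Token endpoint's ID Token (HS256, demo only)."""
    head, body = _b64u(b'{"alg":"HS256","typ":"JWT"}'), _b64u(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64u(sig)}"

def validate_id_token(id_token, expected_nonce, now=None):
    """Step 3: check alg, signature, issuer, audience, expiry and nonce before trusting any claim."""
    head, body, sig = id_token.split(".")
    if json.loads(_b64u_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    want = hmac.new(CLIENT_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64u(want), sig):
        raise ValueError("bad signature")
    claims = json.loads(_b64u_decode(body))
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER or CLIENT_ID not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= (now or time.time()):
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed or foreign token)")
    return claims

def handle_callback(query, session, exchange_code, known_users):
    """Step 2: verify state, swap the code for tokens (exchange_code posts to the Token endpoint
    in real use), validate the ID Token, then match the userCode (sub) against previous sessions."""
    if not hmac.compare_digest(query.get("state", ""), session["state"]):
        raise ValueError("state mismatch (possible CSRF or mixed-up session)")
    claims = validate_id_token(exchange_code(query["code"])["id_token"], session["nonce"])
    return {"user_code": claims["sub"], "returning": claims["sub"] in known_users}
```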
itsme can be used for end-user registration for services, with sharing of personal details.
When using itsme to register for a service, an itsme identity can provide the following information:
- Last name
- Given name(s)
- Date of birth
- Legal address of principal residence
- E-mail address
- Phone number
To be able to sign up for a service, you can identify yourself using your itsme identity. The itsme app will let you know which personal details the service requires for registration, and an account with the service provider will be created without the need to manually enter any personal information.
An example of an OpenID Connect (OIDC) response when itsme is used for registration can be found here.
An example of a SAML 1.1 response when itsme is used for registration can be found here.
When the end-user has completed the registration process with the service provider, itsme can be used for authentication by verifying an existing end-user’s identity in order to log in to a service.
To be able to log in to your account on a service provider’s website, such as a bank, you have to authenticate to prove your identity. itsme can be used for authentication, the same way it can be used for registering as a new customer.
itsme can be used for end-user identification when identification is needed to confirm a transaction carried out over the internet, either through an app or a website, or in combination with Signicat’s signing solution. This process produces an Advanced Electronic Signature (AES).
When using itsme to confirm a transaction or approve and sign a document, an itsme identity provides the following information:
- Last name
- Given name(s)
For more information on how to integrate with Signicat’s signing solution, see Get Started With Signing.
A possible use case is the approval of a payment transaction or the signing of a document.
When the Confirm use case is used with Signicat Sign, the signing result will be a PAdES (PDF Advanced Electronic Signature) consisting of one or more signed documents (XAdES, implemented as LTV-SDO). An example of a PAdES as a signing result can be found here.
itsme can be used in signing flows in order to facilitate Qualified Electronic Signatures (QES) through the Signicat Sign API. From an end-user perspective, the signing flow is similar to the Advanced Electronic Signature (AES) signing flow in the Confirm use case, but there is a technical difference.
In the QES flow, a document hash is sent to and signed by itsme. This is required in order to process Qualified Electronic Signatures. Sending and retrieving the hash is facilitated by Signicat. The only technical requirement for using qualified signatures in the signing flow is that you specify ‘itsme QES’ as the signing method. Signicat will then apply that signing method to your signing order.
When the Sign use case is used with Signicat Sign, the signing result will be a PAdES (PDF Advanced Electronic Signature) consisting of one or more signed documents (XAdES, implemented as LTV-SDO). An example of a PAdES as a signing result can be found here.
Technical details on the Sign API can be found here.
How to get started with itsme
If you want to start using itsme through Signicat, get in touch with us and our sales team will guide you through the process.
Signicat’s test environment preprod.signicat.com is available 24×7, and may be used during your development and test phase.
After you are registered as a service provider on the itsme platform, you will receive a client_id and a client_secret to authenticate your application. For test purposes, you can follow the instructions listed here.
- Information about Belgian Mobile ID (BMID): https://www.belgianmobileid.be/en
- Information about itsme: https://www.itsme.be
- itsme Relying Party guidelines and other policy documents: https://www.itsme.be/en/legal/document-repository
- itsme branding guidelines: https://brand.belgianmobileid.be/d/V8JsvxIYy349