About itsme®
How it works
itsme® allows to securely identify end-users digitally with validated attributes.
Through Signicat, you can implement itsme® in your application and provide your end-users with the possibility to identify and/or authenticate themselves through their trusted bank environment.
Itsme® uses multi-factor authentication and each itsme® action requires consent from the end-user. These features allow the end-user to decide what data to share and with whom.
Geographic coverage
itsme® is an eIDAS-notified identity provider in Belgium. Although the scheme originated in Belgium, it is now available in the following countries:
- Belgium
- Estonia
- France
- Ireland
- Italy
- Luxembourg
- Portugal
- The Netherlands
itsme® has millions of users in the Belgium market. In other countries, adoption of itsme® is limited but increasing steadily.
For an overview of countries and ID documents supported by itsme®, visit the official coverage page at https://www.itsme-id.com/en-BE/coverage.
Process flow
The following steps represent an example of an itsme® flow:
- The end-user visits your website and proceeds to onboard/authenticate through itsme®.
- Your backend sends a request to the Signicat platform to trigger an itsme® process for the end-user.
- The end-user is redirected to itsme® where they must provide their mobile phone number in the itsme® UI. On a mobile device, end-users view directly the itsme® app without the need to provide their mobile number.
- In the itsme® mobile app, the end-user must consent to sharing their data. After consenting, the end-user is redirected back to your website.
- Signicat then retrieves a confirmation of a successful transaction and returns the attributes to you.
The following video shows an example of an identity verification flow with itsme®:
itsme® demo
Note that itsme® offers separate services to address different digital use cases. This means that for each itsme® service:
- The end-user follows a distinct UX flow.
- You need to tailor your request to Signicat.
- The end-user data you can receive in return varies per itsme® service.
itsme® services
The itsme® scheme supports different use cases, designed to address different identity verification scenarios. These correspond to services. Signicat supports the following itsme® services:
- Authentication: Allows you to authenticate returning end-users. Use this to log in your end-users already registered with your platform.
- Identification: Allows you to identify and onboard new end-users, access their verified data and sign documents with Advanced Electronic Signature (AES).
- Signing: Allows you to sign documents electronically with Qualified Electronic Signature (QES) (this is an advanced configuration only available on request).
You control which service to use to verify the end-user's identity by defining attributes in your request to Signicat. You specify attributes as parameters in the authorisation request. Learn more in the Attributes reference documentation.
Note that every service leads to a distinct UX flow for the end-users and requests different personal information.
Level of Assurance (LoA)
The European Union (EU) officially recognised itsme® as a reliable means of identification at a high Level of Assurance. Therefore, connecting to itsme® through Signicat always leads to processed with High LoA.
User data
The itsme® Identification service provides the following user information (note that other itsme® services return less information):
- First name(s)
- Family name
- Sex
- Date of birth
- Email address*
- Phone number
- (Legal) address*
- Postal code*
- City*
- Country*
- Locale*
Additional protected information
To obtain additional data attributes, you must request them to an onboarding manager before you start integrating with Signicat. For example, access to the Belgian national identification number is subject to legal restrictions that require you to justify the purpose. Additional attributes you may request are:
- Place of birth
- eID card number (the eID card serial number)
- National identification number (in Belgium: "Rijksregisternummer")
- Nationality*
- Issuance locality*
- Validity of the eID card*
- eID picture* (portrait picture of the cardholder)
* itsme® does not guarantee the availability of these attributes for all end-users.
Data availability varies depending on the type of account you are using. These are:
- In a sandbox account, you can test your integration with all the available attributes.
- In a production account, certain attributes may be restricted by GDPR regulations or subject to specific legislation. In such cases, you must apply for additional authorisation.
For additional information, contact the Signicat onboarding team.
Subject ID and logins
The itsme® Authentication service only returns a unique ID (know as subject ID) for a specific end-user. To verify an end-user across recurring authentications, you need to match the new unique ID with the unique ID obtained from a previous itsme® identity verification process. Therefore, the subject ID acts as a way to log in the end-users when they return to your application.
For an overview of all attributes and claims for each itsme® service, read the Attributes reference documentation.
The national identity number (NIN) is only available for individuals with a document issued by the Belgian government.
Note that itsme® does not return the NIN for citizens of other countries. However, you can still retrieve information about their ID document, such as document number, expiration date and document type.
External links
Here is a list of useful references itsme® concepts: