Request Data Verification

Service providers have the option to ask BindID to collect and verify user information, such as their mobile phone number and email. The first time any service provider requests verification of a specific identifier, BindID will collect the user identifier and verify it using a one-time code (OTP). For example, the user's phone number will be verified by sending an OTP code by SMS. Once an identifier has been verified, it won't be verified again.

You can request data verification using the verifications meta tag (see Request Authorization) or using the verifications parameter of the SDK authenticate() method (see API reference). The BindID SDK will add requested verifications to the OIDC authorization request as ACR values (e.g., ts.bindid.iac.email for email and ts.bindid.iac.phone_number for phone). If data has been verified, it will be indicated in the ACR claim of the ID Token (see ID Token Claims).

User information that is collected during a data verification flow can be requested using scopes (e.g., via meta tags). For example, the phone scope will return the user's phone number if it was collected during a prior verification.

Note: If data verification is requested but the corresponding scopes are not passed, the data will be collected and verified (if it wasn't already), but this data won't be returned in the ID token. What's more, if scopes are requested for data that was never collected, this data will not be returned.