Request Data Verification

Service providers have the option to ask BindID to collect and verify user information, such as their mobile phone number and email. The first time any service provider requests verification of a specific identifier, BindID will collect the user identifier and verify it using a one-time code (OTP). For example, the user's phone number will be verified by sending an OTP by SMS. Once an identifier has been verified, it won't be verified again.

You can request data verification using the acr_values request parameter when calling /authorize_ciba (e.g., ts.bindid.iac.email for email and ts.bindid.iac.phone_number for phone). If data has been verified, it will be indicated in the ACR claim of the ID Token (see ID Token Claims).

Note: If data verification is requested but the corresponding scopes are not passed, the data will be collected and verified (if it wasn't already), but this data won't be returned in the ID token. What's more, if scopes are requested for data that was never collected, this data will not be returned.
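The following relying-party check is an added example, not BindID's own code: it builds the acr_values string and then classifies each requested identifier according to the rules above, including the two cases in the note. It assumes the ID token's signature, issuer and audience were already validated, that the acr claim echoes the requested values (as a list or a space-separated string), and that the standard OIDC scopes email and phone map to the email and phone_number claims; check these against ID Token Claims.

```python
# Added example. `claims` is the payload of an ID token that was ALREADY validated.
ACR_EMAIL = "ts.bindid.iac.email"          # value given on this page
ACR_PHONE = "ts.bindid.iac.phone_number"   # value given on this page

# Assumption: standard OIDC scope names and claim names for each identifier.
IDENTIFIERS = {
    ACR_EMAIL: {"scope": "email", "claim": "email"},
    ACR_PHONE: {"scope": "phone", "claim": "phone_number"},
}

def build_acr_values(*acrs):
    """Return the space-separated acr_values string, rejecting unknown values."""
    unknown = [a for a in acrs if a not in IDENTIFIERS]
    if unknown:
        raise ValueError(f"unsupported acr value(s): {unknown}")
    return " ".join(dict.fromkeys(acrs))  # de-duplicate, keep order

def _acr_set(claims):
    """Normalise the acr claim (assumed list or space-separated string) to a set."""
    acr = claims.get("acr") or []
    return set(acr.split() if isinstance(acr, str) else acr)

def check_verification(acr_values, scope, claims):
    """Map each requested acr value to (status, value); only 'verified' carries data."""
    granted, scopes, result = _acr_set(claims), set(scope.split()), {}
    for acr in acr_values.split():
        info = IDENTIFIERS.get(acr)
        if info is None:
            continue  # not an identifier-verification value
        value = claims.get(info["claim"])
        if acr not in granted:
            result[acr] = ("not_verified", None)           # fail closed
        elif info["scope"] not in scopes:
            result[acr] = ("verified_not_returned", None)  # scope was not requested
        elif not value:
            result[acr] = ("verified_claim_missing", None)
        else:
            result[acr] = ("verified", value)
    return result

if __name__ == "__main__":
    # Constructed sample: both verifications requested, only the email scope passed.
    sample = {"acr": [ACR_EMAIL, ACR_PHONE], "email": "user@example.test"}
    requested = build_acr_values(ACR_EMAIL, ACR_PHONE)
    for acr, outcome in check_verification(requested, "openid email", sample).items():
        print(acr, outcome)
```

Treat every status other than "verified" as unusable for account decisions such as recovery or contact updates.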