ID Authentication Services


ID Authentication is built as an independent service that can be seeded with data for authentication by any system, including MOSIP. In the current design, we can have multiple IDA modules running from a single issuer.

The ID Authentication (IDA) module of MOSIP consists of the following services:

  1. Authentication Services

  2. OTP Service

  3. Internal Services

Authentication Services

The services mentioned below are used by Authentication or e-KYC Partners.

  • Authentication Service: used to authenticate an individual's UIN/VID using one or more authentication types.

  • KYC Authentication Service: used to request e-KYC for an individual's UIN/VID using one or more authentication types.

OTP Request Service

OTP Request Service is used by Authentication/e-KYC Partners to generate OTP for an individual's UIN/VID. The generated OTP is stored in IDA DB for validation during OTP Authentication.

Internal Services

  1. Internal Authentication Service - The authentication service used by internal MOSIP modules such as Resident Service, Registration Processor and Registration Client to authenticate individuals.

  2. Internal OTP Service - used by Resident Service to generate OTP for an Individual for performing OTP Authentication.

  3. Authentication Transaction History Service - used by Resident Service to retrieve a paginated list of authentication and OTP Request transactions for an individual.

Credential issuance callback

  • ID Authentication uses the credential data of the individuals for performing authentication.

  • This credential is requested by ID Repository upon any UIN insertion/update or VID creation.

  • The credential is created by Credential Service uploaded to Datashare service and the Datashare URL is sent to ID-Authentication using WebSub message.

  • WebSub invokes the credential-issuance callback in ID Authentication where the credential data is downloaded from Datashare and then stored in IDA DB.

Key generation

ID Authentication needs the below keys to be generated during the deployment for usage in Authentication Service.

  1. IDA IDENTITY_CACHE(K18) symmetric key to encrypt and decrypt the Zero-knowledge 10K random keys

  2. IDA ROOT master key(K15)), IDA module master key(K16), IDA-SIGN master key

  3. Base keys CRED_SERVICE(K22), IDA-FIR(K21), INTERNAL(K19), PARTNER(K20)

Authentication client demo app

This is a reference application to demonstrate how authentication and KYC can be performed by Authentication Partners.

Refer to the repository for more details.

Below is the sample authentication demo UI image.

Authentication Error Eventing

The ID Authentication service now offers an Authentication Error Eventing feature. When an authentication related error occurs, a message will prompt to the user to retry after a few minutes. In the meantime, Kafka event will be triggered to publish the data to the designated topic, allowing subscribers to receive a message for further processing.

This feature can be utilized for different use cases such as on demand template extraction, report generations, to identify any fraudulent occurrence etc.

One such use case is on demand template extraction. In an instance where a user has successfully registered and obtained a valid UIN/VID but encounters an error during authentication due to unavailability of the entered UIN/VID in the IDA DB, this feature comes into play. This issue tends to occur particularly during periods of high registration and UIN generation volumes, where additional time is needed for data transmission from the ID Repo to the IDA DB. This authentication error eventing feature will help in capturing the errors related to this issue and event will be created. subscribers can capture this event and process them accordingly to enable the template extraction to proceed with the authentication/verification process.

This feature is designed to be a plugin feature in IDA, which can be configured based on the requirement. To enable the feature below property should be marked as True:


Once this property is enabled, related kafka property setup should be installed to utilize the feature.

For further guidance on this feature, you can refer here

Subscribers who will be subscribing to the event should be onboarded as authentication partners. To on board subscribers below steps needed to be followed:

Steps to onboard the subscribers:

  1. Create a policygroup by the name mpolicygroup-default-tempextraction

  2. The policy should be configured to not allow any authentication to be carryout but the partner except reading the kafka event. To attain this, allowedAuthTypes should be marked as null

For example:

{"authTokenType":"partner","allowedKycAttributes":[{"attributeName":"fullName"},{"attributeName":"gender"}, {"attributeName":"residenceStatus"},{"attributeName":"dateOfBirth"},{"attributeName":"photo"}],"kycLanguages":["ara","eng"],"allowedAuthTypes":[]}

  1. Publish the policygroup and policy

  2. Refer this link to onboard the subscribers as authentication partners. The name of the partner should be mpartner-default-tempextraction

Note: This feature is exclusively available in ID Authentication version only. To configure the latest version of IDA and access this new feature, please refer to this link here


Refer to ID Authentication Configuration Guide.

Developer Guide

To know more about the developer setups, read:


Refer API Documentation.

Source code

Github repo.

Last updated

Copyright © 2021 MOSIP. This work is licensed under a Creative Commons Attribution (CC-BY-4.0) International License unless otherwise noted.