Description

Human Identity Authentication Service

The Human Identity Authentication Service, as part of the Human Identity Hub, is the central authority for all human subscriber authentication. It validates subscriber identities and issues authentication assertions to relying parties and service providers registered in the Machine Identity Hub for Human-to-Machine authentication.


Supported Authenticators

The Service supports both internal and external authenticators. Every authenticator must be explicitly enabled and configured; none are active by default.

Internal Authenticators

  • Password

  • Email

  • Phone

  • Passkeys

  • TOTP

External Authenticators

  • Social IdPs: Apple, Facebook, Google, Microsoft

  • Government IdPs: eHerkenning, DigiD, European Login

  • Enterprise IdPs: Microsoft Entra ID, Google Workspace, Okta

Authenticators are configured at the tenant level. If permitted by tenant policy, organizations may enable or disable individual internal authenticators and add external authenticators.


Enrollment and Authenticator Binding

Accounts and authenticators can be established in four ways:

  • Pre-Enrollment – provisioned in advance, either administratively or through integration with external systems.

  • Self-Registration – subscribers create accounts directly in the Human Identity Hub and register authenticators during enrollment.

  • Account Linking – additional authenticators, including external IdPs, may be linked after enrollment.

  • Just-in-Time Registration – accounts may be created automatically at the first use of an external IdP.

Authenticators can be renewed, revoked, or recovered as part of their lifecycle. Enrollment and recovery are configured at the tenant level. If permitted by tenant policy, organizations may allow or restrict pre-enrollment, account linking, and just-in-time registration.


Account Recovery

The Service supports account recovery in two modes:

  • Manual Recovery – the credential service provider resets authenticators after validating the subscriber through a support ticket process.

  • Automated Recovery – will be introduced once it can be delivered securely and reliably.

Account Recovery permissions are configured at the tenant level and may be further refined at the organizational level.


Session Management

The Service maintains authenticated sessions to preserve assurance between authentications. Sessions may require re-authentication after defined periods or inactivity. Logout events can be propagated by relying parties and service providers.

Session management is configured at the tenant level and may be refined at the organizational level if permitted by tenant policy.
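The tenant-level configuration with organization-level refinement "if permitted by tenant policy" that runs through the authenticator, enrollment, recovery and session sections above, as an added example that is not the Service's own code: it resolves a tenant policy and an organization's overrides into one effective policy, with everything off until explicitly enabled. Setting names and the "delegated" set are assumptions standing in for the page's wording.

```python
# Added example, not the Service's own code: resolve the tenant-level policy
# plus an organization's overrides into one effective policy. Setting names are
# constructed from the page's lists; the "delegated" set is an assumption
# standing in for "if permitted by tenant policy".
from dataclasses import dataclass, field

AUTHENTICATORS = {"password", "email", "phone", "passkeys", "totp"}
ENROLLMENT_MODES = {"pre_enrollment", "account_linking", "jit_registration"}
SETTINGS = AUTHENTICATORS | ENROLLMENT_MODES


@dataclass
class TenantPolicy:
    enabled: set = field(default_factory=set)    # on for every organization
    delegated: set = field(default_factory=set)  # organizations may change these


def rejected_overrides(tenant: TenantPolicy, org_overrides: dict) -> set:
    """Settings an organization tries to change without tenant permission."""
    return {s for s in org_overrides if s not in tenant.delegated}


def effective_policy(tenant: TenantPolicy, org_overrides: dict) -> dict:
    """Return {setting: bool} for one organization.

    Deny-by-default: nothing is active until the tenant enables it, and an
    organization may only change settings the tenant delegated. A non-delegated
    override is rejected rather than silently dropped, so a misconfiguration
    surfaces instead of quietly widening access.
    """
    unknown = (set(tenant.enabled) | set(org_overrides)) - SETTINGS
    if unknown:
        raise ValueError(f"unknown settings: {sorted(unknown)}")
    rejected = rejected_overrides(tenant, org_overrides)
    if rejected:
        raise PermissionError(f"not delegated by tenant: {sorted(rejected)}")
    effective = {s: False for s in SETTINGS}
    effective.update({s: True for s in tenant.enabled})
    effective.update({s: bool(v) for s, v in org_overrides.items()})
    return effective


def sample_scenario() -> dict:
    """Constructed tenant: password, passkeys and account linking on by
    default; organizations may switch email, phone and JIT registration."""
    tenant = TenantPolicy(enabled={"password", "passkeys", "account_linking"},
                          delegated={"email", "phone", "jit_registration"})
    return effective_policy(tenant, {"email": True, "phone": False})
```

Note that an organization disabling a tenant-enabled authenticator (for example `password`) without delegation raises `PermissionError`, which is the behaviour a policy reviewer wants to see rather than a silent merge.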
