Identity as a Service overview
This documentation is intended for any Subscribing organisation or service that intends to become a relying party or service provider that uses the Mydex Identity as a Service (IDaaS) to replace their existing username and password services, or to add Mydex into their supported Identity Providers.
Background
Mydex is an ISO27001 certified company and acts as an identity service provider in two specific capacities:
- On behalf of Subscribing organisations who are seeking to get out of the management of usernames and passwords and embrace a secure federated identity service model. These Subscribing organisations can make use of OpenIDConnect to achieve registration and a single-sign-on experience for members.
- On behalf of its members (individuals) by providing a privacy protecting reusable MydexID they can use across the internet to gain access to services that support open protocols. The aim is to put an end to the proliferation of multiple usernames and passwords issued by all sorts of organisations with all of the attending risks and issues around management of these.
- The MydexID supports the industry standard identity protocol known as OpenIDConnect. This means our members can use it wherever this standard is supported.
- The MydexID is privacy protecting because all activity undertaken with a MydexID is recorded in the member's personal data store and not shared with anyone unless the individual specifically chooses to share it via a trusted connection across the Mydex Trust Framework.
- The MydexID also ensures the individual/member controls what data is shared with third parties and gives them the ability to revoke that access directly themselves at any time.
- This self-sovereign MydexID is the individual's for life. They control where and when it is used and can attach whatever information they wish to it to support online transactions.
The key differentiation is that the MydexID is centred on the individual, self-sovereign and can be used in any context of their life for personal, business and civic engagement. The MydexID ensures that the individual remains in control of their digital identity at all times.
Mydex, as a community interest company, provides services to individuals free of charge at all times, which means the MydexID and underpinning personal data store is available, free of charge, for life.
Linked to the member's MydexID is their Personal Data Store (PDS) which is stored in the Mydex Safe Secure Cloud under our ISO27001 certified personal cloud storage. Like the MydexID, it is also free for life and provides a lifetime of personal data and event storage under the member's control.
A PDS is coupled with a MydexID so that the member remains in control of their identity attributes, and so that events such as logging in to and out of applications with the MydexID are recorded in the Identity Services and Activity logs of their PDS, providing an audit trail.
Subscribing organisations pay an initial connection fee per service connected to our identity services and a pay-as-you-go connection fee per individual they connect with. Ongoing support fees are calculated as a percentage of the total connection fees paid annually on anniversary.
Overview of IDaaS features
The Mydex IDaaS API supports a number of features as follows:
- Registration services
- Authentication services, including support for single sign on / sign out
- Password reset and change. Requesting a password reset can happen via the Login form on the Login & Consent App, using either a valid MydexID or e-mail address linked to that MydexID. Reset instructions are sent to the e-mail address associated with the MydexID.
- Personal usage logging and tracking of login/logout events for the individual in their own Personal Data Store (PDS)
- Multi-factor authentication (MFA) and recovery codes across a range of device types and technologies
- Ability for subscribers to mandate that MFA must be enabled in order for the member to make use of their service
- Ability to map third party Identity Providers to the member's MydexID, so that the member can connect to their PDS via Identity Providers other than MydexID alone
- Ability to map anonymous identifiers to the MydexID so as to anonymously participate in services without the subscriber needing to know any personal information about the member, including their MydexID
- Can be integrated with Mydex PDS for storage of profiles and preferences, and to access other personal data held by the citizen in their PDS
Mydex currently supports the following protocols that power the Identity Services platform:
- OpenIDConnect profiles for authentication wherever an OpenID is supported