
FinID Two-Factor Authentication of Identity

FinID is a two-factor identity authentication service offered as an independent API that provides the full cycle of customer identity authentication as a single service (SaaS).

Within a single request, the two-factor identity authentication service carries out a combined set of identity authentication measures, which includes:

  • biometric verification:

– checking for liveness, detecting possible use of identity spoofing means by the user (e.g., photos, videos, masks, deepfake technologies, etc.);
– checking the photo image obtained from the liveness-checking session against the reference photo image from state sources.

  • SMS verification:

– sending the user a one-time code to the phone number specified in the request;
– collection of consents for processing of personal data.

As a result of the Service, NPCK JSC shall provide the process participant with the result of the authentication (successful/unsuccessful) and, if verification is successful, the user’s personal data as well.

E-sign cloud electronic digital signature management service

The E-sign Management Service is a COID service for signing electronic documents using cloud EDS. It also provides other functions, including:

  • issuance/reissuance and revocation of the cloud EDS registration certificate for individuals;
  • verifying the authenticity of the digital signature of a signed electronic document;
  • provision and viewing of the list of signed documents.

The Hardware and Software Complex of the Certification Authority of JSC NPC processes requests and generates DECP keys at the request of the cloud EDS management service and stores the keys in the HSM module, in accordance with the Policy of Application of Registration Certificates and the Regulations of the Certification Authority.

In accordance with the Rules of creation, use and storage of private keys of electronic digital signature in the certification center (approved by the order of the Minister of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan of October 27, 2020, № 405/HҚ), the owner accesses the private key remotely through at least two factors of authentication, one of which is biometric. Accordingly, remote access to the private key of the cloud EDS requires mandatory authentication of the owner through the COID two-factor identity authentication service.

Technical specification

The information needed to connect to and work with the COID is provided in the technical specification at the link: Getting Started | Documentation (npck.kz)

Brief instruction on connection

Specifics of connecting to the two-factor identity authentication services:

1) Participants connect to the COID services by registering the Participant’s application on the Portal (cabinet.npck.kz) and selecting the appropriate service to connect to;

2) the parties to the information exchange are authorized by credentials (clientID/clientSecret) generated for each Participant’s application;

3) credentials are unique for each Participant’s application registered on the Portal;

4) the same credentials are used when one Participant’s application registered on the Portal is connected to different COID services;

5) from the moment the Participant’s application is registered and connected to the corresponding COID service on the Portal, the Participant acquires the right to use the COID service;

6) the fact of the Participant’s connection to the COID service(s) is displayed on the Portal on the Participant’s application information page;

7) in order to use the COID service, the Participant sends a request to the Operator;

8) the Participant’s requests processed by the COID service are recorded from the moment the Participant’s application is connected to the COID service.

In order to connect to the OIDC services, a legal entity that meets the requirements set forth in the Rules shall submit to the Operator an application for accession in the form set forth in the relevant Service Agreement.

The legal entity shall sign the accession application and attach the following documents to it:

1) certificate of state registration/re-registration of the legal entity;

2) protocol (decision) of the authorized body of the legal entity and order on appointment of the first manager;

3) certificate of value added tax registration;

4) the charter of the legal entity;

5) power of attorney confirming the powers of the applicant (if the Application is signed by a person other than the first manager);

6) certificate of registration in the register of NB RK or ARRDF (if available);

7) license issued by the ARDF (if available);

8) license issued by the MFCA Committee for Regulation of Financial Services (if available).

The application to join the Agreement on provision of two-factor authentication services shall be submitted in person or by registered mail to the following address: Almaty, Koktem microdistrict 3, building 21. The documents attached to the application shall be submitted as copies. The signed application to join the Service Agreement may also be submitted through an electronic document management system in accordance with the current legislation of the Republic of Kazakhstan.