Technical Details for "iAM Smart"
DPO provides three sets of Application Program Interfaces (APIs) for commercial organisations and public bodies to adopt "iAM Smart" in their online services. DPO makes reference to OAuth 2.0 for authentication and authorisation amongst "iAM Smart" user, online service and "iAM Smart" system.
The DPO provides "iAM Smart Personal Code" to enable the public to present their partial personal data in the form of a QR code without the need for checking user's identity documents, thus strengthening privacy protection. Please click here to learn more about what personal information is contained in the "iAM Smart Personal Code".
Workflow:
- User to access online service website and to start the login by using "iAM Smart" process
- Online service to redirect user to a webpage that is hosted in "iAM Smart" System
- User to use "iAM Smart" Mobile App to scan the QR code on the webpage
- "iAM Smart" System to redirect user to online service with "Authorisation Code" included
- Online service to pass the "Authorisation Code" to "iAM Smart" System
- "iAM Smart" System to return the "Access token" which includes user's tokenised account identifier* and online service to use tokenised account identifier to perform user matching at local user database
*Tokenised account identifier is a unique identifier of "iAM Smart" user assigned by "iAM Smart" System for a particular online service. Different online service will be assigned with different values of tokenised account identifier for the same "iAM Smart" user, it will strengthen the privacy protection of users.
Workflow:
- User to access web form and start the form filling by "iAM Smart" process (if user is not authenticated, perform step 2-6 of "Authentication" process to obtain tokenised account identifier*)
- Online service to invite the user to authorise the form filling request in the "iAM Smart" Mobile App and pass the tokenised account identifier and form filling request to "iAM Smart" System
- User to use "iAM Smart" Mobile App and authorise "iAM Smart" System to pass information# to online service
- "iAM Smart" System to pass user selected information to online service
- Online service to use the information for form filling
* Tokenised account identifier is a unique identifier of "iAM Smart" user assigned by "iAM Smart" System for a particular online service. Different online service will be assigned with different values of tokenised account identifier for the same "iAM Smart" user, it will strengthen the privacy protection of users.
# An option will be provided for "iAM Smart" users to set up the user profile with personal data for form filling.
# An option will be provided for "iAM Smart" users to set up the user profile with personal data for form filling.
Workflow:
- User to start the digital signing by "iAM Smart" process (if user is not authenticated, perform step 2-6 of "Authentication" process to obtain tokenised account identifier*)
- Online service to pass the hash value generated from the web form to be signed along with the user's tokenised account identifier to "iAM Smart" System
- Online service to show an identification code and invite the user to authorise digital signing in the "iAM Smart" Mobile App
- After ensuring the identification code shown on the "iAM Smart" Mobile App and the online service webpage are the same, user to authorise the digital signing action
- "iAM Smart" System to perform digital signing and return the signed hash and user's iAM Smart-Cert# with public key to online service.
- Online service to confirm the digital signing and display result to user
* Tokenised account identifier is a unique identifier of "iAM Smart" user assigned by "iAM Smart" System for a particular online service. Different online service will be assigned with different values of tokenised account identifier for the same "iAM Smart" user, it will strengthen the privacy protection of users.
# iAM Smart-Cert issued by Recognized Certification Authority for "iAM Smart" user.
# iAM Smart-Cert issued by Recognized Certification Authority for "iAM Smart" user.
Workflow:
- User to access the Personal Code function after logging in the "iAM Smart" mobile app.
- To digitally sign and generate the Personal Code via the "iAM Smart" System.
- Third-party verifier to use the "iAM Smart" mobile app or third-party scanner to scan the Personal Code. The information collected from the Personal Code should be handled in strict adherence to relevant provisions of the Personal Data (Privacy) Ordinance (Cap. 486).
- Scanner to import the latest digital certificate from "iAM Smart" Sandbox Programme theme page.
- Scanner to validate the scanned QR code content by verifying the digital signature embedded in the QR code using the pre-installed certificate.
- Scanner to display or store the partial personal information of User.
Click here for the adoption of Personal Code