What's the RealMe assertion service?
RealMe assertion service
The RealMe® assertion service provides the means for a customer to prove personal information online. At present, we offer verified identity (name, date and place of birth, gender) and verified residential address. The service is often referred to as RealMe verified identity, as this is usually the most essential set of personal data.
Organisation benefits include:
- no need to incorporate an in-person or third-party capability for verifying personal information for use online
- high-strength attribute verification, guaranteed by real-time access to the authoritative source record
- a "verify once, use online many times" experience for customers
The RealMe assertion service is available to organisations in the wider government sector and to approved organisations in the private sector such as financial institutions.
If your organisation wants to maximise use of the online channel and needs strong proof of your customer's identity and other personal details before services can be provided, then the RealMe assertion service may be a good fit. See the RealMe website about business use for more information on the assertion service.
Combining RealMe login service and RealMe assertion service
For most online services, the customer will authenticate many times, but only verify their identity, address or other attributes once at registration, or perhaps at infrequent intervals when circumstances change. An assertion of a customer's attributes must take place in a managed session to protect the personal information being shared.
For private sector organisations that cannot use RealMe login, the customer requires a RealMe verified identity for authentication to succeed.
For government agencies, the login and assertion flows can be combined to provide a more seamless user experience. There are two options for configuration:
| Description | Assert only | Assert and Always Login |
| --- | --- | --- |
| User can create a RealMe login | No | Yes |
| MFA required? | Yes | Service specifies (see note 1) |
| User can authenticate without a verified identity | No | Yes |
| Federated Login Tag (FLT) returned | No | Yes |
| Verified attributes including Federated Login Tag (FIT) returned | Yes | Yes, if available (see note 2) |
| Displays RealMe error page | As per config | No |

Notes:
1. The service specifies whether MFA is required in their authentication request. Regardless of the authentication strength specified, MFA will always be required if a user's verified attributes are being shared.
2. Verified attributes are not shared when:
   - the user is not verified
   - the user does not consent
   - the user has previously provided an "enduring" consent and the service is configured to not receive verified attributes for returning users.
Assert only: the customer must have a RealMe verified identity (and will therefore have a login), as the AuthnRequest will fail if the user is not verified. If the user is not verified, the online service should direct them to an alternative verification process. This flow only returns the verified attributes; it does not return the FLT. When the customer shares their verified attributes, they log in with moderate strength.
Assert and Always Login: the customer must have a RealMe login but may not have a verified identity. If they do have a RealMe login but no verified identity, the customer will still be authenticated. If the customer does not have a RealMe login, they can create one. The online service then handles the verification of the customer, either by encouraging them to apply for a RealMe verified identity or by triggering its own alternative verification process. Until the customer's identity is verified, the agency service can limit the functions the customer can perform. The online service may choose to authenticate the user at low or moderate strength; however, whenever the customer shares their verified attributes, they are authenticated at moderate strength.