ISO/IEC 29179 — Mobile Identification — Application Guide

A Technical Guide for Engineers and System Architects

1. Application Development Framework for Mobile Identification

ISO/IEC 29179 provides comprehensive guidance for application developers integrating mobile identification capabilities into their software. Unlike 29177 and 29178, which define infrastructure-level protocols, this standard focuses on the application programming interface (API) design patterns, user experience considerations, and lifecycle management practices that developers need to build robust mobile identification features.

Adopt the mediator pattern for all identification API calls: create a single IdentificationManager facade that encapsulates the entire identification flow. This reduces coupling between your application logic and the evolving identification infrastructure, making future standard upgrades transparent to the UI layer.

The standard defines four integration levels for mobile identification applications: Level 0 (device-local identification only, no network), Level 1 (basic network-based verification), Level 2 (multi-factor with broker orchestration), and Level 3 (continuous adaptive authentication). Each level carries specific requirements for error handling, fallback behavior, and user notification. Most commercial applications should target Level 2 as a minimum baseline.

Integration Level   Capabilities                         Typical Use Cases
Level 0             Device-local PIN/biometric           Offline authentication, screen unlock
Level 1             Network ID verification              Single sign-on, passwordless login
Level 2             Multi-factor + broker mediation      Financial transactions, healthcare access
Level 3             Continuous adaptive authentication   High-security sessions, fraud prevention

2. API Design Patterns and Error Handling

The standard recommends a resource-oriented API design inspired by RESTful principles. Each identification operation (enroll, verify, update, delete) maps to standard HTTP methods on an identity resource. Error responses follow a consistent envelope format with a machine-readable error code, a human-readable message, a correlation ID for debugging, and a retry-after header when applicable.

Never display raw error codes or stack traces to end users. Map internal errors (e.g., “ISP 503 — upstream timeout”) to user-friendly messages (e.g., “Verification service temporarily unavailable. Please try again in a few minutes.”) to avoid confusing users and leaking system topology.
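The following is an added illustration of the two points above (the consistent error envelope and the internal-to-user message mapping); it is not code from the standard or from any provider SDK. The JSON field names, the internal error codes, the sample response and the user-facing strings are all assumptions made for the example.

```python
import json
import logging
from dataclasses import dataclass
from typing import Dict, Optional

log = logging.getLogger("identification")

# Internal, machine-readable codes mapped to safe user-facing text.
# The code names are illustrative assumptions, not values from the standard.
_USER_MESSAGES = {
    "UPSTREAM_TIMEOUT": "Verification service temporarily unavailable. Please try again in a few minutes.",
    "CREDENTIAL_EXPIRED": "Your identity credential has expired. Please verify again to continue.",
    "RATE_LIMITED": "Too many attempts. Please wait a moment before trying again.",
}
_DEFAULT_MESSAGE = "Verification could not be completed. Please try again."


@dataclass(frozen=True)
class ErrorEnvelope:
    """The provider's error envelope: code, message, correlation ID, optional retry hint."""
    code: str
    message: str                 # provider's text; may reveal hostnames or topology
    correlation_id: str          # safe to surface as a support reference
    retry_after: Optional[int]   # seconds, from the Retry-After header when present


@dataclass(frozen=True)
class UserFacingError:
    text: str
    retry_after: Optional[int]
    correlation_id: str


def parse_envelope(body: str, headers: Dict[str, str]) -> ErrorEnvelope:
    """Parse the JSON error body plus the Retry-After header (case-insensitive lookup)."""
    data = json.loads(body)["error"]
    hdrs = {k.lower(): v for k, v in headers.items()}
    retry = hdrs.get("retry-after")
    return ErrorEnvelope(
        code=str(data["code"]),
        message=str(data.get("message", "")),
        correlation_id=str(data["correlation_id"]),
        retry_after=int(retry) if retry is not None and retry.isdigit() else None,
    )


def to_user_facing(env: ErrorEnvelope) -> UserFacingError:
    """Log the raw detail for operators; hand the UI only the mapped message."""
    log.warning("identification error code=%s corr=%s detail=%s",
                env.code, env.correlation_id, env.message)
    return UserFacingError(
        text=_USER_MESSAGES.get(env.code, _DEFAULT_MESSAGE),
        retry_after=env.retry_after,
        correlation_id=env.correlation_id,
    )


# Constructed sample response; not captured from any real provider.
SAMPLE_BODY = json.dumps({"error": {
    "code": "UPSTREAM_TIMEOUT",
    "message": "ISP 503 - upstream timeout at idp-gw-03.internal",
    "correlation_id": "c0ffee-0001",
}})
SAMPLE_HEADERS = {"Retry-After": "120"}


def demo() -> UserFacingError:
    return to_user_facing(parse_envelope(SAMPLE_BODY, SAMPLE_HEADERS))


if __name__ == "__main__":
    print(demo())
```

Unknown codes fall through to a generic message rather than echoing the provider's text, so a new upstream error can never leak an internal hostname into the UI; the correlation ID is the one value worth showing, because support staff can use it to find the logged detail.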

A particularly important pattern described in 29179 is the “progressive registration” flow. Instead of requiring users to complete a lengthy registration form upfront, the application collects identification data incrementally — starting with a minimal set (e.g., phone number) and requesting additional verification factors as the user accesses higher-value features. This approach dramatically improves conversion rates while maintaining security.
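As an added example (not part of the standard or of this page), the step-up policy below implements the progressive registration idea: factors accumulate on the user's profile and are never requested twice, and each feature tier only asks for what is still missing. The feature names, the factor set, the per-feature requirements and the freshness window on the biometric factor are all assumed values chosen for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Factor(str, Enum):
    PHONE = "phone_otp"
    EMAIL = "email_confirmation"
    ID_DOCUMENT = "identity_document"
    BIOMETRIC = "device_biometric"


# Hypothetical feature tiers and the factors each one requires, in the order
# the user should be asked (lowest friction first). Application policy, not
# a mapping taken from the standard.
FEATURE_POLICY: Dict[str, List[Factor]] = {
    "view_balance": [Factor.PHONE],
    "small_payment": [Factor.PHONE, Factor.EMAIL],
    "large_payment": [Factor.PHONE, Factor.EMAIL, Factor.ID_DOCUMENT, Factor.BIOMETRIC],
}

# Assumed freshness requirement (seconds) per factor; factors not listed
# count indefinitely once verified. A recent biometric check asserts that the
# enrolled person is present now, so it is re-requested after 15 minutes.
FRESHNESS: Dict[Factor, float] = {
    Factor.BIOMETRIC: 15 * 60,
}


@dataclass
class UserProfile:
    # factor -> epoch seconds at which it was last verified
    verified_at: Dict[Factor, float] = field(default_factory=dict)


def record_verification(profile: UserProfile, factor: Factor, now: float) -> None:
    profile.verified_at[factor] = now


def factors_to_request(profile: UserProfile, feature: str, now: float) -> List[Factor]:
    """Factors the user must still complete before `feature` unlocks, in policy order.
    Verified, still-fresh factors are skipped: that is what makes registration progressive."""
    pending: List[Factor] = []
    for factor in FEATURE_POLICY[feature]:
        ts = profile.verified_at.get(factor)
        max_age = FRESHNESS.get(factor)
        if ts is None or (max_age is not None and now - ts > max_age):
            pending.append(factor)
    return pending


def next_step(profile: UserProfile, feature: str, now: float) -> Optional[Factor]:
    """Ask for one factor at a time; None means the feature is already unlocked."""
    pending = factors_to_request(profile, feature, now)
    return pending[0] if pending else None


if __name__ == "__main__":
    u = UserProfile()
    record_verification(u, Factor.PHONE, 0.0)
    print(next_step(u, "small_payment", 10.0))   # asks for email next
```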

3. Lifecycle Management and Testing

Mobile identification credentials have finite lifetimes and may be revoked or updated independently of your application. ISO/IEC 29179 provides detailed guidance on credential lifecycle management: proactive refresh (requesting updated credentials before current ones expire), graceful degradation (continuing to function with reduced capabilities when fresh credentials are unavailable), and secure deletion (cryptographically erasing credential material when no longer needed).

Implement a background credential refresh mechanism that triggers when 70% of the current credential’s lifetime has elapsed. This strategy, known as the “70% renewal rule,” reduces authentication failures caused by expired credentials by approximately 40% in production deployments.
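The credential store below is an added example of the three lifecycle behaviours described above (proactive refresh at 70% of lifetime, graceful degradation when a refresh fails, secure deletion of superseded or expired material); it is not code from the standard. The `Credential` shape, the `FakeProvider` and the `full`/`degraded`/`none` mode names are assumptions for the example.

```python
import os
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

RENEWAL_FRACTION = 0.7   # the "70% renewal rule" from the guide


class ProviderUnavailable(Exception):
    """Raised when a fresh credential cannot be obtained right now."""


@dataclass
class Credential:
    material: bytearray     # mutable so it can be overwritten on deletion
    issued_at: float        # epoch seconds
    expires_at: float

    @property
    def lifetime(self) -> float:
        return self.expires_at - self.issued_at


def refresh_due(cred: Credential, now: float) -> bool:
    """True once 70% of the credential's lifetime has elapsed."""
    return now >= cred.issued_at + RENEWAL_FRACTION * cred.lifetime


def is_expired(cred: Credential, now: float) -> bool:
    return now >= cred.expires_at


def secure_delete(cred: Credential) -> None:
    """Overwrite the material in place. Caveat: Python cannot guarantee that no
    copies remain elsewhere in memory; on a device, delete the key from the
    keystore/TEE and treat this overwrite as defence in depth."""
    for i in range(len(cred.material)):
        cred.material[i] = 0


class CredentialStore:
    """Holds the current credential and applies proactive refresh plus graceful
    degradation. get() returns (credential or None, mode), where mode is
    'full', 'degraded' (still valid, but a due refresh failed) or 'none'."""

    def __init__(self, fetch: Callable[[float], Credential]):
        self._fetch = fetch
        self._cred: Optional[Credential] = None

    def get(self, now: float) -> Tuple[Optional[Credential], str]:
        if self._cred is None or refresh_due(self._cred, now):
            try:
                fresh: Optional[Credential] = self._fetch(now)
            except ProviderUnavailable:
                fresh = None            # keep the current credential while it lasts
            if fresh is not None:
                if self._cred is not None:
                    secure_delete(self._cred)   # superseded material is erased
                self._cred = fresh
        if self._cred is not None and is_expired(self._cred, now):
            secure_delete(self._cred)           # expired material is erased too
            self._cred = None
        if self._cred is None:
            return None, "none"
        if refresh_due(self._cred, now):
            return self._cred, "degraded"
        return self._cred, "full"


class FakeProvider:
    """Constructed stand-in for the identification provider (not a real API)."""

    def __init__(self, lifetime: float = 1000.0):
        self.available = True
        self.lifetime = lifetime

    def issue(self, now: float) -> Credential:
        if not self.available:
            raise ProviderUnavailable()
        return Credential(bytearray(os.urandom(32)), now, now + self.lifetime)


if __name__ == "__main__":
    provider = FakeProvider()
    store = CredentialStore(provider.issue)
    for t in (0.0, 500.0, 750.0):
        print(t, store.get(t)[1])
```

The "degraded" mode is what the UI layer should key on: the credential is still usable, but the application should stop offering actions it could not complete if the credential expired mid-flow, rather than failing only when it is already too late.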

Testing mobile identification applications requires specialized approaches. The standard advocates for a three-layer testing strategy: unit testing of individual identification operations, integration testing against a broker simulator, and end-to-end testing against a staging environment that mimics real provider behavior. Mock providers should implement realistic latency distributions (not just fixed delays) to surface performance issues that only appear under variable network conditions.

Be aware of the “fallback loop” anti-pattern: when a primary identification method fails, the application should attempt a fallback method at most once. Unbounded fallback retries can trigger cascading verification requests that overwhelm downstream providers and create a denial-of-service condition on your own infrastructure, with the added cost that each retry is itself a fresh verification attempt the provider must process and log.
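The simulation below is an added example serving the two preceding points: a broker-simulator mock whose latency is drawn from a distribution rather than a fixed delay, and a verification routine that tries the fallback method exactly once. It is not code from the standard or from any broker simulator. The provider names, the log-normal latency parameters, the failure rates and the timeout are constructed values; nothing sleeps, the mock only records the latency it would have had and fails the call when that exceeds the client timeout.

```python
import math
import random
from dataclasses import dataclass, field
from typing import Dict, List


class ProviderError(Exception):
    """Raised by a provider when a verification cannot be completed."""


class VerificationFailed(Exception):
    """Raised when the primary and the single permitted fallback both fail."""


@dataclass
class MockProvider:
    """Broker-simulator stand-in (constructed). Latency follows a log-normal
    distribution, so a tail of calls exceeds the client timeout just as on a
    real mobile network; a fixed-delay mock would never exercise that path."""
    name: str
    median_ms: float
    sigma: float              # spread of the log-normal latency
    fail_rate: float          # fraction of calls that return a hard error
    timeout_ms: float         # client-side timeout applied to each call
    rng: random.Random
    calls: int = 0
    latencies_ms: List[float] = field(default_factory=list)

    def verify(self, request_id: str) -> str:
        self.calls += 1
        latency = self.rng.lognormvariate(math.log(self.median_ms), self.sigma)
        self.latencies_ms.append(latency)
        if latency > self.timeout_ms:
            raise ProviderError(f"{self.name}: timeout after {self.timeout_ms:.0f} ms")
        if self.rng.random() < self.fail_rate:
            raise ProviderError(f"{self.name}: verification error")
        return f"{self.name}:{request_id}"


def verify_with_bounded_fallback(primary: MockProvider, fallback: MockProvider,
                                 request_id: str) -> str:
    """Each method is tried exactly once: primary, then the fallback. There is
    no loop back to the primary, so one user request costs at most two
    provider calls however unhealthy the providers are."""
    errors = []
    for provider in (primary, fallback):
        try:
            return provider.verify(request_id)
        except ProviderError as exc:
            errors.append(str(exc))
    raise VerificationFailed("; ".join(errors))


def percentile(values: List[float], pct: float) -> float:
    if not values:
        return 0.0
    ordered = sorted(values)
    index = max(0, math.ceil(pct / 100.0 * len(ordered)) - 1)
    return ordered[index]


def simulate(n_requests: int, primary: MockProvider, fallback: MockProvider) -> Dict[str, float]:
    """Drive n_requests through the bounded-fallback path and report load and latency."""
    ok = failed = 0
    for i in range(n_requests):
        try:
            verify_with_bounded_fallback(primary, fallback, f"req-{i}")
            ok += 1
        except VerificationFailed:
            failed += 1
    return {
        "ok": ok,
        "failed": failed,
        "provider_calls": primary.calls + fallback.calls,
        "primary_p95_ms": percentile(primary.latencies_ms, 95),
    }


if __name__ == "__main__":
    rng = random.Random(1)
    primary = MockProvider("primary", 300.0, 0.6, 0.05, 2000.0, rng)
    fallback = MockProvider("fallback", 500.0, 0.4, 0.0, 2000.0, rng)
    print(simulate(200, primary, fallback))
```

The invariant worth testing in your own integration suite is the one asserted here: total provider calls never exceed twice the number of user requests, even when both providers fail every call. The p95 latency from the mock is the number to compare against the UI's own timeout budget.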

FAQs

Q: Can I integrate 29179 with existing OAuth 2.0 flows?
A: Yes. The standard explicitly defines how mobile identification operations map to OAuth 2.0 grant types and OpenID Connect scopes, enabling seamless coexistence with existing authorization frameworks.

Q: How should I handle users who lose their mobile device?
A: Implement a recovery workflow using out-of-band verification (e.g., email confirmation + knowledge-based questions). The standard specifies minimum recovery security requirements to prevent social engineering attacks.

Q: What is the recommended approach for biometric template storage?
A: Store biometric templates exclusively in the device’s secure enclave or TEE. Never transmit raw biometric samples over the network unless using a secure protocol compliant with ISO/IEC 24745 biometric information protection.

Q: Does the standard support push-based authentication?
A: Yes. Push notification-based authentication flows are described in the standard’s annex on proximity and presence verification, with specific guidance on notification payload security and replay protection.