Although MIRACL Trust implements general-purpose email verification, it is not a one-size-fits-all solution. That is why any verification flow can be implemented using the pluggable verification mechanism exposed by the MIRACL Trust platform.
Here are some options for verification flows.
Manual invitation creation
Sometimes online verification is not possible. In those cases, a manual flow can be implemented. The idea in this kind of flow is that a person or a group of people is responsible for verifying users. When a user wants to be enrolled, they need to identify themselves to those people. After successful identification, the user is issued some kind of one-time code that they can use to establish the enrolment on a device of their choosing. This code can be transferred to the user using a trusted messenger, an alternative email address, a QR code printed on paper, etc.
This kind of flow is suitable in many cases.
- Internal use-case for a company. The HR team is responsible for the verification.
- Bank use-case. Customers need to present identification to a bank assistant in the office of the bank. The assistant issues a verification code.
- Online platform which requires in-person identification.
- Institutions that can verify people on the phone. The user can call to be verified based on some secret questions. The user is issued a code that they can use in an online system to enrol.
Many applications nowadays use the mobile phone number as an ID for a customer. Phone numbers can easily be verified using a code sent via SMS.
- Code expiration
Although in many flows there can be a considerable amount of time between verification and enrolment, it is always a good idea to have a reasonable expiration for the verification code.
- Code invalidation
Consider invalidating codes after they are used. In some cases this may not be practical, but the security benefits make it worth considering.
- Verification flows that use phone numbers are exposed to attacks such as SIM swap.
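The code expiration and code invalidation points above, sketched as an added example; this is not MIRACL Trust code and does not use its API. `InvitationStore`, its methods and the 15-minute lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60  # assumed lifetime; choose a value that fits the flow


class InvitationStore:
    """In-memory store of one-time verification codes (hypothetical helper)."""

    def __init__(self, ttl=CODE_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._pending = {}  # user_id -> (SHA-256 of code, expiry timestamp)

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).digest()

    def issue(self, user_id):
        """Called by the verifier after the user has been identified."""
        code = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        # Keep only a hash of the code; issuing again replaces any earlier code.
        self._pending[user_id] = (self._digest(code), self._clock() + self._ttl)
        return code

    def redeem(self, user_id, code):
        """Return True exactly once for a valid, unexpired code."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expires_at = entry
        if self._clock() >= expires_at:
            del self._pending[user_id]  # expired: drop the record
            return False
        # Constant-time comparison avoids leaking how much of the code matched.
        if not hmac.compare_digest(digest, self._digest(code)):
            return False
        del self._pending[user_id]  # invalidate after first successful use
        return True
```

A production store would also persist the records and limit failed attempts per user.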