2. Registration and User Identity Validation

Four separate main processes are involved when a website uses HCP-ID to Authenticate and Authorize its users.

  1. Registration
    HCP-ID Profile creation (which may or may not happen in the scope of a given website)

  2. Identity Verification
    HCP-ID Profile validation, where Cognipharma will validate the user’s data in multiple ways to verify his/her identity

  3. Authentication
    Login and session creation on a Website that the user is trying to access
    • Subprocess 3.1 Website Registration and Terms and Conditions acceptance for a specific Website

  4. Authorization
    Validation of whether an existing, verified, and authenticated user is Authorized to access a website, given the website’s business rules defined by the customer.

Identity Verification and Account Activation

Cognipharma will, at its discretion and using a mix of automated and manual processes, verify the basis of the submitted information in order to validate, to the extent possible, the veracity of the user’s identity and submitted profile information. From that moment on, if the validation succeeds, the Identity is verified and the account information is considered valid.

This process does not imply that this user/account has access to any website. It only ensures that the account belongs to a valid person whose data has been validated. Authorization to access each website is granted when users log in to that website and their verified account information matches the rules defined for accessing it.

 

The diagrams below provide an overview of the steps in each process.

At any given time, a Person may register for a Cognipharma HCP-ID. He may start this process coming from a customer’s website, or from any other unrelated channel.

At another point in time, a user may log in to a customer’s website. As long as he has a valid, verified account and knows his password, he can Authenticate himself.

He then needs to accept the terms of that website, agree to share his Cognipharma HCP-ID profile data with the website, and match the website-specific Authorization rules before the login is accepted.

Bear in mind the following concept, usually misunderstood given the difference between a “single purpose website registration/authentication/authorization” system, and a generic, centralized Authentication solution:

  • Registration is Global to all customers/tenants, and provides HCPs with an Identity / Profile (very similar to a Google or Apple account).
    • It is not a registration on a specific website.
    • Identity verification is performed on this global user, periodically, but independently of a given website.

  • Authentication is not Authorization – A user may Authenticate himself (“login”/“sign in” with his user and password) and not be Authorized to access a given website, because:
    • He has not accepted the terms of the website, or such consent has expired
    • He has not accepted to share the minimum amount of profile data with the website
    • He does not match any of the rules that allow him to access the website (e.g. required profession, email domain, manual authorization, etc).
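
The separation described above, sketched as a per-website authorization check that runs only after authentication has succeeded. This is an added example, not Cognipharma's code: every class, field and reason name is hypothetical, and the consent expiry is modelled as a simple time-to-live, which is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# All class, field and reason names are hypothetical, not HCP-ID's own API.
@dataclass
class Profile:                  # global HCP-ID identity, shared by all websites
    verified: bool
    profession: str
    email: str

@dataclass
class Consent:                  # per-website acceptance of terms and data sharing
    accepted_at: datetime
    shared_fields: frozenset

@dataclass
class WebsitePolicy:            # business rules defined by the customer
    required_fields: frozenset
    consent_ttl: timedelta      # assumed expiry model for consent
    allowed_professions: frozenset = frozenset()
    allowed_email_domains: frozenset = frozenset()
    manually_authorized: frozenset = frozenset()   # emails approved by hand

def authorize(profile, policy, consent, now):
    """Return (allowed, reason). Run only after authentication has succeeded."""
    if not profile.verified:
        return False, "identity_not_verified"
    if consent is None or now - consent.accepted_at > policy.consent_ttl:
        return False, "terms_not_accepted_or_expired"
    if not policy.required_fields <= consent.shared_fields:
        return False, "minimum_profile_data_not_shared"
    email = profile.email.lower()
    domain = email.rsplit("@", 1)[-1]
    if (profile.profession in policy.allowed_professions
            or domain in policy.allowed_email_domains
            or email in policy.manually_authorized):
        return True, "authorized"
    return False, "no_access_rule_matched"   # deny by default

# Constructed sample data
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
POLICY = WebsitePolicy(frozenset({"name", "profession"}), timedelta(days=365),
                       allowed_professions=frozenset({"physician"}))
DOCTOR = Profile(True, "physician", "a.doe@hospital.example")
FRESH = Consent(NOW - timedelta(days=10), frozenset({"name", "profession", "email"}))

if __name__ == "__main__":
    for consent in (None, FRESH):
        print(authorize(DOCTOR, POLICY, consent, NOW))
```

Returning a distinct reason for each denial lets the website send the user to the right next step (accept terms, share data, or request manual authorization) and gives audit logs a record of why an authenticated user was refused.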