Attribute matching
The following guide offers a high-level overview of how an ID.me integration for attribute matching functions.
Design overview
Policy setup
a. ID.me provides a public key for the encryption of the JSON Web Encryption (JWE) token
b. Customer provides ID.me with the certificate used for signing which enables ID.me to validate the signature
The ID.me policy will be configured to:
- Require a JWE token on OAuth requests
- Accept certain attributes in the JWE
- Match on certain attributes in specific ways as defined by the customer
ID.me must receive a JWE in the request URL parameter within the initial ./oauth/authorize call.
If the JWE is invalid (e.g. it is missing, or its encryption, signature, or payload is invalid), the user will be returned to the customer and presented with an error message.
The user will be asked to consent to providing the customer with their:
- Name
- Date of birth
- Other data (depending on configuration)
JWE
Customers send matching attributes as a JWE object in the initial OAuth request.
Payload
Attribute keys in the payload are configured during integration setup. The payload contains the attribute keys and values (in JSON) that will be used for matching.
Creation
The JWE will be created by:
When decrypted, the JWE will contain a JWS with a valid signature that can be verified by the public certificate provided by the customer.
The above contains the following JSON payload:
Decoding the JWE/JWS using code or another tool will show the parameters used in this example.
Attribute matching logic
ID.me uses two well-established string-comparison algorithms for matching.
Jaro-Winkler
ID.me uses the Jaro-Winkler distance algorithm to compare text values, such as names, and determine whether they are likely a match.
How it works
- Compares two strings and measures similarity based on matching characters and order
- Gives more weight to characters at the start of the string (useful for names where typos or variations occur)
- Returns a score between 0 (no similarity) and 1 (exact match)
Our matching rules
- Score > 0.8 → treated as a match
- Score < 0.8 → treated as a mismatch
Match scores can be configured per policy and attribute, so if you want to set a threshold higher or lower than the standard configuration, that can be supported.
- Jaro-Winkler score: 0.819 (81.9%)
- Result: Match
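The scoring and threshold rule described above, as an added example (not ID.me's code): a standard Jaro-Winkler implementation using the common prefix scale of 0.1 and a four-character prefix cap. The name pairs are constructed, and the input normalization, the rejection of empty values, and the treatment of a score of exactly 0.8 are assumptions.

```python
"""Jaro-Winkler scoring with the > 0.8 match rule (added example)."""

def jaro(s1: str, s2: str) -> float:
    if not s1 or not s2:
        return 0.0
    if s1 == s2:
        return 1.0
    # Characters count as matching only within this sliding window.
    window = max(max(len(s1), len(s2)) // 2 - 1, 0)
    used1, used2 = [False] * len(s1), [False] * len(s2)
    for i, ch in enumerate(s1):
        for j in range(max(0, i - window), min(len(s2), i + window + 1)):
            if not used2[j] and s2[j] == ch:
                used1[i] = used2[j] = True
                break
    m = sum(used1)
    if m == 0:
        return 0.0
    # Transpositions: matched characters that appear in a different order.
    a = [c for c, u in zip(s1, used1) if u]
    b = [c for c, u in zip(s2, used2) if u]
    t = sum(x != y for x, y in zip(a, b)) // 2
    return (m / len(s1) + m / len(s2) + (m - t) / m) / 3

def jaro_winkler(s1: str, s2: str, scale: float = 0.1) -> float:
    score = jaro(s1, s2)
    # Winkler bonus: reward a shared prefix of up to four characters.
    prefix = 0
    for x, y in zip(s1[:4], s2[:4]):
        if x != y:
            break
        prefix += 1
    return score + prefix * scale * (1 - score)

def is_match(submitted: str, verified: str, threshold: float = 0.8) -> bool:
    # Assumption: trim and upper-case both values before comparing.
    a, b = submitted.strip().upper(), verified.strip().upper()
    if not a or not b:
        return False  # assumption: a missing value never matches
    # The page defines > 0.8 as a match and < 0.8 as a mismatch; exactly 0.8
    # is treated as a mismatch here (assumption, fails closed).
    return jaro_winkler(a, b) > threshold

# Constructed sample pairs, not taken from the page.
SAMPLES = [("Martha", "Marhta"), ("Dwayne", "Duane"), ("John", "Joan"), ("Jones", "Smith")]

if __name__ == "__main__":
    for left, right in SAMPLES:
        s = jaro_winkler(left.upper(), right.upper())
        print(f"{left}/{right}: {s:.3f} default={is_match(left, right)} strict={is_match(left, right, 0.9)}")
```

With a stricter per-attribute threshold of 0.9, the transposition typo Martha/Marhta still matches while the distinct names John/Joan no longer do.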
NYSIIS
ID.me uses the NYSIIS algorithm (New York State Identification and Intelligence System) to match names that sound alike but may be spelled differently.
How it works
- Converts a name into a phonetic code
- Applies a set of transformation rules to letters and letter groups
- Produces a simplified, standardized representation of the name’s pronunciation
Why it’s useful
- Matches names that have multiple valid spellings
- Handles variations due to spelling conventions or regional accents
- Makes it easier to compare names based on sound instead of spelling
- Both pairs are reduced to the same phonetic code
- Result: Match