User Onboarding
š§ Who is a "User" in Ditto ID?
In Ditto ID, a user is an individual who is registered with the enterprise system and interacts with Ditto ID through a mobile or web application. Each user is uniquely identified by a user ID (typically an enterprise-defined login ID or username).
A user in Ditto ID is tightly bound to:
- A mobile device (trusted endpoint)
- A secure identity (based on biometrics, password, PIN, or pattern)
- A session managed securely through the Ditto ID SDK and backend services
š„ User Onboarding in Ditto ID
User onboarding in Ditto ID is a two-phase process:
š Phase 1: User Enrollment
Enrollment is the process of creating the user identity in the Ditto ID system. It can be initiated in two ways:
š ļø Backend Enrollment (Admin-led)
| Step | Description |
|---|---|
| User ID Creation | Enterprise system provisions user (LDAP, CRM, API) |
| Credential Setup | Optional setup of PIN/password |
| Policy Mapping | Device count, LDA options, KYC type are assigned |
š Self-Enrollment (User-led via SDK)
| Step | Description |
|---|---|
| User launches app | App starts SDK and calls initialize() |
| User enters details | App collects email, phone, or custom ID |
| App calls enroll API | Triggers backend workflow to provision user |
| SDK handles onboarding | SDK proceeds with activation flow after enrollment is successful |
š Outcome: User is now registered but still needs to activate the device.
š¤ Agent-based Enrollment (Trusted Device or Agent App)
In this mode, the enrollment is handled via a trusted device or agent that is already authenticated in the Ditto ID ecosystem.
| Step | Description |
|---|---|
| Agent logs in | Agent device is authenticated via Ditto ID SDK |
| User data is entered | Agent collects userās basic details (name, phone, email, ID, etc.) |
Agent calls enrollUser API | Sends request to Ditto ID backend to register user via secure session |
| Activation instructions shown | Device activation details (code, OTP, link) are shared with the new user |
š Outcome: User is registered and receives activation information to onboard on their own device.
š Phase 2: User Activation
Activation is the SDK-driven flow where the device is trusted and the user identity is verified using a challenge-response mechanism.
š Supported Onboarding Challenges
During activation, the SDK may issue one or more of the following challenges:
| Challenge Type | Triggered Event | Follow-up Action |
|---|---|---|
| OTP verification | getActivationCode | App collects OTP ā setActivationCode() |
| KYC workflow | onHandleCustomChallenge | App captures ID & selfie |
| Biometric consent | getUserConsentForLDA | App calls setUserConsentForLDA() |
| Credential setup | getPassword | App collects password ā setPassword() |
š Outcome: On successful completion of challenges, the SDK emits onDeviceActivated.
š Re-Activation / Multi-Device Support
- Users can repeat activation on new devices.
- Enrollment is one-time.
- SDK enforces admin-configured policies on device trust, reuse, and limits.
š¦ Onboarding States
The onboarding state determines whether users must go through an interactive onboarding workflow. This is configured via the Gateway Manager under user profile settings.
| State | Description |
|---|---|
ONBOARDED | Users must complete the full onboarding challenge flow. After onboarding, they must proceed through the User Activation process. |
CREATED | Users bypass the onboarding workflow and can directly initiate the User Activation process. Useful for pre-verified or admin-imported users. |
Tip: Choose the onboarding state and method based on your user experience goals and compliance requirements.
š Summary Table
| Aspect | Enrollment | Activation |
|---|---|---|
| Who initiates | Admin or SDK (self-enrollment) | SDK (triggered by initialize()) |
| Main goal | Register user in Ditto ID system | Bind user to secure device |
| Challenge involved? | Optional KYC or OTP | Yes ā varies by enterprise policy |
| Handled by | Backend API or mobile SDK | SDK + App UI + Backend orchestration |
Updated 4 months ago