Providers may assume one or more of four roles:
- eHerkenning broker. This role is completely dedicated to services. It is the interface through which a service 'talks' with the eHerkenning network. The service asks the network for an identification (a Chamber of Commerce reference) through the broker. The online user is then redirected to his or her authentication provider of choice.
- Mandate register. This register stores all authorisations of a person on behalf of a business. The authorisations can only be created and maintained by an authorised person of that particular business. In the case of small businesses, this is usually the owner.
- Authentication service. This role makes the authentication tokens available in the network in real time.
- Token issuer. The issuers provide authentication tokens (texting, OTP, certificates, user name/password) to public servants, businesses and their users and consumers.
This 4-party model connects existing means of authentication or keys (e.g. cards, mobile phones, tokens, passwords) to eService Providers. The user is registered in the Mandate register and, through the Authentication service, a reliable and fast verification of this user can be accomplished.
The roles of 'token issuer', 'authorisation register' and 'authentication service' can be executed by multiple commercial parties. All parties are to connect to each other. Therefore, both the public service and the business only need a contract and connection to a single provider of their choice.
Four-party model for identity services
Note: The roles of 'token issuer', 'mandate register' and 'authentication service' are all related to service provision towards the user ('Company and user' in the scheme) and are seen as one role when we use the term 'four-party model'.