FAQ

About “iAM Smart” Sandbox Programme

A1. Digital Policy Office (“DPO”) collaborates with Cyberport to implement the “iAM Smart” Sandbox Programme (Sandbox) for public and private organisations to access simulated API and integrated testing environments to build proof-of-concepts using “iAM Smart”. “iAM Smart” technical documentation and free training courses are provided to Sandbox participants to facilitate “iAM Smart” adoption development.

A2. The application forms and requirements are available here. For any questions, please contact us via iamsmart@cyberport.hk.

A3. Currently, the Sandbox Programme is open to the following sectors:

  1. Financial Sector
  2. Information and Communications Technology (“ICT”) Sector
  3. Telecommunications Sector
  4. Healthcare Sector
  5. Education Sector
  6. Culture Sector
  7. Sports Sector
  8. Tourism Sector
  9. Designated Non-Financial Businesses and Professions (DNFBPs) and Licensed Money Service Operators (MSOs) under AMLO and Licensed Money Lenders mentioned in the Guideline on Compliance of Anti-Money Laundering and Counter-Terrorist Financing Requirements for Licensed Money Lenders
  10. Accounting Sector
  11. Transport and Logistics Sector
  12. Charity Sector
  13. Property Management Sector
  14. Real Estate Sector
  15. Legal Sector
  16. Public Sector

Public organisations are also welcome to join.

If your organisation does not belong to the above sectors, please contact us via https://iamsmart.cyberport.hk/contact-us/.

A5. Please feel free to contact us via iamsmart@cyberport.hk. If you have joined the Sandbox Programme, please raise your question through our Helpdesk platform.

A6. Please contact us via iamsmart@cyberport.hk or call our hotline (852)3166 3800.

“iAM Smart”

A1. “iAM Smart” is a free account that can be used by all Hong Kong Identity Card holders aged 11 or above. It allows users to authenticate through their personal mobile phones and log in to the online services of different government departments and commercial organisations. Details can be found on the “iAM Smart” thematic page.

A2. Both permanent and non-permanent Hong Kong residents of age 11 or above and possessing valid Hong Kong Identity Cards are eligible for registration of “iAM Smart”.

A3. The “iAM Smart” account is available in two versions, namely “iAM Smart” and “iAM Smart+”. The “iAM Smart” version has authentication, “e-ME” form-filling and personalised notifications functions, while the “iAM Smart+” version additionally has the digital signing function:

(1) Authentication – Users will have a single digital identity that enables simple and secure login to various government and commercial online services. It brings convenience to people’s daily life by removing the need to manage different user names and passwords.

(2) “e-ME” Form Filling – Users can store their personalised data (such as name, gender, Hong Kong Identity Card number, date of birth, residential address, contact phone number, and billing address) in their “iAM Smart” account, and enjoy the convenience brought about by auto form-filling and avoid filling in the same data for different applications. Billing address from utility companies / organisations can also serve as address proof for various online applications.

(3) Personalised Notifications – Users can choose to receive personalised notifications from various government online services to keep up with service updates, expiry alerts and latest information.

(4) Digital Signing – Users can use “iAM Smart+” to perform digital signing in accordance with the Electronic Transactions Ordinance (Chapter 553 of the Laws of Hong Kong) to process legal documents and procedures online.

A4. “iAM Smart” account is available in two versions, namely “iAM Smart” and “iAM Smart+”. The “iAM Smart” version has authentication, form-filling and personalized notifications functions, while the “iAM Smart+” version has the digital signing function in addition.

For more information about “iAM Smart” and “iAM Smart+”, please click here.

A5. Yes, “iAM Smart” supports both new and old Smart Identity Cards for registration.

A6. To download and use the “iAM Smart” Mobile App, the mobile phone must be equipped with biometric authentication. An iOS mobile phone should support Face ID or Touch ID. An Android mobile phone should run Android 8.0 or above and support fingerprint authentication.

For the best experience using “iAM Smart”, it is recommended to use devices with more recent mobile phone system versions such as iOS 13.0 or above or Android 10.0 or above.

Please note that each mobile phone can only be used to bind with one “iAM Smart” account.

A7. A user can update the “e-ME” profile in the “iAM Smart” Mobile App on a voluntary basis via his/her own mobile device. Data fields entered by the user in the “e-ME” profile are not verified by “iAM Smart”. However, the user can retrieve the billing address information from the utility companies / organisations through “e-ME”.

A8. You can select the “transfer account to another mobile” function in the “iAM Smart” mobile app on the existing phone to transfer the “iAM Smart” or “iAM Smart+” account to another phone. Upon successful transfer, the “iAM Smart” or “iAM Smart+” account on the phone where it was originally installed will be deleted.

A9. A range of commonly used government, public and private online services are accessible through the “iAM Smart” platform. For details, please click here.

A10. The “iAM Smart” Mobile App supports three languages: English, Traditional Chinese and Simplified Chinese.

A11. Users can use the biometric functions (such as facial or fingerprint identification) provided by their personal mobile phones to authenticate their identity and log in to the online services using “iAM Smart” safely and conveniently. Such biometric data will only be stored in users’ personal mobile phones, and will not be stored in the “iAM Smart” system.

Adoption of “iAM Smart” in online service

A1. Please refer to the use cases of the “iAM Smart” enabled online services at our website https://iamsmart.cyberport.hk/iam-smart/#use-case. To explore more use cases that are applicable to your business, please contact us for further discussion.

A2. As public and private organisations, you could visit our website and join our Sandbox Programme first. The application forms and requirements are available here.

A3. Please complete the ITE Application Form to start the development of your online services for integration with “iAM Smart”. For more details about the ITE Application Form, please click here.

A4. Please complete the ITE Application Form to start the development of your online services for integration with “iAM Smart”.  While you are preparing to submit the application, please visit Implementation Preparation to observe relevant tasks which should be completed before you can start the testing in ITE.

A5. You may download the documents at our Document & Forms page; please join the Sandbox Programme to access them.

A7. The “iAM Smart” API Services are currently provided for free, but the Government reserves the right to charge for using the “iAM Smart” API Services in future.

A8. Online services adopting “iAM Smart” are required to perform a security checklist review and a privacy impact assessment every 2 years after the production run of the online services.

API Functions and Features

A1. The iAM Smart API provides functions for user authentication, form filling, digital signing, re-authentication, Direct Login, and Bulk Digital Signing.
(Reference: iAM_Smart_Developer_Guide_v2.2.2: 1.1.1)

A2. See Section 1.1.2 of the iAM Smart Developer Guide for a description of the different account versions and user profiles.
(Reference: iAM_Smart_Developer_Guide_v2.2.2: 1.1.2)

A3. Direct Login allows iAM Smart users to log in to Online Services from the Service Catalogue in a simple and swift manner.
(Reference: iAM_Smart_Developer_Guide_v2.2.2: 1.1.10, 3.10)

A4. Bulk Digital Signing allows users to sign multiple documents at once.
(Reference: iAM_Smart_Developer_Guide_v2.2.2: 1.1.1, 1.1.12)

A5. Anonymous signing refers to digital signing without requiring service login.
(Reference: iAM_Smart_Developer_Guide_v2.2.2: 1.2.7)

Authentication

A1. The iAM Smart Developer Guide outlines several authentication scenarios, including authentication from different devices and the same device, for both online service websites and apps.
(Reference: iAM_Smart_Developer_Guide_v2.2.2: 3.4)

A2. Section 3.4.5 of the iAM Smart Developer Guide describes the workflow for verifying CCIC users.
(Reference: iAM_Smart_Developer_Guide_v2.2.2: 1.1.9, 3.4.5)

Form Filling

A1. Section 3.5 of the iAM Smart Developer Guide describes the workflows for form filling after successful authentication, covering different device scenarios for websites and apps.
(Reference: iAM_Smart_Developer_Guide_v2.2.2: 3.5)

A2. Anonymous Form Filling allows users to fill out forms without logging in.
(Reference: iAM_Smart_Developer_Guide_v2.2.2: 3.6)

Digital Signing

A1. Section 3.7 of the iAM Smart Developer Guide details the workflows for digital signing with service login, including scenarios for different devices and apps.
(Reference: iAM_Smart_Developer_Guide_v2.2.2: 3.7)

A2. Section 3.8 of the iAM Smart Developer Guide explains the workflows for digital signing without service login (anonymous digital signing).
(Reference: iAM_Smart_Developer_Guide_v2.2.2: 3.8)

Re-authentication

A1. Re-authentication may be required to ensure continued security.
(Reference: iAM_Smart_Developer_Guide_v2.2.2: 1.1.8)

A2. Section 3.9 of the iAM Smart Developer Guide outlines the workflows for re-authentication with service login.
(Reference: iAM_Smart_Developer_Guide_v2.2.2: 3.9)

Direct Login & Direct Access

Bulk Digital Signing

A1. Section 3.11 of the iAM Smart Developer Guide provides workflows for Bulk Digital Signing with service login for different device scenarios.
(Reference: iAM_Smart_Developer_Guide_v2.2.2: 3.11)

A2. Section 3.12 of the iAM Smart Developer Guide details the workflows for Bulk Digital Signing without service login (anonymous).
(Reference: iAM_Smart_Developer_Guide_v2.2.2: 3.12)

A3. Section 3.13 of the iAM Smart Developer Guide describes the workflows for the callback of Bulk Digital Signing results.
(Reference: iAM_Smart_Developer_Guide_v2.2.2: 3.13)

A4. Section 3.14 of the iAM Smart Developer Guide outlines the workflows for enquiring about Bulk Digital Signing results.
(Reference: iAM_Smart_Developer_Guide_v2.2.2: 3.14)

A5. Yes, Section 3.15 of the iAM Smart Developer Guide describes the workflows for canceling Bulk Digital Signing requests.
(Reference: iAM_Smart_Developer_Guide_v2.2.2: 3.15)

APIs

A1. An “iAM Smart” account is identified to an online service by a unique, online service-specific identifier called the “Tokenised ID”. Different online services receive different Tokenised ID values for the same “iAM Smart” user. This helps to preserve the privacy of the “iAM Smart” user, since different online services cannot correlate the same user and track his/her digital footprint by comparing the Tokenised IDs they hold.

A2. The “iAM Smart” system returns an authorisation code to the online service after the “iAM Smart” user authorises the request made by the online service (e.g. authentication). The online service can exchange the authorisation code for an access token. An authorisation code can only be consumed once. Once it has been consumed, or if it is not consumed within 60 seconds of generation, the authorisation code is no longer valid.

A3. To ensure that an API request sent to the “iAM Smart” system is authenticated and originates from the online service, an individual API key (aka clientSecret) is generated for each online service. The online service is required to calculate a keyed-hash message authentication code (HMAC-SHA256) for the API request body and include this signature in the API request when sending it to the “iAM Smart” system.

A4. The signature is computed by using the API key (aka clientSecret) to sign the concatenated string of clientID, signatureMethod, timestamp, nonce, and request body. Pseudo code for signature generation can be found in Section 6.2.1 of the iAM Smart API Specification.

A5. The timestamp is the request submission time expressed in the number of milliseconds since January 1, 1970 00:00:00 GMT. The value MUST be a positive integer and equal to or greater than the timestamp used in previous requests.
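
The signing rules in A3 to A5, sketched as an added example (not code from this page or from the iAM Smart API Specification). Joining the fields with no separator, UTF-8 encoding, Base64 output, the `HmacSHA256` label, the `signature` field name and carrying the fields as headers are all assumptions; Section 6.2.1 of the API Specification is authoritative.

```python
import base64
import hashlib
import hmac
import json
import secrets
import threading
import time

# Assumed label; take the real signatureMethod value from the API Specification.
SIGNATURE_METHOD = "HmacSHA256"


def compute_signature(client_secret, client_id, signature_method,
                      timestamp, nonce, body):
    """HMAC-SHA256 over clientID + signatureMethod + timestamp + nonce + body.

    Assumptions: no separator between fields, UTF-8 bytes, Base64 output.
    """
    message = f"{client_id}{signature_method}{timestamp}{nonce}{body}"
    digest = hmac.new(client_secret.encode("utf-8"),
                      message.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


class RequestSigner:
    """Signs requests with a fresh nonce and a non-decreasing timestamp."""

    def __init__(self, client_id, client_secret,
                 clock=lambda: int(time.time() * 1000)):
        self._client_id = client_id
        self._client_secret = client_secret
        self._clock = clock          # milliseconds since the Unix epoch
        self._last_ts = 0
        self._lock = threading.Lock()

    def _next_timestamp(self):
        # A5 requires each timestamp to be >= the one in the previous request,
        # so a clock that steps backwards (e.g. NTP correction) is clamped.
        with self._lock:
            self._last_ts = max(self._clock(), self._last_ts)
            return self._last_ts

    def sign(self, payload):
        # Serialise once and send exactly these bytes: re-serialising after
        # signing can reorder keys or change whitespace and break the MAC.
        body = json.dumps(payload, separators=(",", ":"), ensure_ascii=False)
        timestamp = self._next_timestamp()
        nonce = secrets.token_hex(16)  # unpredictable, unique per request
        headers = {
            "Content-Type": "application/json",
            "clientID": self._client_id,
            "signatureMethod": SIGNATURE_METHOD,
            "timestamp": str(timestamp),
            "nonce": nonce,
        }
        headers["signature"] = compute_signature(
            self._client_secret, self._client_id, SIGNATURE_METHOD,
            timestamp, nonce, body)
        return headers, body


def verify(client_secret, headers, body):
    """Recompute the MAC as a receiver would and compare in constant time."""
    expected = compute_signature(
        client_secret, headers["clientID"], headers["signatureMethod"],
        headers["timestamp"], headers["nonce"], body)
    return hmac.compare_digest(expected, headers["signature"])


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    signer = RequestSigner("demo-client", "demo-secret")
    hdrs, raw = signer.sign({"businessID": "constructed-sample"})
    print(hdrs["timestamp"], hdrs["nonce"], hdrs["signature"])
    print("valid:", verify("demo-secret", hdrs, raw))
    print("tampered:", verify("demo-secret", hdrs, raw + " "))
```

Because the body is covered by the MAC, any proxy or middleware that rewrites the JSON between signing and sending will cause the request to be rejected.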

A6. Please use “application/json” as the Content-Type.

A7. Apart from Transport Layer Security (TLS) encryption, data encryption in application layer is in place to further protect the data in transit. CEK is a symmetric key used for encrypting API request / response between online service and “iAM Smart” system.

A8. AES-256 symmetric encryption will be adopted for encrypting API data.

A9. Two API parameters “issueAt” and “expiresIn” will be returned along with the CEK when online service makes request to “iAM Smart” system. Online service can use these two parameters to deduce the validity of the CEK.

A10. The same CEK will be returned if it has not expired. The online service can call the revokeKey API to revoke the existing CEK and call the getKey API to request a new CEK.

A11. Each online service is required to provide a digital certificate when registering at “iAM Smart” system. KEK is a public key extracted from the digital certificate for encrypting CEK before returning to the online service. The encrypted CEK can be decrypted by using the private key of the certificate.

A12. The callback URL should be a Fully Qualified Domain Name (FQDN). Exact URL should be registered at “iAM Smart” system. Callback URL should not contain any wildcard character.

Technical Consideration

A1. Currently, no SDK is available for “iAM Smart” development.

A3. The backend of the online service and the “iAM Smart” system backend communicate and respond according to the corresponding actions in the online service mobile app and the “iAM Smart” Mobile App. The “iAM Smart” Mobile App redirects users to the online service mobile app by using the URL scheme previously registered in the “iAM Smart” system. You may download the iAM Smart Developer Guide here for details.

A4. The turn-around time of the whole authentication process depends on the user action via the “iAM Smart” Mobile App, either scanning the QR code or pressing a button to confirm login.

The timeout setting of callback API is 18 minutes; therefore, online service could treat the request as failed if it does not get callback response within 18 minutes.

A5. For details, please refer to Section 3.6 of the Developer Guide.

A6. An “iAM Smart” account can have different account statuses, for example “suspended” and “de-registered”.

A request for authentication will be unsuccessful under some account statuses, and no information about the account status will be passed to the online service.

A7. See Section 3.1 of the iAM Smart Developer Guide for the prerequisites.
(Reference: iAM_Smart_Developer_Guide_v2.2.2: 3.1)

A8. Section 3.2.1 of the iAM Smart Developer Guide explains the interaction flow.
(Reference: iAM_Smart_Developer_Guide_v2.2.2: 3.2.1)

A9. Section 3.2.2 of the iAM Smart Developer Guide describes the process of common API request and response parameters.
(Reference: iAM_Smart_Developer_Guide_v2.2.2: 3.2.2)

A10. Section 3.2.3 of the iAM Smart Developer Guide lists and explains common error codes.
(Reference: iAM_Smart_Developer_Guide_v2.2.2: 3.2.3)

A11. Section 3.3 of the iAM Smart Developer Guide provides details on API data encryption and decryption, including workflows and examples.
(Reference: iAM_Smart_Developer_Guide_v2.2.2: 3.3)

Development and Testing

A2. For iOS testers: upon registration you will receive an invitation email from the Apple TestFlight Programme. Follow the instructions in the email to download the app via TestFlight.

For Android testers: upon registration you can download the app from the Google Play Store by searching for “iAM Smart (Testing App)” with the registered Google Account. Currently it is not available on Huawei App Gallery.

A3. Users need to enable the following setting in the Firefox browser on the mobile phone:

  1. Tap the menu button
  2. Tap Settings
  3. Scroll down to the Advanced section and, next to “Open links in apps”, use the slider to turn it on.

A4. To update the App Link / Universal Link, please update the ITE Application Form and submit to iamsmart@cyberport.hk.

When the update is completed, you will see the updated App Link / Universal Link on the self-service portal.

A5. Please check if the SSL/TLS certificate is valid or not. The certificate chain should consist of the certificate, the intermediate certificate and the root certificate.

Troubleshooting

A1. Refer to Appendix D of the iAM Smart Developer Guide for common pitfalls of App-to-App Direct Login v2.
(Reference: iAM_Smart_Developer_Guide_v2.2.2: Appendix D)