Authentication overview

COVID-ID provides a system for managing COVID-19 vaccination and test results, aimed at both individual users through a mobile application and organizations via a dedicated web portal. The authentication mechanisms are designed to safeguard sensitive health information, aligning with healthcare data security standards. Access control is critical due to the personal nature of the data involved, necessitating strong identity verification processes.

For end-users, authentication typically involves verifying individual identity to access personal health records within the mobile application. Organizations, such as healthcare providers or public health agencies, authenticate to the web portal to manage and verify records, often requiring administrative credentials and adherence to internal security policies. The system's design prioritizes preventing unauthorized access to health data, which is a fundamental requirement for any healthcare management platform.

While the COVID-ID system primarily supports direct user and organizational access, extensive public APIs or SDKs for direct developer integration are not prominently featured in its publicly available resources. Therefore, this document focuses on the authentication methods available for direct users and organizations as described by COVID-ID's operational model.

Supported authentication methods

COVID-ID employs various authentication methods tailored to its user base: individual mobile users and organizational web portal administrators. The primary goal is to provide a secure, yet accessible, means of verifying identity before granting access to health records. Multi-factor authentication (MFA) is a critical component across most access points to enhance security beyond simple password protection.

User Authentication (Mobile Application)

  • Email/Password Login: Standard username (email) and password combination for initial access.
  • Multi-Factor Authentication (MFA): Typically involves a second verification step, such as a one-time passcode (OTP) sent to a registered mobile number or email, or biometric verification (fingerprint, facial recognition) if supported by the device. This provides an additional layer of security against unauthorized access, a common practice in protecting sensitive information online as detailed by the FIDO Alliance's guidance on MFA.
  • Biometric Authentication: For devices supporting it, users may enable fingerprint or facial recognition as a convenient and secure way to re-authenticate after initial login, without repeatedly entering credentials.
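
The server-side half of the OTP step described above, as an added example (not COVID-ID code): a passcode that is single-use, time-limited and attempt-limited. The 6-digit length, 5-minute lifetime, 5-attempt cap and all names are assumptions.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed validity window for a delivered code
MAX_ATTEMPTS = 5        # assumed cap on guesses per issued code


class OtpChallenge:
    """One pending second-factor challenge tied to one login attempt."""

    def __init__(self, code, now):
        self._code = code.encode()
        self._expires = now + OTP_TTL_SECONDS
        self._attempts = 0
        self._used = False

    def verify(self, submitted, now=None):
        now = time.time() if now is None else now
        if self._used:
            return "consumed"            # a code is never accepted twice
        if now > self._expires:
            return "expired"
        if self._attempts >= MAX_ATTEMPTS:
            return "locked"              # caller must issue a fresh challenge
        self._attempts += 1
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(submitted.encode(), self._code):
            self._used = True
            return "ok"
        return "invalid"


def issue_otp(now=None):
    """Return (code to deliver out of band, challenge kept server-side)."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.randint
    return code, OtpChallenge(code, now)
```
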

Organizational Authentication (Web Portal)

  • Organizational Credentials: Access to the COVID-ID web portal for organizations requires administrative credentials, often tied to specific roles and permissions within the organization.
  • Multi-Factor Authentication (MFA): Mandatory for organizational portal access, similar to user MFA, providing an extra layer of security for administrators managing potentially large datasets of health information.
  • Role-Based Access Control (RBAC): While not strictly an authentication method, RBAC works in conjunction with authentication to ensure that authenticated users only access the data and functions pertinent to their assigned roles within the organization, such as data entry, verification, or reporting. This is a critical security principle for enterprise systems, as described in Microsoft's documentation on identity and access management.

The following table summarizes the primary authentication methods:

| Method | When to Use | Security Level |
|---|---|---|
| Email/Password | Initial login for mobile app users | Standard |
| Multi-Factor Authentication (MFA) | All user and organizational logins | High (Recommended) |
| Biometric Authentication | Subsequent logins for mobile app users on supported devices | High (Device-dependent convenience) |
| Organizational Credentials | Web portal access for administrators | High (Combined with MFA/RBAC) |

Getting your credentials

Obtaining and managing credentials for COVID-ID differs based on whether you are an individual user of the mobile application or an administrator for an organization utilizing the web portal.

For Individual Mobile Application Users:

  1. Registration: Users typically create an account directly within the COVID-ID mobile application. This process involves providing an email address (which often serves as the username) and setting a password.
  2. Email Verification: A verification email is usually sent to the registered address to confirm ownership and activate the account.
  3. MFA Setup: During or immediately after registration, users are prompted to set up multi-factor authentication, such as linking a phone number for OTPs or enabling device-specific biometrics.
  4. Password Recovery: If a password is forgotten, a self-service password reset option is available, typically involving an email-based recovery link or OTP verification.

For Organizational Web Portal Administrators:

  1. Organizational Onboarding: Access to the COVID-ID web portal is typically granted as part of an organization's onboarding process with COVID-ID. This usually involves an agreement and setup phase where designated administrators are identified.
  2. Administrator Account Creation: COVID-ID or the organization's primary administrator will set up initial administrator accounts for the portal. This often involves an invitation process where administrators receive a link to set their initial password.
  3. MFA Enforcement: MFA is mandatory for organizational portal access and is typically configured during the initial account setup.
  4. Role Assignment: Administrators are assigned specific roles and permissions within the portal, dictating their level of access and capabilities.
  5. Credential Management: Organizational administrators are responsible for managing their own passwords and MFA settings through the portal's account management section. Policies for password rotation and strength are often enforced.

For specific instructions or troubleshooting, organizations should refer to the direct documentation provided during their COVID-ID implementation or contact COVID-ID support, as outlined on the COVID-ID homepage.

Authenticated request example

Since COVID-ID primarily functions through a mobile application and a web portal with limited public API documentation, a direct API request example for third-party developers is not readily available. However, the underlying principles of an authenticated request remain consistent across secure digital platforms.

Conceptually, if COVID-ID were to expose a public API using a common method like OAuth 2.0 (an industry standard for delegated authorization, as described by OAuth.net), an authenticated request to a secure endpoint would involve:

  1. Obtaining an Access Token: After a user or application successfully authenticates (e.g., via username/password and MFA, or client credentials), an access token is issued. This token represents the authorization granted to access specific resources.
  2. Including the Token in Requests: Subsequent requests to protected API endpoints would include this access token, typically in the Authorization header using the Bearer scheme.

Example using a hypothetical API endpoint and cURL:

curl -X GET \
  'https://api.covid-id.com/v1/user/health-records' \
  -H 'Authorization: Bearer YOUR_ACCESS_TOKEN_HERE'

In this hypothetical example:

  • YOUR_ACCESS_TOKEN_HERE would be the dynamically obtained access token.
  • The GET request would retrieve health records for the authenticated user.
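
How a server could check the bearer token from the hypothetical request above and then apply the role-based access control described earlier; this is an added example, not COVID-ID's API. The in-memory token store, permission strings, 15-minute lifetime and function names are assumptions; the role names follow the page's examples.

```python
import secrets
import time

# Hypothetical role-to-permission map (deny by default for anything unlisted).
ROLE_PERMISSIONS = {
    "data_entry": {"records:write"},
    "verification": {"records:read", "records:verify"},
    "reporting": {"reports:read"},
}
TOKEN_TTL_SECONDS = 900   # assumed short access-token lifetime
_tokens = {}              # token -> (subject, role, expires_at); stand-in for a real store


def issue_token(subject, role, mfa_passed, now=None):
    """Issue an opaque access token only after password and MFA both succeeded."""
    if not mfa_passed or role not in ROLE_PERMISSIONS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    _tokens[token] = (subject, role, now + TOKEN_TTL_SECONDS)
    return token


def authorize(authorization_header, permission, now=None):
    """Return (HTTP status, subject) for a request carrying an Authorization header."""
    now = time.time() if now is None else now
    scheme, _, token = (authorization_header or "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return 401, None                       # missing header or wrong scheme
    entry = _tokens.get(token.strip())
    if entry is None or now >= entry[2]:
        return 401, None                       # unknown or expired token
    subject, role, _expires = entry
    if permission not in ROLE_PERMISSIONS.get(role, set()):
        return 403, subject                    # authenticated, but role lacks permission
    return 200, subject
```

The 401/403 split mirrors the page's distinction: authentication proves who the caller is, RBAC decides what that caller may do.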

For the existing COVID-ID mobile application and web portal, authentication is handled internally by the platform's client-side logic, abstracting these underlying HTTP requests from the end-user or administrator.

Security best practices

Adhering to security best practices is crucial when interacting with any system handling sensitive health data, such as COVID-ID. Both individual users and organizational administrators play a role in maintaining the integrity and confidentiality of this information.

For Individual Users:

  • Strong, Unique Passwords: Use complex passwords that are unique to your COVID-ID account. Avoid reusing passwords from other services. Password managers can help generate and store these securely.
  • Enable Multi-Factor Authentication (MFA): Always enable MFA for your COVID-ID account. This adds a critical layer of security, making it significantly harder for unauthorized individuals to access your account even if they obtain your password.
  • Keep Devices Secure: Ensure the mobile device on which the COVID-ID app is installed is protected with a strong passcode, biometrics, and up-to-date security software.
  • Be Wary of Phishing: Be skeptical of unsolicited emails or messages asking for your COVID-ID credentials. Always verify the sender and URL before entering your login information. COVID-ID will not ask for your password via email.
  • Log Out When Not in Use: Especially on shared devices, always log out of your COVID-ID account when you are finished using it.
  • Regularly Update the App: Keep your COVID-ID mobile application updated to the latest version to benefit from security patches and improvements.

For Organizational Administrators:

  • Enforce Strong Password Policies: Mandate robust password requirements for all administrators accessing the COVID-ID web portal, including length, complexity, and regular rotation.
  • Implement Mandatory MFA: Ensure MFA is enforced for all administrative accounts. Consider hardware security keys or app-based authenticators for enhanced protection.
  • Principle of Least Privilege: Grant administrators only the minimum necessary permissions required for their specific roles. Regularly review and adjust these permissions as roles change.
  • Regular Security Audits: Conduct periodic security audits of access logs and user activities within the COVID-ID portal to detect any unusual or unauthorized behavior.
  • Secure Workstations: Ensure that all workstations used to access the COVID-ID portal are secured with strong passwords, up-to-date operating systems, antivirus software, and firewalls.
  • Employee Training: Provide ongoing security awareness training to all staff who interact with the COVID-ID system, focusing on phishing, social engineering, and data handling best practices.
  • Secure Network Access: Access the COVID-ID portal from secure, trusted networks. Avoid using public Wi-Fi for administrative tasks. Implement VPNs where appropriate.
  • Incident Response Plan: Have a clear incident response plan in place for potential security breaches, including steps for detection, containment, eradication, recovery, and post-incident analysis.

By following these best practices, both individual users and organizations can significantly reduce the risk of unauthorized access and protect the sensitive health data managed by COVID-ID.