How it works

Otentik trust network

We can’t prevent someone with resolve to counterfeit a good, forge a document or even generate a 2D barcode with a compliant Visible Digital Seal structure. We can make sure validation will fail for all these cases. Our governance is centered around a trust framework and a root trust list that ensure the information is both authentic and legitimate.


The Otentik network brings authenticity by providing confidence on the origin (trusted issuer) and the integrity of the information (tamper detection). In technical terms, the network only carries electronically signed information from signature certificate that have a high Identity Assurance Level (IAL). For this, we rely on a vetted network of Trust Service Providers (TSP) world-wide that uphold the highest certifications in electronic identity management (ex.: eIDAS, WebTrust for CA, etc).


Although electronically signed information confirms the identify of the signer and the integrity of the data, it is not enough in today’s complex world. Our network also brings confidence in the legitimacy of the issuer for the information being signed (ie: we make sure the issuer has the moral, regulatory or legal right to certify the information). This is why a prescription signed by a doctor in good standing could be valid, yet a university diploma signed by the same doctor would fail validation. Our network of Trusted Service Providers are also responsible to verify the legitimacy of the issuer for specific use cases, investigating at the local level when necessary.

Trust anchor

The Otentik network acts as a trusted root that federates the various VDS technologies. The root trust service list (TSL) aims federate the trust service lists of the various implementations of 2D-Doc trust lists and the Otentik VDS trust list, in accordance with the AFNOR Z42-105 (September 2020), ISO 22385 (February 2023) and ISO 22376 (August-September 2023) standards.

Otentik Visible Digital Seal (VDS) technology

Just like the Otentik trust network is architected to support multiple VDS technologies, the Otentik VDS is architected to support just about any use case.

To deliver this value, the security and the integrity of VDS and the network’s building blocks are critical; therefore, each VDS and each building block is electronically signed and verified at each transaction to ensure a full chain of trust.

Use case centric approach

We believe business needs and use cases are strongly coupled; as such, Otentik’s VDS starts at the use case. The experts that define a use case have a powerful technology to make their requirements a reality. They can define key data to include in the schema, data format rules and business policies to validate the VDS, processes to confirm that an issuer is legitimately authorized to sign a use case, and even define the presentation layer to provide a consistent visual representation between the various Otentik code readers and across devices. Use cases are then translated into a machine-readable format (a.k.a. an XML descriptor) so the issuers and the VDS readers can process the information seamlessly, while complying with the policies set in the use case, even when these policies get updated.

Lots of information in a small 2D barcode (or RFID tag)

Most goods and documents can only afford to allocate a small area for a VDS, and RFID tags with large persistent storage are expensive. For this reason, the Otentik VDS is architected to optimize data size. For example, its signature uses Elliptic Curve Cryptography (ECC) instead of RSA cryptography (56 bytes instead of 256). It includes a 6 bytes reference to the signing certificate instead of embedding a multi-kilobytes certificate. It supports a rich yet very compact MessagePack data structure and can even use C40 string encoding on any barcode technology if UTF-8 is deemed not compact enough.

Chain of trust and policy validation

Every building block on the network is electronically signed, and the chain of trust is verified up to a root of trust defined in a Trust Service List (TSL), managed and signed by the Otentik network: VDS, descriptors, signing certificates, certificate revocation status, TSL, etc. In addition to the chain of trust, each VDS gets validated against the policies defined in the use case. These could include restrictions on the VDS validity period, authorized symbologies, requirements for external certified timestamps, accepted cryptographic key length, and many others.

Supports numerous barcode technologies and RFID

An Otentik VDS can be embedded in most 2D barcode technologies, from Datamatrix to QR code, PDF417 and even proprietary 2D barcodes. It can also be stored in RFID tags that have persistent storage. A VDS can be as small as 72 bytes, and as large as the barcode or RFID storage will allow.

All this efficiency and security is done while complying with our foundational principles of authenticity, legitimacy, longevity, privacy-by-design and online/offline support.

User experience

We have architected the Otentik network to deliver trust. The Otentik VDS goes a step further by providing a consistent user experience across VDS readers and devices.

Aim. Click. Trust.

It is as easy and natural as taking a picture: VDS are validated using a mobile or web application. The output will be consistent across all devices to increase confidence.

For commercial and industrial use cases, organizations can also leverage their existing systems equipped with 2D barcode or RFID readers.