Simple SAKEM Procedure

Simple SAKEM procedure: on-line registration followed by out-of-band verification of identity.

The on-line registration appears to the end-user as filling in a computer form that is sent to the issuing organization. In fact, this transmission also encompasses the generation of a cryptographic key and/or a secret (e.g. a password) that is shared between the client system or device and the issuing organization. Technical security mechanisms act quietly behind the screen to prevent eavesdropping and other attacks during the on-line registration phase.

The out-of-band verification of identity may use a personal visit to a branch location, a telephone conversation with a properly trained customer service representative, or a paper form sent to the issuing organization. The general concept is to use an alternate channel to double-check the origin of an electronic transmission, which is by itself very difficult to ascertain.

It is only when the verification of identity is complete that the cryptographic key and/or secret becomes fully operational for the purpose of the requested service. (In the interim period, the issuing organization might choose to provide limited access rights to its new client, as in a promotional enrolment rebate campaign.)

In addition to being simple, the SAKEM procedure is built to provide integrity between its on-line portion and the verification of identity. This integrity represents positive client authentication, and it is carried forward by the issuing organization if it preserves the secrecy of its customers' authentication keys.
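The two phases and the interim state can be modelled as follows. This is an added sketch, not code from the SAKEM specification or its author. It assumes the on-line and out-of-band steps are tied together by a short verification code derived from the registered key; the page does not state the actual mechanism, and the names `Issuer`, `verification_code` and the "limited"/"full" rights are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass

PENDING, ACTIVE = "pending", "active"

def verification_code(client_id: str, key: bytes) -> str:
    """Short code derived from the registered key (assumed binding, not from the page)."""
    digest = hashlib.sha256(client_id.encode() + b"\x00" + key).hexdigest()
    return "-".join(digest[i:i + 4] for i in range(0, 16, 4))

@dataclass
class Enrollment:
    client_id: str
    key: bytes
    state: str = PENDING

class Issuer:
    def __init__(self) -> None:
        self.records: dict[str, Enrollment] = {}

    def register_online(self, client_id: str, key: bytes) -> None:
        # Phase 1: the key arrives with the on-line form and is stored as pending.
        if client_id in self.records:
            raise ValueError("client already registered")
        self.records[client_id] = Enrollment(client_id, key)

    def verify_out_of_band(self, client_id: str, code_from_client: str) -> bool:
        # Phase 2: the code given over the alternate channel by the identified
        # person must match the code computed from the key received on-line.
        rec = self.records.get(client_id)
        if rec is None or rec.state != PENDING:
            return False
        expected = verification_code(rec.client_id, rec.key)
        if hmac.compare_digest(expected.encode(), code_from_client.encode()):
            rec.state = ACTIVE  # key becomes fully operational only now
            return True
        return False

    def access_rights(self, client_id: str) -> str:
        rec = self.records.get(client_id)
        if rec is None:
            return "none"
        return "full" if rec.state == ACTIVE else "limited"

if __name__ == "__main__":
    issuer, key = Issuer(), bytes(range(32))  # constructed sample key
    issuer.register_online("alice", key)
    print(issuer.access_rights("alice"))      # interim period
    issuer.verify_out_of_band("alice", verification_code("alice", key))
    print(issuer.access_rights("alice"))
```

If a different key had been substituted during the on-line phase, the code the genuine client reads out would not match the one computed from the stored key, and the record would stay pending.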
