Identity Verification ensures interactions between you and your users are kept private, and that a bad actor can't impersonate your users.
Do I need Identity Verification?
In short, if you have set up user identification and are sending critical information to UserGuiding, you should set up and enforce Identity Verification.
What is a user impersonation attack?
On workspaces without Identity Verification it’s possible for a bad actor to impersonate a user. This means a bad actor could see a user’s historical conversations, appear to your teammates as that user and deceive them into taking actions on that user’s account.
For example, without Identity Verification, someone can interact with your UserGuiding materials and spoof the identity of another user, by providing a known identifier like their email address or user_id. This allows an attacker to pose as a real user to your teammates, giving access to previous interactions and potentially sensitive data.
How does Identity Verification protect my account?
With Identity Verification, you generate a unique user hash for each of your users based on their email address or user_id and your account's identity verification secret (reach out to our support team). Your integration will generate and send these hashes along with every UserGuiding request, allowing us to trust that the user request truly came from you.
Here’s how your UserGuiding requests are protected from impersonation when you properly enable Identity Verification for your workspace.
Identity Verification prevents cross-user impersonation on your workspace because without access to your secret, a third party attempting to spoof a user's identifier to UserGuiding will be unable to send UserGuiding a valid user hash for that user.
Does Identity Verification affect the user experience?
With Identity Verification correctly set up, there is no impact on your customers. Users will experience UserGuiding as normal. There is no extra action required from them to authenticate themselves or use UserGuiding materials.
Why don’t you have one secret for all platforms?
We made a unique secret for each platform so it would be easier to rotate each one or enable Identity Verification on each platform independently.
How do I generate a unique hash per platform when I use the same backend for all users?
You shouldn’t generate the hash and store it in your database. You should instead generate it and dynamically send it when identifying the user to UserGuiding. This will mean that when you change secrets or the user is using a different platform, you’ll have the correct hash being sent.
If you store the hash and send it, you’d have to do a mass regeneration upon any change to your secret, which would create friction for you.
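The following sketch shows the hash being derived per request from a per-platform secret, and why a stored hash goes stale after rotation. It is an added example, not UserGuiding's own script: it assumes the hash is an HMAC-SHA256 hex digest of the user identifier (this page does not state the algorithm), and the platform names, secrets, user IDs and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed per-platform secrets for illustration. Real secrets are issued
# per platform and must live server-side only (environment or secrets manager).
PLATFORM_SECRETS = {
    "web": b"constructed-web-secret",
    "mobile": b"constructed-mobile-secret",
}


def user_hash(user_id, platform, secrets=PLATFORM_SECRETS):
    """Derive the hash at request time from the platform's current secret.

    Assumption: HMAC-SHA256 hex digest over the user identifier.
    """
    key = secrets[platform]  # unknown platform raises KeyError (fail closed)
    return hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def login_response(user_id, platform, secrets=PLATFORM_SECRETS):
    """Login payload for the client; the hash is computed here, never stored."""
    return {"user_id": user_id, "user_hash": user_hash(user_id, platform, secrets)}


def is_valid(user_id, presented_hash, platform, secrets=PLATFORM_SECRETS):
    """Receiving-side check (illustrative): constant-time comparison."""
    expected = user_hash(user_id, platform, secrets)
    return hmac.compare_digest(expected.encode(), presented_hash.encode())


if __name__ == "__main__":
    resp = login_response("user-1001", "web")
    print("genuine user accepted:", is_valid("user-1001", resp["user_hash"], "web"))
    # A different identifier sent with the same hash does not verify.
    print("swapped identifier accepted:", is_valid("user-2002", resp["user_hash"], "web"))
    # After rotating the web secret, a stored hash would be stale.
    rotated = dict(PLATFORM_SECRETS, web=b"constructed-web-secret-v2")
    print("old hash after rotation accepted:",
          is_valid("user-1001", resp["user_hash"], "web", rotated))
```

Because the secret never leaves the back end, the client only ever sees the resulting hash for its own identifier.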
How to set up Identity Verification?
user_hash value on your back-end:
Below you can find a Python script to create user_hash for your users. You can include user_hash in a login response.
def make_digest(user_id, key = USERGUIDING_ACCOUNT_SECRET_KEY):
2. Identify user with
email: "[email protected]",