Identity Verification
Written by Muhammet
Updated over a week ago

Identity Verification ensures that interactions between you and your users are kept private and that a bad actor can't impersonate your users.

Do I need Identity Verification?

In short, if you have set up user identification and send critical information to UserGuiding, you should set up and enforce Identity Verification.

Note: If you only use UserGuiding for website visitors who don't log in, you don't need Identity Verification. It only applies to users for whom you have identifiers such as an email address or user_id.

What is a user impersonation attack?

On workspaces without Identity Verification it’s possible for a bad actor to impersonate a user. This means a bad actor could see a user’s historical conversations, appear to your teammates as that user and deceive them into taking actions on that user’s account.

For example, without Identity Verification, someone can interact with your UserGuiding materials and spoof the identity of another user, by providing a known identifier like their email address or user_id. This allows an attacker to pose as a real user to your teammates, giving access to previous interactions and potentially sensitive data.

How does Identity Verification protect my account?

With Identity Verification, you generate a unique user hash for each of your users based on their email address or user_id and your account's identity verification secret (contact our support team to obtain it). Your integration generates and sends these hashes along with every UserGuiding request, allowing us to trust that the user request truly came from you.

Here’s how your UserGuiding requests are protected from impersonation when you properly enable Identity Verification for your workspace.

Identity Verification prevents cross-user impersonation on your workspace because without access to your secret, a third party attempting to spoof a user's identifier to UserGuiding will be unable to send UserGuiding a valid user hash for that user.

Once Identity Verification is enforced, the UserGuiding container will not load or accept requests for your logged-in users without a valid user hash.

Does Identity Verification affect the user experience?

With Identity Verification correctly set up, there is no impact on your customers. Users will experience UserGuiding as normal. No extra action is required from them to authenticate themselves or use UserGuiding materials.

Why don’t you have one secret for all platforms?

We made a unique secret for each platform so that it is easier to rotate each one or to enable Identity Verification on each platform independently.

How do I generate a unique hash per platform when I use the same backend for all users?

You shouldn't generate the hash and store it in your database. Instead, generate it and send it dynamically when identifying the user to UserGuiding. This means that when you change secrets, or the user is using a different platform, the correct hash will be sent.

If you store the hash and send it, you’d have to do a mass regeneration upon any changes to your secret which would create friction for you.


How do I set up Identity Verification?

1. Contact the UserGuiding team to learn your account secret

Our team will activate this feature for you and share your 16-digit account secret.

2. Generate the user_hash value on your back-end

Below you can find a Python script that creates a user_hash for your users. You can include user_hash in a login response.

import hashlib
import hmac
import os
# Account secret shared by the UserGuiding team; keep it on the back-end and read it from the environment rather than hard-coding it
USERGUIDING_ACCOUNT_SECRET_KEY = os.environ["USERGUIDING_ACCOUNT_SECRET_KEY"]

def make_digest(user_id, key=USERGUIDING_ACCOUNT_SECRET_KEY):
    # HMAC-SHA256 of the user identifier, keyed with the account secret; the hex digest is the user_hash
    return hmac.new(
        bytes(key, encoding="utf-8"),
        bytes(str(user_id), encoding="utf-8"),
        digestmod=hashlib.sha256,
    ).hexdigest()

3. Identify the user with user_hash

userGuiding.identify(
    user_id,
    {
        email: "user@example.com",    // placeholder: the user's email address
        user_hash: "user#hash#value"  // placeholder: the digest produced by make_digest() on your back-end
    }
);