Identity Verification

What is identity verification?

Identity verification ensures that none of your users can impersonate other users. In other words, it ensures the Who part of CommandBar targeting is legit. You may not care much about users impersonating other users, and that might be fine. In many situations, it doesn’t matter much (and any user who knows how to impersonate another user is probably using your product in an adversarial scenario). But there are certain scenarios in which identity verification is required for CommandBar to enable certain features.

Our identity verification approach works by using a server-side-generated HMAC (generated using a shared secret) to tell your frontend who the logged-in user is.
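
The following sketch shows the general shape of this scheme. It is an added example, not CommandBar's own code: it assumes the tag is HMAC-SHA256 over the user ID, hex-encoded, and the secret, user IDs and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed secret for this example. A real shared secret stays in
# server-side configuration and is never shipped in frontend code.
SHARED_SECRET = b"example-secret-not-a-real-key"


def sign_user_id(user_id: str, secret: bytes = SHARED_SECRET) -> str:
    """Server side: compute the tag handed to the frontend with the user ID.

    Assumption: HMAC-SHA256 over the UTF-8 user ID, hex-encoded.
    """
    return hmac.new(secret, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_user_id(user_id: str, tag: str, secret: bytes = SHARED_SECRET) -> bool:
    """Verifier side: recompute the tag and compare in constant time.

    Both values are encoded to bytes first so a non-ASCII tag is rejected
    instead of raising inside compare_digest.
    """
    expected = sign_user_id(user_id, secret)
    return hmac.compare_digest(expected.encode("utf-8"), tag.encode("utf-8"))


def demo() -> dict:
    """Show which claims pass: only the ID that the server actually signed."""
    tag = sign_user_id("user-1001")
    return {
        # The logged-in user presents their own ID and tag.
        "genuine": verify_user_id("user-1001", tag),
        # Same tag, but the ID was changed in the browser.
        "swapped_id": verify_user_id("user-1002", tag),
        # A tag computed without knowing the real secret.
        "forged_tag": verify_user_id(
            "user-1002", sign_user_id("user-1002", b"guessed-secret")
        ),
    }


if __name__ == "__main__":
    print(demo())
```

Because the tag can only be produced with the secret, changing the user ID in the browser invalidates it; this holds only as long as the secret never reaches client-side code.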

We recommend turning on identity verification for maximum security. It requires a developer, but should only take a few minutes and the added security is well worth the effort.

When should I enable identity verification?

If you want to add protection for your documentation (“Make docs private” setting), you must enable identity verification with HMAC. This setting only allows users authenticated with CommandBar to view your documentation, which is useful in cases where your docs aren’t public or contain sensitive information.

All other CommandBar features are available whether or not you have identity verification enabled, but identity verification offers an additional level of security which can be useful in certain cases. For example, it can offer additional protection if you have CommandBar state that is security-critical, or critical to your application.

Identity verification provides another layer of security in front of your users’ CommandBar state. For example, if you have a nudge that is only shown to certain users and that you want to keep private, it makes sense to enable identity verification.

How do I turn on identity verification?

You can add identity verification by following the instructions at Dashboard -> Profile -> Identity Verification.