Visitor Identity Verification
(Last Updated On: September 21, 2020)
Visitor Identity Verification is advanced security and identity protection for businesses that communicate with authenticated users (users signed into an application, portal or other backend system). This feature is available for Enterprise clients. Please come and speak to us if you would like to upgrade.
Clients want to ensure that the person they are chatting with is, in fact, the same person who signed into their systems. Once implemented, this feature will provide a simple indicator to agents that the user identity has been verified. This gives agents confidence to discuss account details, order history or other information with the visitor.
Our visitor identity verification is stronger and more sophisticated than that of most competitors on the market. We use unique one-time tokens and/or timestamp-expiring tokens to ensure that every conversation is verified and not subject to “playback” (replay) hack techniques.
To do this, your website or app provides an HMAC signature (a keyed hash computed with a shared secret) for any known user attempting to use chat, along with that user’s identity. On the server side, SnapEngage uses the same secret key to generate its own signature over the data it received. If the two signatures match, we display a visual indicator in the Hub so that the agent knows the identity has been verified. If the signatures do not match, there is some problem or the data has been tampered with, and SnapEngage displays a warning to the agent that the user identity has not been verified.
This feature needs to be enabled by a SnapEngage administrator under Settings.
There is a setting to turn on Identity Verification and to configure the details that allow for secure identity verification. The administrator needs to supply the secret token that is used to sign the user identity; SnapEngage uses it to compute its own HMAC and compare it with the HMAC passed to SnapEngage by the client’s website or app.
On the Admin Dashboard, under Settings, head over to the Options tab.
Check the box called Visitor Identity Verification.
Choose the verification secret, and set a time to invalidate the signature.
The agent sees one of three indicators on the Hub. If the visitor’s timestamp has expired, the agent will see a grey tooltip (1). If the identity has been validated correctly, they will see a blue tooltip with a blue tick (2). If the data has been tampered with, they will see a red dot with an exclamation mark (3).
The signature is created by concatenating the content that you want to verify + the nonce + the timestamp, and then computing a keyed hash (HMAC) of the result using the secret that you set up on the admin dashboard.
You can find the technical documentation here.
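The signing and checking flow described above, as an added Python example that is not SnapEngage's code or API. It assumes HMAC-SHA256 with hex output, plain concatenation with no separator, and timestamps in seconds; the names `sign`, `Verifier` and `demo`, the secret, and the "replayed" result are hypothetical, and the technical documentation defines the actual format.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: stands in for the verification secret
MAX_AGE = 300  # assumption: signature lifetime in seconds


def sign(content, nonce, timestamp, secret=SECRET):
    """Site side: HMAC over content + nonce + timestamp (SHA-256/hex assumed)."""
    message = f"{content}{nonce}{timestamp}".encode("utf-8")
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


class Verifier:
    """Receiving side: recompute the signature, then check freshness and reuse."""

    def __init__(self, secret=SECRET, max_age=MAX_AGE):
        self.secret, self.max_age = secret, max_age
        self.seen_nonces = set()  # a real service needs a shared store with expiry

    def check(self, content, nonce, timestamp, signature, now=None):
        now = int(time.time()) if now is None else now
        expected = sign(content, nonce, timestamp, self.secret)
        # Compare in constant time; the MAC covers nonce and timestamp, so it
        # must pass before either value is trusted.
        if not hmac.compare_digest(expected.encode(), str(signature).encode()):
            return "tampered"   # red indicator in the article
        if now - timestamp > self.max_age:
            return "expired"    # grey indicator in the article
        if nonce in self.seen_nonces:
            return "replayed"   # assumption: the article does not name this state
        self.seen_nonces.add(nonce)
        return "verified"       # blue tick in the article


def demo():
    """Run four constructed requests through one verifier."""
    v, t0 = Verifier(), 1_600_000_000  # constructed clock value
    user = "visitor@example.com"       # constructed identity
    good = sign(user, "nonce-1", t0)
    old = sign(user, "nonce-2", t0 - 900)
    return [
        v.check(user, "nonce-1", t0, good, now=t0 + 10),
        v.check(user, "nonce-1", t0, good, now=t0 + 20),
        v.check("other@example.com", "nonce-1", t0, good, now=t0 + 30),
        v.check(user, "nonce-2", t0 - 900, old, now=t0),
    ]
```

The signature must be computed on your server, never in page JavaScript, because anyone who can read the secret can sign any identity.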
Published September 16, 2020