Best Practice
Here we provide practical tips and best practices to help you create a secure, efficient, and user-friendly onboarding and verification process.
User Experience (UX) Best Practices
- Pre-verification checklist
  Many users begin verification without preparation, which causes unnecessary token expiration and forces new tokens to be generated.
  Display a clear checklist before redirecting to verification:
  - Required documents.
  - Supported document types.
  - Expected verification duration.
- Device camera check
  Before redirecting, inform the user that a camera will be required for verification.
Onboarding Best Practices
If your integration redirects users to iDenfy’s branded flow (not using whitelabel), display a brief message explaining that:
- Verification is processed by iDenfy; explicitly state that a trusted third-party provider will securely process personal data.
- Data is handled according to GDPR, CCPA, and other relevant privacy regulations.
Without this notice, users may be confused about why they are suddenly sharing sensitive information with a third-party provider.
Security Best Practices
Token Management
- Backend-only token generation
  - Generate all verification tokens in your backend.
  - Never expose token generation endpoints or API secrets in the frontend.
  - Prevent end users from altering token data in requests.
- Restrict token creation frequency
  - Limit how often tokens can be generated for the same user.
  - This helps prevent abuse and saves verification credits.
Session & Token generation
- Session expiry handling
  - Prompt users to restart verification, or offer the option to regenerate a token, if the session has expired.
- Auto & Manual review handling
  - If you use manual review and redirect users after the automatic review, keep in mind that the final results might still change.
Security
- Secure storage of API keys
  - Store keys in environment variables or a secret manager.
  - Rotate keys periodically and revoke them immediately if compromised.
- Rate limiting & abuse prevention
  - Add throttling to prevent brute-force verification attempts.
  - Monitor token creation and usage patterns.
- Audit logs
  - Keep records of token creation, verification attempts, and session activity for security analysis and debugging.
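The following is an added example (not iDenfy's SDK or API) that puts the backend-only token generation, per-user rate limiting and audit logging points above into one server-side component. The provider call is a constructed stand-in, the client identifier is assumed to come from the server's own authenticated session, and the limit of 3 tokens per rolling hour is an assumed policy.

```python
import secrets
import time
from collections import defaultdict, deque


def fake_provider_call(api_secret: str, client_id: str) -> str:
    """Constructed stand-in for the provider's token endpoint (not iDenfy's API).
    A real implementation would call the provider from the backend using the secret."""
    assert api_secret, "the backend must hold a non-empty secret"
    return secrets.token_urlsafe(16)


class VerificationTokenIssuer:
    """Backend-side token issuer: the API secret never reaches the browser,
    the client identifier is taken from the server session (not the request body),
    each user is throttled, and every decision is written to an audit log."""

    def __init__(self, api_secret, provider_call, max_per_window=3, window_seconds=3600):
        self._api_secret = api_secret        # load from env or a secret manager in production
        self._provider_call = provider_call  # provider_call(api_secret, client_id) -> token
        self._max = max_per_window           # assumed policy: 3 tokens per rolling hour
        self._window = window_seconds
        self._issued = defaultdict(deque)    # client_id -> timestamps of recent issuances
        self.audit_log = []                  # append-only event records for later analysis

    def issue(self, client_id, now=None):
        """Return a new token, or None when the per-user limit is exhausted."""
        now = time.time() if now is None else now
        recent = self._issued[client_id]
        while recent and now - recent[0] >= self._window:  # drop entries outside the window
            recent.popleft()
        if len(recent) >= self._max:
            self._audit("token_denied_rate_limit", client_id, now)
            return None
        token = self._provider_call(self._api_secret, client_id)
        recent.append(now)
        self._audit("token_issued", client_id, now)         # record the event, never the token
        return token

    def _audit(self, event, client_id, ts):
        self.audit_log.append({"event": event, "client_id": client_id, "ts": ts})
```

Passing `now` explicitly makes the throttle deterministic in tests; in production the default wall clock is used.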
Data Protection & Compliance Best Practices
- Privacy law compliance
  Ensure your integration complies with:
  - GDPR (EU data privacy).
  - CCPA (California Consumer Privacy Act).
  - Other relevant regional data protection regulations.
- Consent and transparency
  - Display clear consent screens before verification starts.
  - Offer options to access or delete data in compliance with data subject rights.