
Best Practice

This page collects practical tips and best practices to help you create a secure, efficient, and user-friendly onboarding and verification process.


User Experience (UX) Best Practices

  • Pre-verification checklist
    Many users begin verification without preparation, causing unnecessary token expiration and requiring new token generation.
    Display a clear checklist before redirecting to verification:
    • Required documents.
    • Supported document types.
    • Expected verification duration.
  • Device camera check
    Before redirecting, inform the user that a camera will be required for verification.

Onboarding Best Practices

If your integration redirects users to iDenfy’s branded flow (not using whitelabel), display a brief message explaining that:

  • Verification is processed by iDenfy: state explicitly that a trusted third-party provider will securely process the user's personal data.
  • Data is handled according to GDPR, CCPA, and other relevant privacy regulations.

Without such a notice, users may be confused about why they are suddenly asked to share sensitive information with a third-party provider.

Security Best Practices

Token Management

  • Backend-only token generation

    • Generate all verification tokens in your backend.
    • Never expose token generation endpoints or API secrets in the frontend.
    • Prevent end users from altering token data in requests.
  • Restrict token creation frequency

    • Limit how often tokens can be generated for the same user.
    • Helps prevent abuse and saves verification credits.

Session & Token generation

  • Session expiry handling

    • Prompt users to restart verification, or offer an option to regenerate a token, if the session has expired.
  • Auto & Manual review handling

    • If you use manual review and redirect users after the automatic review, keep in mind that the final result might still change.

Security

  • Secure storage of API keys

    • Store keys in environment variables or a secret manager.
    • Rotate keys periodically and revoke immediately if compromised.
  • Rate limiting & abuse prevention

    • Add throttling to prevent brute-force verification attempts.
    • Monitor token creation and usage patterns.
  • Audit logs
    Keep records of token creation, verification attempts, and session activity for security analysis and debugging.
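The following backend token service is an added example, not iDenfy's own code or API client; it pulls together the Token Management, Session expiry handling and Security points above. It assumes a hypothetical `issue_token(api_key, api_secret, client_id)` callable that performs the actual call to the provider's token endpoint, and environment variable names (`IDENFY_API_KEY`, `IDENFY_API_SECRET`) chosen for illustration. Tokens are created only server-side with credentials loaded from the environment, creation is rate-limited per user, an expired session token is regenerated instead of reused, and every action (but never the token value or secrets) is written to an audit log.

```python
"""Backend-only verification token service (constructed example)."""
import logging
import os
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional, Tuple

logger = logging.getLogger("verification.audit")


class RateLimited(Exception):
    """Raised when a user has requested too many tokens in the window."""


@dataclass
class VerificationToken:
    value: str
    issued_at: float
    ttl_seconds: float

    def is_expired(self, now: float) -> bool:
        return now >= self.issued_at + self.ttl_seconds


def load_credentials() -> Tuple[str, str]:
    """Read API credentials from the environment (populated by a secret
    manager in production). Variable names are assumed for this example;
    credentials are never hard-coded and never sent to the frontend."""
    key = os.environ.get("IDENFY_API_KEY")
    secret = os.environ.get("IDENFY_API_SECRET")
    if not key or not secret:
        raise RuntimeError("API credentials missing from environment")
    return key, secret


class TokenService:
    def __init__(
        self,
        issue_token: Callable[[str, str, str], str],
        max_per_window: int = 3,
        window_seconds: float = 3600.0,
        token_ttl_seconds: float = 1800.0,
        clock: Callable[[], float] = time.time,
        credentials: Callable[[], Tuple[str, str]] = load_credentials,
    ) -> None:
        # issue_token is a hypothetical stand-in for the provider API call.
        self._issue = issue_token
        self._max = max_per_window
        self._window = window_seconds
        self._ttl = token_ttl_seconds
        self._clock = clock
        self._credentials = credentials
        self._history: Dict[str, Deque[float]] = defaultdict(deque)
        self._active: Dict[str, VerificationToken] = {}
        self.audit: List[Dict] = []  # in production: append-only log store

    def _record(self, event: str, client_id: str, **extra) -> None:
        # Audit entries carry who/what/when, never the token or API secret.
        entry = {"ts": self._clock(), "event": event, "client_id": client_id, **extra}
        self.audit.append(entry)
        logger.info("%s", entry)

    def _check_rate_limit(self, client_id: str, now: float) -> None:
        # Sliding window: drop timestamps older than the window, then count.
        hist = self._history[client_id]
        while hist and now - hist[0] >= self._window:
            hist.popleft()
        if len(hist) >= self._max:
            self._record("token_rate_limited", client_id, recent=len(hist))
            raise RateLimited(f"too many tokens for {client_id}")

    def get_or_create_token(self, client_id: str) -> VerificationToken:
        """Return the user's current token, or a fresh one if it has expired.
        Only the returned token value should be handed to the frontend."""
        now = self._clock()
        current: Optional[VerificationToken] = self._active.get(client_id)
        if current is not None and not current.is_expired(now):
            self._record("token_reused", client_id)
            return current
        if current is not None:
            self._record("token_expired", client_id)
        self._check_rate_limit(client_id, now)
        api_key, api_secret = self._credentials()
        value = self._issue(api_key, api_secret, client_id)
        token = VerificationToken(value, now, self._ttl)
        self._active[client_id] = token
        self._history[client_id].append(now)
        self._record("token_created", client_id)
        return token
```

Wire `get_or_create_token` behind an authenticated backend endpoint that takes only the session's own user id from the server side, so end users cannot alter the token request data; the `audit` entries are what you would ship to your log pipeline for the monitoring described above.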


Data Protection & Compliance Best Practices

  • Privacy law compliance
    Ensure your integration complies with:

    • GDPR (EU data privacy).
    • CCPA (California Consumer Privacy Act).
    • Other relevant regional data protection regulations.
  • Consent and transparency

    • Display clear consent screens before verification starts.
    • Offer options to access or delete data in compliance with data subject rights.