Security

Signify iD is built with security as a core principle. Learn about our security features and best practices for your integration.

Security Overview

Zero Trust Architecture

Every request is authenticated and authorized, regardless of origin.

Secure Token Handling

Tokens are encrypted at rest and in transit with AES-256.

Session Isolation

Sessions are isolated per device with fingerprinting.

Audit Logging

Complete audit trail of all security-relevant events.

Session Security

Sessions are the foundation of authenticated access. Signify iD implements multiple layers of protection:

Device Fingerprinting

Each session is bound to a device fingerprint. Attempts to use a session from a different device are blocked.

IP Tracking

Session IP addresses are monitored. Unusual location changes trigger security alerts.

Automatic Expiry

Sessions expire after configurable idle and absolute timeouts. Default: 30 min idle, 24 hours absolute.

Remote Revocation

Administrators can revoke any session instantly from the dashboard.
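The four session protections above can be expressed as a small validation routine. The block below is an added example, not Signify iD's implementation: it keeps sessions in an in-memory map, binds each to a device fingerprint, records IP changes as alerts (without a geolocation lookup, every change is reported and the caller decides whether it is "unusual"), applies the page's default 30-minute idle and 24-hour absolute timeouts, and supports remote revocation. Timestamps are passed in explicitly so the rules can be exercised deterministically.

```typescript
// Added example of the session rules described above; not Signify iD's code.
const MINUTE = 60 * 1000;
const HOUR = 60 * MINUTE;

type SessionStatus =
  | 'ok' | 'unknown' | 'revoked' | 'fingerprint_mismatch'
  | 'absolute_expired' | 'idle_expired';

interface SessionRecord {
  userId: string;
  fingerprint: string; // device fingerprint the session is bound to
  lastIp: string;
  createdAt: number;   // ms since epoch
  lastSeenAt: number;  // ms since epoch, refreshed on each valid use
  revoked: boolean;
}

interface SecurityAlert {
  sessionId: string; userId: string; fromIp: string; toIp: string; at: number;
}

class SessionStore {
  private sessions = new Map<string, SessionRecord>();
  readonly alerts: SecurityAlert[] = [];
  private nextId = 1;

  constructor(
    private readonly idleTimeoutMs = 30 * MINUTE,   // page default: 30 min idle
    private readonly absoluteTimeoutMs = 24 * HOUR, // page default: 24 h absolute
  ) {}

  create(userId: string, fingerprint: string, ip: string, now: number): string {
    // A real store uses a cryptographically random id; a counter keeps this
    // example deterministic.
    const id = `sess-${this.nextId++}`;
    this.sessions.set(id, {
      userId, fingerprint, lastIp: ip, createdAt: now, lastSeenAt: now, revoked: false,
    });
    return id;
  }

  /** Remote revocation: the session is refused from the next request on. */
  revoke(sessionId: string): boolean {
    const s = this.sessions.get(sessionId);
    if (!s) return false;
    s.revoked = true;
    return true;
  }

  validate(sessionId: string, fingerprint: string, ip: string, now: number): SessionStatus {
    const s = this.sessions.get(sessionId);
    if (!s) return 'unknown';
    if (s.revoked) return 'revoked';
    // Fingerprint check comes first: a mismatch must not refresh the idle timer.
    if (s.fingerprint !== fingerprint) return 'fingerprint_mismatch';
    if (now - s.createdAt > this.absoluteTimeoutMs) {
      this.sessions.delete(sessionId);
      return 'absolute_expired';
    }
    if (now - s.lastSeenAt > this.idleTimeoutMs) {
      this.sessions.delete(sessionId);
      return 'idle_expired';
    }
    if (ip !== s.lastIp) {
      // Any IP change is recorded; a geolocation lookup would decide whether
      // the change is unusual enough to act on.
      this.alerts.push({ sessionId, userId: s.userId, fromIp: s.lastIp, toIp: ip, at: now });
      s.lastIp = ip;
    }
    s.lastSeenAt = now;
    return 'ok';
  }
}
```

The order of the checks matters: revocation and fingerprint mismatch are reported before either timeout, and a mismatch leaves `lastSeenAt` untouched so that a rejected request cannot keep a session alive.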

Token Handling

Proper token handling is crucial for security. Follow these guidelines:

Never expose secrets

Client Secrets and access tokens should never appear in client-side code, browser network requests, or logs.

Access Token Best Practices

```typescript
// ✅ DO: Store access tokens in memory only
let accessToken: string | null = null;

// ✅ DO: Use short-lived tokens
const TOKEN_EXPIRY = 15 * 60 * 1000; // 15 minutes, in milliseconds

// ✅ DO: Refresh before expiry
// getTokenExpiry() and refreshToken() are your own helpers: the first returns
// the seconds remaining until the token expires, the second obtains a new one.
const refreshBeforeExpiry = async () => {
  const expiresIn = getTokenExpiry(accessToken);
  if (expiresIn < 60) { // Less than 1 minute remaining
    accessToken = await refreshToken();
  }
};

// ❌ DON'T: Store in localStorage (readable by any script running on the page)
localStorage.setItem('accessToken', token); // UNSAFE!

// ❌ DON'T: Include in URLs (ends up in browser history, proxy and server logs)
`/api/data?token=${accessToken}` // UNSAFE!
```

Refresh Token Best Practices

```typescript
// ✅ DO: Store in HTTP-only cookies (Express `res.cookie` shown)
res.cookie('refresh_token', token, {
  httpOnly: true,                  // not readable from JavaScript
  secure: true,                    // only sent over HTTPS
  sameSite: 'strict',              // not sent on cross-site requests
  maxAge: 7 * 24 * 60 * 60 * 1000, // 7 days, in milliseconds
});

// ✅ DO: Rotate on use
// exchangeRefreshToken() is your call to the token endpoint; each exchange
// returns a new refresh token and invalidates the one that was presented.
const newTokens = await exchangeRefreshToken(oldRefreshToken);
// Old refresh token is now invalid

// ❌ DON'T: Store in JavaScript-accessible storage
sessionStorage.setItem('refreshToken', token); // UNSAFE!
```

Multi-Factor Authentication

Signify iD supports TOTP-based multi-factor authentication using authenticator apps like Google Authenticator, Authy, or 1Password.

MFA Flow

  1. User enables MFA in their security settings
  2. Signify iD generates a secret and displays a QR code
  3. User scans the QR code with their authenticator app
  4. User enters the 6-digit code to verify setup
  5. Future logins require the code after the password
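Steps 2 through 5 are the standard HOTP (RFC 4226) and TOTP (RFC 6238) procedure that authenticator apps implement. The block below is an added example covering the server side of that flow, not Signify iD's implementation: generating the secret, base32-encoding it into the `otpauth://` URI that the QR code carries, computing the 6-digit SHA-1 code for a 30-second step, and verifying a submitted code in constant time with a one-step drift window. The issuer name, account label and drift window are assumptions; the secret `12345678901234567890` is the published RFC 4226 test vector, included so the results can be checked against the RFC.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from 'crypto';

// Added example of TOTP enrolment and verification; not Signify iD's code.
const BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

// Published RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
const RFC4226_TEST_SECRET = Buffer.from('12345678901234567890', 'ascii');

// Step 2: a fresh 160-bit secret per enrolment.
function generateSecret(): Buffer {
  return randomBytes(20);
}

// Authenticator apps expect the secret base32-encoded (RFC 4648, no padding).
function base32Encode(bytes: Buffer): string {
  let bits = 0, acc = 0, out = '';
  for (const b of bytes) {
    acc = ((acc << 8) | b) & 0xffff; // at most 12 meaningful bits are pending
    bits += 8;
    while (bits >= 5) {
      out += BASE32_ALPHABET[(acc >>> (bits - 5)) & 31];
      bits -= 5;
    }
  }
  if (bits > 0) out += BASE32_ALPHABET[(acc << (5 - bits)) & 31];
  return out;
}

// Step 2: the URI encoded in the QR code. Issuer and account are assumed labels.
function provisioningUri(issuer: string, account: string, secret: Buffer): string {
  const label = encodeURIComponent(`${issuer}:${account}`);
  return `otpauth://totp/${label}?secret=${base32Encode(secret)}` +
    `&issuer=${encodeURIComponent(issuer)}&algorithm=SHA1&digits=6&period=30`;
}

// RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
function hotp(secret: Buffer, counter: number, digits = 6): string {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = createHmac('sha1', secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const binary =
    ((mac[offset] & 0x7f) << 24) | (mac[offset + 1] << 16) |
    (mac[offset + 2] << 8) | mac[offset + 3];
  return String(binary % 10 ** digits).padStart(digits, '0');
}

// RFC 6238 TOTP: the counter is the number of 30-second steps since the epoch.
function totp(secret: Buffer, unixSeconds: number, step = 30, digits = 6): string {
  return hotp(secret, Math.floor(unixSeconds / step), digits);
}

// Steps 4 and 5: accept the current step and one step either side to absorb
// clock drift (assumed window), comparing in constant time.
function verifyTotp(secret: Buffer, submitted: string, unixSeconds: number, window = 1): boolean {
  if (!/^\d{6}$/.test(submitted)) return false;
  const counter = Math.floor(unixSeconds / 30);
  let matched = false;
  for (let i = -window; i <= window; i++) {
    const expected = Buffer.from(hotp(secret, counter + i));
    if (timingSafeEqual(expected, Buffer.from(submitted))) matched = true;
  }
  return matched;
}
```

A production verifier also remembers the last step at which a user's code was accepted and refuses a second code for that step, so that a code observed once cannot be replayed within the same 30 seconds.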

Encourage MFA adoption

Consider requiring MFA for users with elevated permissions or access to sensitive data.

Integration Security Checklist

Use this checklist to ensure your integration is secure:

Client Secret is stored in environment variables, not code
HTTPS is used for all API communication
OAuth state parameter is validated on callback
Access tokens are stored in memory, not localStorage
Refresh tokens are stored in HTTP-only cookies
Token refresh happens before expiry
Session timeouts are configured appropriately
MFA is available or required for sensitive operations
Audit logs are monitored for suspicious activity
CORS is configured to allow only trusted origins
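Most items in the checklist are covered by the code earlier on this page; the one that is not is validating the OAuth `state` parameter on the callback. The block below is an added example of that check, not Signify iD's code: the state is random, bound to the browser session that started the login, single-use and short-lived. The 10-minute lifetime and the in-memory map are assumptions for the example.

```typescript
import { randomBytes } from 'crypto';

// Added example of OAuth state handling; not Signify iD's code.
interface PendingAuth {
  sessionId: string; // browser session that started the authorization request
  expiresAt: number; // ms since epoch
}

class OAuthStateStore {
  private pending = new Map<string, PendingAuth>();

  // Assumed lifetime: a login that takes longer than 10 minutes starts over.
  constructor(private readonly ttlMs = 10 * 60 * 1000) {}

  /** Before redirecting to the authorization endpoint: mint a state for this session. */
  begin(sessionId: string, now: number): string {
    const state = randomBytes(32).toString('hex'); // 256 bits, not guessable
    this.pending.set(state, { sessionId, expiresAt: now + this.ttlMs });
    return state;
  }

  /**
   * On the callback: accept only a state we issued, for the same browser
   * session, before it expired, and only once. Any outcome consumes the entry,
   * so a state cannot be retried.
   */
  complete(sessionId: string, received: string, now: number): boolean {
    const auth = this.pending.get(received);
    if (!auth) return false;
    this.pending.delete(received); // single use
    return auth.sessionId === sessionId && now <= auth.expiresAt;
  }
}
```

Binding the state to the session is what makes the check meaningful: a callback carrying a state that was issued to a different browser is rejected even though the state itself is genuine.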

Security Reporting

Found a vulnerability?

If you discover a security vulnerability in Signify iD, please report it responsibly to security@signifyid.com. We appreciate your help in keeping our platform secure.