What is Identity Verification?
Penny-Merelle avatar
Written by Penny-Merelle
Updated over a week ago

Identity Verification ensures conversations between you and your users are kept private, and that a bad actor can't impersonate your users. If you have a Messenger integration with logged in users, we strongly recommend you use Identity Verification.

Do I need Identity Verification?

In short, if you have a logged-in Messenger integration, you should set up and enforce Identity Verification.

If you only use Intercom for website visitors who don’t login, you don’t need Identity Verification. It only applies to users, for whom you have identifiers like email address or user_id.

For more information please see: How do visitors, leads and users work in Intercom?

What is a user impersonation attack?

On workspaces without Identity Verification it’s possible for a bad actor to impersonate a user. This means a bad actor could see a user’s historical conversations, appear to your teammates as that user and deceive them into taking actions on that user’s account.

For example, without Identity Verification, someone can interact with your Intercom Messenger and spoof the identity of another user, by providing a known identifier like their email address or user_id. This allows an attacker to pose as a real user to your teammates, giving access to previous conversations and potentially sensitive data.

How does Identity Verification protect my workspace?

With Identity Verification, you generate a unique user hash for each of your users based on their email address or user_id and your workspaces’s identity verification secret (available from your Intercom security settings). Your integration will generate and send these hashes along with every Messenger request allowing us to trust that the user request truly came from you.

Here’s how your web Messenger requests are protected from impersonation when you properly enable Identity Verification for your workspace.

Identity Verification prevents cross-user impersonation on your workspace because without access to your secret, a third party attempting to spoof a user's identifier to Intercom will be unable to send Intercom a valid user hash for that user.

Once Identity Verification is enforced, the Intercom Messenger will not load or accept requests for your logged-in users without a valid user hash.

Does Identity Verification affect the user experience?

With Identity Verification correctly set up, there is no impact to your customers. Users and Leads will experience the Messenger as normal. There is no extra action required from them to authenticate themselves or use the Messenger.

What’s the difference between Leads and Users?

Intercom makes a clear distinction between:

  • Visitors - unknown customers to your site who aren’t logged in and don’t have a conversation history with you,

  • Leads - customers who start a conversation with you or reply to a message. They are identified by names like “Charcoal Umbrella from Paris” and receive an Intercom cookie to remember their conversation history,

  • Users - customers who sign up to your product and log into an existing account. You usually identify these by email address or user ID

For more information please see: How do visitors, leads and users work in Intercom?

Do I need to set up Identity Verification for visitors?

When Intercom is installed for website visitors who don’t login, you don’t need Identity Verification. It only applies to users, for whom you have identifiers like email address or user_id.

In other words, when you enable identity verification for your workspace, Intercom will only expect a user_hash when the Messenger is loaded for a user. However, when the Messenger is loaded for a logged-out visitor/lead, a user_hash is not required.

Why don’t you have one secret for all platforms?

We made a unique secret for each platform so it would be easier to rotate each one or enable Identity Verification on each platform independently.

How do I generate a unique hash per platform when I use the same backend for all users?

You shouldn’t generate the hash and store it in your database. You should instead generate it and dynamically send it when identifying the user to Intercom. This will mean that when you change secrets or the user is using a different platform, you’ll have the correct hash being sent.

If you store the hash and send it, you’d have to do a mass regeneration upon any changes to your secret which would create friction for you.

If you installed Intercom with the rails gem, you don't need to generate a hash on your server and pass it back into us along with the user data. The gem handles the generation of the hash as long as the steps regarding the secret are followed as outlined in the UI.

Does Identity Verification protect both user_id and email address values?

No, Identity Verification requires you to create a unique hash using the secret and either the user’s user_id or email address. If you send user_ids with your Messenger requests, you have to create the hash using this identifier. If you don’t send user_ids, you generate it with the email address field.

What are all the domains under 'Active Integrations with logged-in Users'? I don’t recognize them.

These are the domains from which we have received a User request with your workspace ID. It may include extra domains if you installed Intercom on other domains for testing. If it contains domains you don’t recognize, we recommend adding a Trusted Domains List.

It’s not possible to remove domains from this list at present but if you can see a domain here, it means we received a ping from it at some point so it’s good to make sure you have correctly set up your integration there so you don’t break the Messenger for some of your users.

Find out how to set up and enable Identity Verification for web and mobile.


Need more help? Get support from our Community Forum
Find answers and get help from Intercom Support and Community Experts

Did this answer your question?