Best Practices for Using Our HMAC
Sometimes you need to have a detailed conversation with a customer, and to do that, you’d like an added security feature to ensure your customer is who they say they are. Our HMAC should be used within your existing security measures to match a visitor’s hash. As you read the article, decide if HMAC is right for you. You may also ask questions directly at firstname.lastname@example.org.
In this article:
- Commonly Asked HMAC Questions
- Implementing Our HMAC
Do I need to use HMAC?
Not all customers need to use Acquire’s HMAC. If you’re using the platform to converse with visitors, processing payments through one of our integrations (such as Shopify), or conducting cobrowsing, audio, and video calls, you shouldn’t need HMAC.
HMAC will also not be useful if your website does not have login functionality, or if visitors do not need to log in to use most of your site.
What added benefit does HMAC provide?
Let’s say you have an authorized and unauthorized version of your website. You only want to share important details about users logged in to an authenticated portion of your site. But how do you know that a user is logged in to your authorized site when you converse with them over Acquire?
With Acquire’s HMAC, you create a SHA-256 cryptographic hash for a given secret key and input. Acquire will match the input and the hash to confirm that the user is indeed verified, giving you one more layer of assurance. Please note that HMAC does not provide end to end security; HMAC should be a piece of your security implementation in addition to other protocols.
How do I set HMAC up on my site?
Reach out to your account team or email@example.com to discuss how to use HMAC verification in your system. You will need access to your server-side (backend application) and client-side (frontend application) code to implement this.
How do I find my HMAC secret key?
We provide the key in Settings > Installation & Setup > User Authentication. This key should not be exposed (such as through a screenshot).
What happens when a visitor is HMAC verified?
When a visitor logs into your site, we match their ID to verify they are who they say they are in Acquire. Once this process is complete, you’ll see a checkmark next to their profile.
A green checkmark will appear next to a visitor’s name in their profile and chats to show that they’re HMAC verified.
Which hash function does Acquire’s HMAC use?
Acquire uses industry standard SHA-256.
May I change the visitor’s email after they’ve been verified?
Yes, but after the push, that visitor will no longer be listed as verified. To verify them, you will need to redo the verification process.
Implementing our HMAC
There are many ways to implement HMAC verification with Acquire. This section provides a high-level overview of how Acquire’s HMAC works and how to integrate it with your website.
Generating the HMAC Value in Backend Application
In your backend application, you’ll want to generate an HMAC value using the SHA-256 hash function and your Acquire HMAC secret key on a visitor’s email address.
After a visitor logs in to your website, their email address should be passed to Acquire. There should be a communication channel between your backend app and frontend app which sends your visitor’s email address. If the email address is not captured in Acquire’s visitor profile section, you will not be able to complete the verification process.
Note: This is pseudo-code. You will need to create a function using the inputs below. These inputs should not be exposed.
// hash function
// user's email
// secret key (keep safe!)
Once the visitor is logged in, their information will go through the hashing process.
Implement this snippet in your frontend application.
The visitor will now be verified in Acquire.
Reach out to firstname.lastname@example.org for further HMAC questions.