Security

Digital ID implements multiple layers of security to protect your organisation's data and employee identities.

Security Features

Cryptographically Secure Tokens

All QR and NFC tokens are 64-character hex strings generated with a cryptographically secure random number generator. Tokens are unique and cannot be predicted or guessed.

Time-Limited Access

QR and NFC tokens expire after 5 minutes, preventing replay attacks. Even if a token is intercepted, it becomes useless after expiration. Cards also have expiration dates set by administrators.

Immediate Revocation

ID cards can be revoked instantly by administrators if compromised, lost, or when an employee leaves. Revoked cards cannot be verified, even with valid tokens.

Multi-Layer Validation

Every verification goes through multiple checks:

  • Token validity
  • Expiration status
  • Card revocation status
  • Employee active status
  • Organisation membership
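
The checks listed above, together with the 64-character token and 5-minute expiry described earlier, sketched in PHP (the language of the htmlspecialchars() call this page mentions). This is an added example, not Digital ID's own code: the function names, record fields and reason strings are assumptions, and organisation membership is assumed to mean that the card and the employee belong to the same organisation.

```php
<?php
const TOKEN_TTL_SECONDS = 300; // 5-minute token lifetime stated on this page

// 32 bytes from the OS CSPRNG, hex-encoded to 64 characters.
function issueToken(): string { return bin2hex(random_bytes(32)); }

// Hypothetical verifier: returns [ok, reason]; the reason is what an audit log would record.
function verifyToken(string $presented, array $tokens, array $cards, array $employees, int $now): array
{
    // 1. Token validity: reject malformed input before any lookup.
    if (preg_match('/\A[0-9a-f]{64}\z/', $presented) !== 1 || !isset($tokens[$presented])) {
        return [false, 'invalid_token'];
    }
    // 2. Expiration status: the token lifetime first, then the card's own expiry date.
    $token = $tokens[$presented];
    if ($now >= $token['issued_at'] + TOKEN_TTL_SECONDS) {
        return [false, 'token_expired'];
    }
    $card = $cards[$token['card_id']] ?? null;
    if ($card === null || $now >= $card['expires_at']) {
        return [false, 'card_missing_or_expired'];
    }
    // 3. Card revocation status: a revoked card fails even with a live token.
    if ($card['revoked']) {
        return [false, 'card_revoked'];
    }
    // 4. Employee active status.
    $employee = $employees[$card['employee_id']] ?? null;
    if ($employee === null || !$employee['active']) {
        return [false, 'employee_not_active'];
    }
    // 5. Organisation membership (assumed: card and employee share an organisation).
    if ($employee['org_id'] !== $card['org_id']) {
        return [false, 'organisation_mismatch'];
    }
    return [true, 'ok'];
}

// Constructed sample records (not real data).
$now = 1700000000;
[$fresh, $stale] = [issueToken(), issueToken()];
$tokens = [$fresh => ['card_id' => 1, 'issued_at' => $now - 60], $stale => ['card_id' => 1, 'issued_at' => $now - 301]];
$cards = [1 => ['employee_id' => 7, 'org_id' => 3, 'revoked' => false, 'expires_at' => $now + 86400]];
$employees = [7 => ['org_id' => 3, 'active' => true]];
foreach (['fresh' => $fresh, 'stale' => $stale, 'malformed' => 'abc'] as $label => $t) {
    echo $label, ': ', json_encode(verifyToken($t, $tokens, $cards, $employees, $now)), "\n";
}
$cards[1]['revoked'] = true; // revocation overrides a still-valid token
echo 'revoked: ', json_encode(verifyToken($fresh, $tokens, $cards, $employees, $now)), "\n";
```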

Complete Audit Trail

Every verification attempt is logged with full details including timestamp, verification method, result, and failure reason. Perfect for compliance and security audits.

Strong Password Requirements

User accounts require passwords with a minimum of 8 characters, including uppercase, lowercase, numbers, and special characters. Passwords are hashed using industry-standard algorithms.

Role-Based Access Control

Access is controlled at multiple levels through Superadmin, Organisation Admin, and Staff roles. Each organisation's data is completely isolated from others.

SQL Injection Prevention

All database queries use prepared statements, preventing SQL injection attacks. User input is always validated and sanitised before processing.

XSS Protection

All user-generated content is escaped using htmlspecialchars() to prevent cross-site scripting (XSS) attacks.

CSRF Protection

All forms are protected against Cross-Site Request Forgery (CSRF) attacks using secure tokens that are validated on every submission.

Email Verification

Users must verify their email address before their account is activated, preventing unauthorised account creation and ensuring valid contact information.

Multi-Tenant Isolation

Each organisation's data is completely isolated. Users can only access data from their own organisation, enforced at the database and application level.

Security Best Practices

For Administrators

  • Revoke ID cards immediately when employees leave
  • Regularly review verification logs
  • Monitor for suspicious activity
  • Keep administrator accounts secure
  • Use strong, unique passwords

For Users

  • Use strong, unique passwords
  • Never share your login credentials
  • Report suspicious activity immediately
  • Keep your device secure
  • Log out when finished

Data Privacy

Digital ID is designed with privacy in mind:

  • Only necessary information is displayed during verification
  • Personal contact details are not shown on public verification
  • Organisation data is completely isolated
  • Audit logs are accessible only to administrators

Compliance

Digital ID helps organisations meet compliance requirements:

  • Complete audit trails for all verification attempts
  • Secure data storage and transmission
  • Access control and user management
  • Data portability (export functionality)