Security & How It Works

Understanding the security features and verification methods that protect your digital identity. Learn how our multi-layered approach ensures your organisation's data remains secure.


How Digital ID Works

A simple five-step process from employee profile creation to secure verification

1. Employee Profile Creation

Organisation administrators create employee profiles with unique employee reference numbers. Each employee is linked to their user account and organisation.

2. Digital ID Card Generation

When an employee views their ID card, the system automatically generates secure, time-limited tokens for QR code and NFC verification. Each card has an expiration date.

3. Verification Methods

Identity can be verified through three methods: Visual (photo and details), QR Code (scan for online verification), or NFC (tap for contactless verification).

4. Secure Token Validation

When a QR code or NFC tag is scanned, the system validates the token, checks expiration, verifies the card is active, and confirms the employee status before displaying verification results.

5. Audit Trail Recording

Every verification attempt is logged with timestamp, method, result, and reason (if failed). This creates a complete audit trail for compliance and security monitoring.

Verification Methods

Three ways to verify employee identity, each suited to different scenarios

Visual Verification

How it works: Display the digital ID card and compare the photo and employee details with the person presenting it.

Use case: Quick identity checks, face-to-face verification, service user verification.

Security level: Basic - relies on visual comparison and photo matching.

QR Code Verification

How it works: Scan the QR code on the ID card using any QR scanner or the verification page. The system validates the token and displays verification results.

Use case: Online verification, remote checks, automated systems, service providers.

Security level: High - time-limited token (5 minutes), cryptographically secure, logged.

NFC Verification

How it works: Enable NFC on the device, then tap to write the verification token to an NFC tag, or present the card to an NFC-enabled verification system.

Use case: Contactless verification, door access systems, automated checkpoints.

Security level: High - time-limited token (5 minutes), contactless, logged.

Core Security Features

Multi-layered security measures that protect your organisation's data and employee identities

Cryptographic Security

All QR and NFC tokens are generated with a cryptographically secure random number generator and encoded as 64-character hex strings (32 random bytes, 256 bits of entropy). Tokens are unpredictable, so someone who intercepts one cannot derive the next or generate their own. The limit of this property is worth stating: an intercepted token is itself valid until it expires or the card is revoked, which is why the expiry window and logging below matter.

Time-Limited Access

QR and NFC tokens expire 5 minutes after they are generated, so an intercepted token is useful only within that window. Expiry bounds replay rather than eliminating it; only rejecting a token on its second presentation would do that. Cards also carry an expiration date set by administrators, after which they fail verification regardless of token state.

Immediate Revocation

ID cards can be revoked instantly by administrators if compromised, lost, or when an employee leaves. Revoked cards cannot be verified, even with valid tokens, ensuring immediate security control.


Multi-Layer Validation

Every verification goes through multiple checks before approval:

  • Token validity and format verification
  • Expiration status check
  • Card revocation status
  • Employee active status
  • Organisation membership verification

Complete Audit Trail

Every verification attempt is logged with full details including timestamp, verification method, result, IP address, and failure reason. Perfect for compliance and security audits.
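The following is an added example, not the product's own code, that implements the lifecycle described in steps 2, 4 and 5 above and in the Cryptographic Security, Time-Limited Access, Multi-Layer Validation and Complete Audit Trail sections. It is written in PHP because the page's XSS section names htmlspecialchars(). The schema, table and column names, and the sample employee are assumptions made for the example. One addition goes beyond what the page states: a token is marked as used on its first successful verification, so a replayed token is rejected rather than merely time-limited.

```php
<?php
declare(strict_types=1);
// Added example, not the product's code. Schema and names are hypothetical.

const TOKEN_TTL_SECONDS = 300;                  // the 5-minute window the page describes
const TOKEN_PATTERN     = '/\A[0-9a-f]{64}\z/'; // 32 random bytes, hex encoded

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE employees (id INTEGER PRIMARY KEY, org_id INTEGER, ref TEXT, active INTEGER)');
    $db->exec('CREATE TABLE cards (id INTEGER PRIMARY KEY, employee_id INTEGER, revoked INTEGER, expires_at INTEGER)');
    $db->exec('CREATE TABLE tokens (token TEXT PRIMARY KEY, card_id INTEGER, method TEXT, expires_at INTEGER, used_at INTEGER)');
    $db->exec('CREATE TABLE verification_log (id INTEGER PRIMARY KEY AUTOINCREMENT, at INTEGER, method TEXT, result TEXT, reason TEXT, ip TEXT)');
    return $db;
}

// Step 2: issue a token when the card is viewed. random_bytes() is the CSPRNG;
// bin2hex() of 32 bytes gives the 64-character hex string the page describes.
function issueToken(PDO $db, int $cardId, string $method, int $now): string
{
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO tokens (token, card_id, method, expires_at, used_at) VALUES (?, ?, ?, ?, NULL)');
    $stmt->execute([$token, $cardId, $method, $now + TOKEN_TTL_SECONDS]);
    return $token;
}

function logAttempt(PDO $db, int $at, string $method, string $result, ?string $reason, string $ip): void
{
    $db->prepare('INSERT INTO verification_log (at, method, result, reason, ip) VALUES (?, ?, ?, ?, ?)')
       ->execute([$at, $method, $result, $reason, $ip]);
}

// Step 4: the layered checks, in order. Every failure is logged with its reason
// (step 5). The organisation filter is applied here rather than trusted from the
// token, so a token issued in one tenant cannot verify in another.
function verifyToken(PDO $db, string $token, int $orgId, string $method, string $ip, int $now): array
{
    $fail = function (string $reason) use ($db, $method, $ip, $now): array {
        logAttempt($db, $now, $method, 'failed', $reason, $ip);
        return ['ok' => false, 'reason' => $reason];
    };

    if (!preg_match(TOKEN_PATTERN, $token)) {
        return $fail('malformed_token');   // reject before touching the database
    }

    $stmt = $db->prepare(
        'SELECT t.expires_at, t.used_at, c.revoked, c.expires_at AS card_expires_at,
                e.active, e.org_id, e.ref
           FROM tokens t
           JOIN cards c ON c.id = t.card_id
           JOIN employees e ON e.id = c.employee_id
          WHERE t.token = ?'
    );
    $stmt->execute([$token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false)                        return $fail('unknown_token');
    if ($row['used_at'] !== null)              return $fail('token_already_used');
    if ($now >= (int) $row['expires_at'])      return $fail('token_expired');
    if ((int) $row['revoked'] === 1)           return $fail('card_revoked');
    if ($now >= (int) $row['card_expires_at']) return $fail('card_expired');
    if ((int) $row['active'] !== 1)            return $fail('employee_inactive');
    if ((int) $row['org_id'] !== $orgId)       return $fail('wrong_organisation');

    // Consume the token so a second presentation (a replay) fails the used_at check.
    $db->prepare('UPDATE tokens SET used_at = ? WHERE token = ?')->execute([$now, $token]);
    logAttempt($db, $now, $method, 'success', null, $ip);
    return ['ok' => true, 'employee_ref' => $row['ref']];
}

// Constructed sample data: one active employee in organisation 7 with a live card.
$db = openDb();
$db->exec("INSERT INTO employees VALUES (1, 7, 'EMP-0001', 1)");
$db->exec('INSERT INTO cards VALUES (10, 1, 0, 4102444800)');
$t0 = 1_700_000_000;

$qr = issueToken($db, 10, 'qr', $t0);
var_dump(verifyToken($db, $qr, 7, 'qr', '203.0.113.5', $t0 + 30));   // first presentation
var_dump(verifyToken($db, $qr, 7, 'qr', '203.0.113.5', $t0 + 40));   // replay of the same token
var_dump(verifyToken($db, $qr, 8, 'qr', '203.0.113.5', $t0 + 40));   // presented to another organisation

$nfc = issueToken($db, 10, 'nfc', $t0);
var_dump(verifyToken($db, $nfc, 7, 'nfc', '203.0.113.5', $t0 + 301)); // one second past the window

$db->exec('UPDATE cards SET revoked = 1 WHERE id = 10');
var_dump(verifyToken($db, issueToken($db, 10, 'qr', $t0), 7, 'qr', '203.0.113.5', $t0 + 10)); // revoked card

print_r($db->query('SELECT at, method, result, reason FROM verification_log')->fetchAll(PDO::FETCH_ASSOC));
```

Run from the command line with the pdo_sqlite extension enabled. The first QR presentation succeeds; the second is rejected as token_already_used, the cross-organisation attempt as token_already_used as well (the used check runs before the organisation check, and the token was consumed), the NFC token one second after its window as token_expired, and the token issued after revocation as card_revoked. The log dump at the end shows that each of those outcomes, with its reason, has been recorded, which is the material an administrator filters when reviewing verification logs.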

Role-Based Access Control

Multi-level access control with Superadmin, Organisation Admin, and Staff roles. Each organisation's data is completely isolated from others, enforced at both database and application levels.

Application Security

Industry-standard security practices protect against common threats

Strong Password Requirements

User accounts require passwords of at least 8 characters containing uppercase, lowercase, numeric and special characters. Passwords are never stored in plain text: only a hash produced by an industry-standard password-hashing algorithm is kept.
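An added example, not the product's code, of the complexity rule stated above followed by storage with PHP's built-in password_hash(), which salts each hash automatically and uses a deliberately slow algorithm (bcrypt under PASSWORD_DEFAULT). The function names are assumptions of the example.

```php
<?php
declare(strict_types=1);
// Added example, not the product's code.

// The policy from the page: 8+ characters with upper, lower, digit and special.
// Returns the list of unmet requirements; an empty array means the policy is met.
function passwordMeetsPolicy(string $password): array
{
    $problems = [];
    if (strlen($password) < 8)                    $problems[] = 'shorter than 8 characters';
    if (!preg_match('/[A-Z]/', $password))        $problems[] = 'no uppercase letter';
    if (!preg_match('/[a-z]/', $password))        $problems[] = 'no lowercase letter';
    if (!preg_match('/[0-9]/', $password))        $problems[] = 'no digit';
    if (!preg_match('/[^A-Za-z0-9]/', $password)) $problems[] = 'no special character';
    return $problems;
}

// Store only the hash. The returned string embeds the algorithm identifier, cost
// and salt, so password_verify() needs no extra columns.
function storeableHash(string $password): string
{
    $problems = passwordMeetsPolicy($password);
    if ($problems !== []) {
        throw new InvalidArgumentException('Weak password: ' . implode(', ', $problems));
    }
    return password_hash($password, PASSWORD_DEFAULT);
}

// Login check. password_verify() does the comparison for you; password_needs_rehash()
// reports when the stored hash was made with a weaker cost or older algorithm than
// the current default, so it can be upgraded transparently at the next login.
function checkLogin(string $submitted, string $storedHash, ?string &$upgradedHash = null): bool
{
    if (!password_verify($submitted, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $upgradedHash = password_hash($submitted, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample inputs.
$hash = storeableHash('Tr0ub4dor&3');
echo $hash, "\n";                              // note the "$2y$10$" prefix: bcrypt, cost 10
var_dump(checkLogin('Tr0ub4dor&3', $hash));    // correct password
var_dump(checkLogin('tr0ub4dor&3', $hash));    // one character differs
print_r(passwordMeetsPolicy('password'));      // fails three of the five rules
```

Hash the password once at registration and never log or echo the plain-text value; the printed hash is shown here only to make the embedded algorithm and cost visible.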

SQL Injection Prevention

All database queries use prepared statements with bound parameters, so user input is never interpolated into SQL text and cannot change a query's structure. User input is additionally validated and sanitised before processing.
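An added example, not the product's code, showing the same employee lookup written with string interpolation and with a PDO prepared statement. The in-memory SQLite table, the function names and the attacker input are constructed for the example.

```php
<?php
declare(strict_types=1);
// Added example, not the product's code.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE employees (id INTEGER PRIMARY KEY, org_id INTEGER, ref TEXT)');
$db->exec("INSERT INTO employees VALUES (1, 7, 'EMP-0001'), (2, 7, 'EMP-0002'), (3, 8, 'EMP-0003')");

// Vulnerable (shown for contrast): the reference number is pasted into the SQL text,
// so whoever controls $ref controls the query.
function findEmployeeVulnerable(PDO $db, int $orgId, string $ref): array
{
    $sql = "SELECT id, org_id, ref FROM employees WHERE org_id = $orgId AND ref = '$ref'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the SQL text is fixed at prepare time; values travel separately as
// bound parameters and are never parsed as SQL. The org_id condition stays in the
// query, which is what "isolation enforced at the database level" looks like.
function findEmployee(PDO $db, int $orgId, string $ref): array
{
    $stmt = $db->prepare('SELECT id, org_id, ref FROM employees WHERE org_id = :org AND ref = :ref');
    $stmt->bindValue(':org', $orgId, PDO::PARAM_INT);
    $stmt->bindValue(':ref', $ref, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: closes the string literal and appends OR '1'='1',
// which defeats both the reference match and the organisation filter.
$attack = "' OR '1'='1";

printf("vulnerable, attacker input:  %d rows\n", count(findEmployeeVulnerable($db, 7, $attack)));
printf("prepared, attacker input:    %d rows\n", count(findEmployee($db, 7, $attack)));
printf("prepared, legitimate ref:    %d rows\n", count(findEmployee($db, 7, 'EMP-0001')));
```

With the attacker input, the vulnerable version returns all three rows, including the employee from organisation 8, because the interpolated WHERE clause became `org_id = 7 AND ref = '' OR '1'='1'`. The prepared version returns no rows for the same input (no employee has that literal reference number) and exactly one row for the real reference.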

XSS Protection

All user-generated content is escaped using htmlspecialchars() before it is rendered, preventing cross-site scripting (XSS). This holds only when the escaped value is placed in HTML body text or a quoted attribute and quotes are included in the escaping; htmlspecialchars() does not make data safe inside JavaScript or URLs, which need their own context-specific encoding.
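An added example, not the product's code, of how the escaping flags and the output context decide whether htmlspecialchars() actually stops a payload. The e() helper and the employee-name payloads are constructed for the example.

```php
<?php
declare(strict_types=1);
// Added example, not the product's code. e() is a hypothetical helper.

function e(string $value): string
{
    // ENT_QUOTES: escape both ' and " so the value is safe inside quoted attributes.
    // ENT_SUBSTITUTE: replace invalid UTF-8 rather than returning '' (which would
    // silently blank the field). Pass the charset explicitly instead of relying on
    // default_charset.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed attacker-supplied employee name.
$name = '<img src=x onerror=alert(document.cookie)>';

// HTML body context: the markup is rendered as literal text.
echo '<p class="employee-name">' . e($name) . "</p>\n";

// Double-quoted attribute: the payload tries to close the attribute and add a handler.
$title = '" autofocus onfocus="alert(1)';
echo '<input value="' . e($title) . "\">\n";

// Single-quoted attribute. ENT_COMPAT (the default before PHP 8.1) leaves the single
// quote alone, so the payload escapes the attribute; ENT_QUOTES closes that gap.
$single = "' onmouseover='alert(1)";
echo "<a title='" . htmlspecialchars($single, ENT_COMPAT, 'UTF-8') . "'>escapes the attribute</a>\n";
echo "<a title='" . e($single) . "'>stays inside the attribute</a>\n";

// Not an HTML context: data for a script block needs JSON encoding with the HTML-safe
// flags, so a </script> in the value cannot terminate the block.
$forScript = json_encode(['name' => $name],
    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
echo '<script>var employee = ' . $forScript . ";</script>\n";
```

Compare the two anchor lines in the output: the ENT_COMPAT version contains a literal `'` that ends the title attribute and leaves `onmouseover` as a live handler, while the ENT_QUOTES version renders `&#039;`. An unquoted attribute (`<a title=...>`) is not protected by either flag, so always quote attributes that carry user data.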

CSRF Protection

All forms are protected against Cross-Site Request Forgery (CSRF) attacks using secure tokens that are validated on every submission.
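An added example, not the product's code, of a per-session CSRF token issued into a form and checked on submission. The session is simulated with an array so the example runs from the command line; the function names and sample POST bodies are constructed for the example.

```php
<?php
declare(strict_types=1);
// Added example, not the product's code. $session stands in for $_SESSION.

function csrfToken(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // same CSPRNG as the ID tokens
    }
    return $session['csrf_token'];
}

// Emit the hidden field for a form. The token is escaped like any other attribute value.
function csrfField(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Validate on every state-changing submission. hash_equals() compares in constant
// time so the token cannot be recovered byte by byte from response timing; a missing
// or non-string field fails closed.
function csrfValid(array $session, array $post): bool
{
    $expected  = $session['csrf_token'] ?? null;
    $submitted = $post['csrf_token'] ?? null;
    if (!is_string($expected) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

$session = [];
echo csrfField($session), "\n";

// Constructed submissions for a "revoke card" action.
$legitPost  = ['card_id' => '10', 'action' => 'revoke', 'csrf_token' => $session['csrf_token']];
$forgedPost = ['card_id' => '10', 'action' => 'revoke'];                                 // cross-site form, no token
$guessPost  = ['card_id' => '10', 'action' => 'revoke', 'csrf_token' => str_repeat('a', 64)]; // wrong token

var_dump(csrfValid($session, $legitPost));
var_dump(csrfValid($session, $forgedPost));
var_dump(csrfValid($session, $guessPost));
```

Only the first submission validates. A page from another origin cannot read the victim's session token, so it can neither include it nor guess it; this is the property the check relies on, and it is why the token must not be placed anywhere a cross-origin page can read it, such as a URL or a non-HttpOnly cookie readable by injected script.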

Email Verification

Users must verify their email address before their account is activated, preventing unauthorised account creation and ensuring valid contact information.

Multi-Tenant Isolation

Each organisation's data is completely isolated. Users can only access data from their own organisation, enforced at the database and application level.

How We Compare

Understanding the difference between consumer and enterprise digital ID systems

Enterprise vs. Consumer Digital ID Systems

Our Digital ID system is designed specifically for organisational employee verification, which has different security requirements than consumer identity systems (like government-issued digital IDs).

Feature          | Consumer Digital ID                                        | Our Enterprise System
Storage          | Local device (user's phone)                                | Organisation's secure database
Access Control   | Device-level security (user's phone may have biometrics)   | Strong password + role-based access control
Audit Trail      | No (privacy-focused)                                       | Yes (compliance requirement)
Token Expiry     | Not applicable                                             | 5 minutes (limits the replay window)
Verification     | User presents ID                                           | Third party verifies employee
Management       | User controls                                              | Organisation administrators
Use Case         | Personal identity (like a driver's licence)                | Employee verification (like a company ID badge)

Why the difference?

Consumer digital ID systems prioritise user privacy and control, while enterprise systems prioritise organisational control, compliance, and auditability. Our approach aligns with industry-standard employee verification systems used by organisations worldwide.

Security Best Practices

Recommendations for maintaining security in your organisation

Regular Token Refresh

QR and NFC tokens automatically refresh every 5 minutes, so a token that has been intercepted stops working once its window closes. A token captured within the window can still be presented until it expires, so treat expiry as bounding replay rather than eliminating it, and review verification logs for presentations from unexpected locations or at unexpected times.

Immediate Revocation

Revoke ID cards immediately when employees leave or if cards are compromised. Revocation takes effect instantly, preventing any further verification attempts.

Monitor Audit Logs

Regularly review verification logs to identify suspicious activity or unauthorised access attempts. The admin interface provides filtering and export capabilities for easy analysis.


Strong Passwords

Ensure all users have strong, unique passwords. The system enforces password complexity requirements, but administrators should encourage good password practices.

Regular Updates

Keep the system updated with the latest security patches and improvements. Regular updates ensure you benefit from the latest security enhancements.

Access Control

Limit administrative access to trusted personnel only. Use role-based access control effectively to ensure users only have access to the features they need.

Questions About Security?

If you have questions about our security features or need assistance with security configuration, please contact your organisation administrator or reach out to our support team.
