Account Profile

A user may visit his or her account profile to perform the following actions:

  • Change his or her email address or change his or her username to an email address
  • Change his or her password
  • Add or modify his or her first name, last name, or middle initial
  • Choose a new security question and answer it
  • Deactivate his or her account
  • Enable or disable two-factor authentication on his or her account

Your application must link to a user's NYC.ID profile. The link should be included in the application header.

! IMPORTANT: If a user authenticates via a social media provider, and does not have a linked NYC.gov account, the user will only have access to the Password and Name tabs.
NOTE: In some instances, a user may be required to have a name—first, last, etc. In this event, when configuring user access, your application may direct the user to the Name tab. This works similarly to the Email Validation process when a user has an un-validated email address. Search can be used to get the user's current name.

Integrating Account Profile

Your application should send the user to this relative URL to update his or her account profile:

GET /account/user/profile.htm

For additional functionality, you can include the following optional parameters.

Parameter Name Parameter Description
tab Controls which tab is active. Possible values are email, name, password, questions, or deactivate.
returnOnSave When "returnOnSave" is true, clicking the Save Changes button on the Password or Name tabs will save the user's password or name, respectively, and return the user to your application without displaying a confirmation message. This value is ignored when "target" is not specified.
target The URI (encoded in Base64) that the user is sent to after completing an account profile process. The "target" query string parameter must have a domain name of doitt.nycnet, nyc.gov, nycid.nycnet, csc.nycnet, cloudapp.net, hpd.nycnet, nycgovparks.org, finance.nycnet, hpdnyc.org, cs.nycnet, gcomsoft.com, records.nycnet, dcas.nycnet, dhs.nycnet, redcapcloud.com, cityofnewyork.us, dynamics.com, dynamics365portals.us, getinfo.nyc, fdnycloud.org, microsoftonline.com, mkscloud.com, samaritan.com, ivalua.us, sbs.nycnet, communityneeds.nyc, ukrosoft.com.ua, appgeo.com, azurewebsites.net, or gigya.com. Please contact nycidintegration@doitt.nyc.gov to add your domain name to the list of valid domains.
lang A language code. Learn about Internationalization and Localization for a list of supported language codes. Defaults to en.
spName Your application's SAML Service Provider (SP) Metadata name, found in the NYC.ID Console. This value is used to override the Application Brand Banner computed from the "target" parameter. Learn more about Application Brand Banner Logic
! IMPORTANT: If the user is not logged in, this parameter will not be passed to the Login page.
! IMPORTANT: If the "target" parameter isn't specified or is invalid, NYC.ID will send the user to NYC.gov
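
The parameter rules above can be applied when your application builds its profile link. The following is an added example, not NYC.ID code: the function names are hypothetical, the allow-list is a short excerpt of the documented domains, and two details are assumptions (standard Base64 of the UTF-8 URI, and a host matching when it equals a listed domain or is a subdomain of one).

```python
import base64
from urllib.parse import urlencode, urlsplit

# Relative URL and tab values as documented on this page.
PROFILE_PATH = "/account/user/profile.htm"
VALID_TABS = {"email", "name", "password", "questions", "deactivate"}
# Excerpt of the documented "target" domain list; use the full list in practice.
ALLOWED_TARGET_DOMAINS = {"nyc.gov", "doitt.nycnet", "cityofnewyork.us"}


def target_host_allowed(target_uri):
    """True if the target is an absolute http(s) URI on an allowed domain."""
    parts = urlsplit(target_uri)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme not in ("http", "https") or not host:
        return False
    # Assumption: equal to a listed domain, or a subdomain of it. Matching on
    # a label boundary rejects look-alike hosts such as "evilnyc.gov" and
    # "nyc.gov.example.com"; .hostname ignores any userinfo before "@".
    return any(host == d or host.endswith("." + d)
               for d in ALLOWED_TARGET_DOMAINS)


def build_profile_link(tab=None, target=None, return_on_save=False,
                       lang=None, sp_name=None):
    """Build the relative Account Profile URL with its optional parameters."""
    params = {}
    if tab is not None:
        if tab not in VALID_TABS:
            raise ValueError(f"unsupported tab: {tab!r}")
        params["tab"] = tab
    if target is not None:
        if not target_host_allowed(target):
            raise ValueError("target is not on an allowed domain")
        # Assumption: standard Base64; urlencode() then escapes "+", "/", "=".
        encoded = base64.b64encode(target.encode("utf-8")).decode("ascii")
        params["target"] = encoded
        # returnOnSave is ignored by NYC.ID when "target" is not specified,
        # so it is only sent together with a target.
        if return_on_save:
            params["returnOnSave"] = "true"
    if lang:
        params["lang"] = lang
    if sp_name:
        params["spName"] = sp_name
    query = urlencode(params)
    return PROFILE_PATH + ("?" + query if query else "")
```

Checking the target before encoding surfaces a rejected domain in your own application instead of as a silent redirect to NYC.gov.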

When a user visits the Account Profile page:

  1. If the user is not logged in, the user is redirected to the Login page.
  2. A user selects one of the following tabs:
    1. email address
    2. password
    3. name (default)
    4. security questions
    5. deactivate

 

Changing Username/Email Address

A user can change his or her email address or change his or her username to an email address. When a user selects the Email Address tab:

  1. the user enters a new email address, confirms it, enters his or her current password, and clicks the Save Changes button.
    ! IMPORTANT: The user's email address is not yet changed.
  2. NYC.ID:
    1. sends the user an email, which contains a link that the user must click to activate the new email address, and
    2. displays a message, which explains that an email was sent and tells the user to check his or her email.
    NOTE: The change email link expires in 72 hours.
  3. After the user clicks the link, if the user is not logged in, he or she will be prompted to log in. Then, NYC.ID instructs the user to close his or her browser.


Changing Password

A user can change his or her password. When he or she selects the Password tab:

  1. A user enters his or her current password.
  2. The user enters a new password and confirms it.
  3. The user clicks the Save Changes button.
! IMPORTANT: If a user authenticates via a federated identity provider, and does not have a linked NYC.gov account, the user will not need to specify his or her current password.

 

Changing Name

A user can change his or her name. When the user selects the Name tab:

  1. The user enters his or her first name, middle initial, or last name.
  2. The user clicks the Save Changes button.

 

Changing Security Question and Answer

A user can change his or her security question, and answer it. When the user selects the Security Questions tab:

  1. The user selects one question and answers it.
  2. The user enters his or her password.
  3. The user clicks the Save Changes button.

 

Deactivating Account

A user can deactivate his or her account. When the user selects the Deactivate tab:

  1. The user clicks the Deactivate button.
  2. NYC.ID displays a dialog, warning the user that he or she will be logged out after clicking the Deactivate My Account button.
  3. The user may choose to:
    1. deactivate his or her account by clicking the Deactivate My Account button, or
    2. cancel account deactivation by clicking the Cancel button.
! IMPORTANT: After account deactivation, the user will be unable to log in to any NYC.ID-integrated application. To reactivate his or her account, the user must reset his or her password via email.

 

Enabling or Disabling Two-Factor Authentication

A user can enable or disable two-factor authentication on his or her account. When the user selects the Two-Factor Authentication tab, if two-factor authentication is disabled:

  1. The user enters his or her password.
  2. The user clicks the Enable button.
  3. NYC.ID displays a dialog, warning the user that on next login, he or she will be prompted to secure his or her account with a phone number.
  4. The user may choose to:
    1. enable two-factor authentication by clicking on the Enable button, or
    2. cancel two-factor authentication by clicking on the Cancel button.

When the user selects the Two-Factor Authentication tab, if two-factor authentication is enabled:

  1. The user enters his or her password.
  2. The user may choose to:
    1. disable two-factor authentication by clicking on the Disable button, or
    2. remove the device associated with two-factor authentication by clicking on the Remove Device button.

Multi-factor authentication (MFA) adds an extra layer of security to the authentication flow. In NYC.ID, MFA is user-based and enforced by the integrated application. The MFA method depends on the Risk-Based Authentication (RBA) rules configured in Gigya (SAP) and is currently set to phone (voice message/SMS) or authenticator app.

Limitations:

  1. Limitations when code is received via SMS
    • There is a 10 second wait between consecutive requests for an SMS code per phone number.
    • Up to five SMS code requests are allowed per phone number in a 5 minute window.
    • After five SMS requests that do not complete (no successful verification), there is a 5 minute cool-down period (no SMS can be sent from this account). Failed attempts only count for SMS send code.
  2. Remember this device is set to 1 day.
    ! IMPORTANT: The user will not be asked for TFA again for 1 min. If the user logs out and logs back in straight away, TFA will generally be skipped because the login falls within this time frame, regardless of whether the device was remembered.