Best Practices

The following are best practices for NYC.ID integration:

  • We recommend that your application not authorize users who have a username but no email address on their NYC.ID account, because:
    • such users can't use the email-based forgot-password functionality,
    • you will have no email address through which to contact the user, and
    • if the user can't log in and can't remember his or her security questions, DoITT cannot reset the user's password.
  • We recommend, for security purposes, that your application include the "dateTime" parameter when invoking all NYC.ID Web services. Learn about Authenticating Requests.
  • We recommend, for security purposes, that your SAML Service Provider (SP) require encrypted SAML Assertions, so that the user attributes they carry are not exposed while the assertion passes through the user's browser.
  • We recommend, for security purposes, that your application's session timeout be 30 minutes or less.
  • We recommend, for security purposes, that your application instruct users to close their Web browser after logging out, so that any remaining session cookies are discarded.
  • If your application is configured to allow users to log in via federated identity providers, it should not include a link to the Create Account page. Doing so may cause a user to assume he or she needs to create a NYC.ID account to access your application. Learn about Authentication.
  • We recommend that your developers understand or have experience with SAML or OAuth and Web services.
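The following is an added illustration of why the "dateTime" parameter matters when signing Web-service requests; it is not NYC.ID's own code, and the request path, parameter names, secret and five-minute tolerance window are hypothetical rather than NYC.ID's documented scheme. What it shows is the general pattern: the client signs the request together with its timestamp, and the verifier rejects requests whose timestamp is outside a short window and remembers signatures only for that window. Without a signed timestamp, the verifier could not tell a fresh request from a captured one unless it stored every signature it had ever seen.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Hypothetical values for this example: a real deployment receives its
# shared secret out of band and picks its own tolerance window.
SECRET = b"hypothetical-shared-secret"
MAX_CLOCK_SKEW = timedelta(minutes=5)
TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def canonical(path, params):
    """Canonical string to sign: path plus all parameters except the
    signature itself, sorted by name so both sides build the same bytes."""
    items = sorted((k, v) for k, v in params.items() if k != "signature")
    return path + "?" + urlencode(items)


def sign_request(path, params, secret, now=None):
    """Client side: add dateTime, then an HMAC-SHA256 over path + params.
    Because dateTime is inside the signed string, it cannot be altered
    without invalidating the signature."""
    now = now or datetime.now(timezone.utc)
    signed = dict(params)
    signed["dateTime"] = now.strftime(TIME_FORMAT)
    mac = hmac.new(secret, canonical(path, signed).encode(), hashlib.sha256)
    signed["signature"] = mac.hexdigest()
    return signed


class Verifier:
    """Server side: check signature, freshness, and single use."""

    def __init__(self, secret, skew=MAX_CLOCK_SKEW):
        self.secret = secret
        self.skew = skew
        # Signatures accepted inside the window. Because stale requests are
        # rejected by timestamp first, entries older than `skew` can be
        # pruned; the set never has to grow without bound.
        self.seen = set()

    def verify(self, path, params, now=None):
        now = now or datetime.now(timezone.utc)
        sig = params.get("signature")
        ts = params.get("dateTime")
        if not sig or not ts:
            return False, "missing dateTime or signature"
        expected = hmac.new(
            self.secret, canonical(path, params).encode(), hashlib.sha256
        ).hexdigest()
        # Constant-time comparison so the check does not leak the digest.
        if not hmac.compare_digest(sig, expected):
            return False, "bad signature"
        try:
            when = datetime.strptime(ts, TIME_FORMAT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "unparseable dateTime"
        if abs(now - when) > self.skew:
            return False, "stale request"
        if sig in self.seen:
            return False, "replayed request"
        self.seen.add(sig)
        return True, "ok"


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    req = sign_request("/service/example", {"email": "user@example.com"}, SECRET, now=t0)
    v = Verifier(SECRET)
    print(v.verify("/service/example", req, now=t0 + timedelta(minutes=1)))
    print(v.verify("/service/example", req, now=t0 + timedelta(minutes=2)))
    print(v.verify("/service/example", req, now=t0 + timedelta(minutes=10)))
```

The order of the checks is deliberate: the signature is verified before the timestamp is trusted, the timestamp bounds how long a signature must be remembered, and only then is the replay set consulted. A request that omits "dateTime" fails at the first check, which is the practical consequence of the recommendation above.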