Access control
Use least privilege. Separate company configuration, helpdesk work, audit review, security response, privacy handling, and production approval when your policy requires it.
This guide is for authorized company administrators, helpdesk teams, security operators, and project owners. It explains the customer responsibilities that support a safe MYID deployment without exposing platform secrets or private infrastructure.
Last reviewed July 18, 2026
Use least privilege. Separate company configuration, helpdesk work, audit review, security response, privacy handling, and production approval when your policy requires it.
Enable only the mobile functions backed by a tested provider, approved permissions, a support owner, and a documented recovery path.
Keep service passwords, API tokens, private keys, OTP values, setup secrets, and authorization data in approved secret storage. Never place them in tickets, guides, screenshots, or source control.
Review connection tests, release results, audit events, performance measurements, known limits, and rollback readiness before approving a change.
Confirm a stable company identifier, display name, logo, support contact, identity source, user naming rules, approved mobile modules, privacy roles, retention instructions, and escalation owners.
Issue a setup QR code or company identifier only after live readiness tests pass. Reissue setup material when its secret or onboarding contract changes. Users should always confirm the company shown in the app.
Begin with authorized test users who can validate common success paths, policy denials, provider outages, slow responses, already completed actions, account lockout, device replacement, and helpdesk escalation.
Validate issuer information, client identity, required permissions, callback configuration, token claims, user mapping, timeout policy, and a complete test user sign in.
Validate protected connectivity, certificate trust, search scope, account mapping, read and write permissions, password behavior, profile updates, and both locked and already unlocked test accounts.
Validate recipient lookup, destination masking, sender identity, OTP expiration, attempt limits, delivery results, failure handling, and safe audit redaction.
Validate authorization, user mapping, incident scope, risk evidence, activity access, lockout source parsing, freshness, and the behavior shown when the provider is unavailable.
Confirm that device and training identifiers map to the signed in user. Missing or unconfigured data should not become a false user failure.
Test device registration, delivery, protected routing after authentication, revoked devices, company changes, duplicate delivery, and unavailable destination content.
Audit records can include correlation, duration, sanitized request and response evidence, byte length, hash, truncation status, and capture mode when the transport makes them available. Binary, oversized, redacted, partial, or unavailable content must be identified honestly.
Never describe a partial or summarized value as an exact wire copy.
Tenant access must be derived from an approved signed identity and must never rely on a company identifier supplied by the caller. Direct access depends on issued credentials, expiration, revocation, and tested tenant authorization.
Until customer access is enabled for a deployment, request an approved tenant scoped export through the MYID platform team.
Approved mobile telemetry can summarize timing, outcome, normalized operation, platform, app version, build, and frame quality. It should not require passwords, OTP values, request bodies, profile contents, push tokens, or service credentials.
Review company lookup, sign in, device verification, OTP delivery, and failure rate separately so one slow dependency does not hide inside a combined number.
Review total duration, joined refreshes, live checkpoints, degraded sections, provider delay, repeated downloads, accepted samples, and dropped samples.
Use typical and slower experience percentiles together. Averages alone can hide a serious regression for a smaller group of users.
Review frame time and jank by platform, version, and build. Compare the release with its approved baseline and representative devices.
Confirm that an approved monitoring system is collecting durable measurements before relying on trends across a server restart.
Keep user entered values, credentials, full request content, and stable device secrets out of performance samples.
| Area | Required evidence |
|---|---|
| Company setup | Correct branding, support path, company lookup, current setup material, and intended capability policy. |
| Authentication | Successful sign in, required verification, expiry, cancellation, retry limits, trusted device behavior, and biometric resume. |
| Identity actions | Profile, password, MFA, directory status, unlock, recovery, activity, and device tests for every enabled function. |
| Security experience | User scoped incidents, pending evidence, risk state, notification routing, response choices, and automatic protection policy. |
| Synchronization | Accurate freshness, local startup, manual refresh, background work, degraded providers, photo cache, and company isolation. |
| Audit | W7 fields, correlation, sanitized capture, completeness status, tenant isolation, retention, export, and support access. |
| Performance | Representative baseline, slower experience percentile, failure rate, frame quality, provider breakdown, monitoring ingestion, and alert owners. |
| Operations | Helpdesk guide, escalation owners, privacy process, security contact, release record, artifact integrity, rollback rehearsal, and known limits. |