- What is being decommissioned? And what are the differences between the HID contacts and authentication services?
- How will partner organizations be affected by these changes?
- Can I continue using HID until the decommissioning date in Jan. 2021?
- What will happen to profiles on HID?
- Will profiles lose their verification?
- What will happen to my Global Manager role?
- As Global Manager, should I continue to verify users?
- As Global Manager, should I continue to tell partner organizations to register on HID?
- What will happen to contact lists with Mailchimp attached to them?
- What will happen to contact lists with Google Groups attached to them?
- Will the HID team continue providing support to HID users?
- Can I invite people to join?
- Can anyone find my information?
- Is there a way to create my own contact lists?
- What is verification and how do I get verified?
- What measures has HID put in place for insecure environments?
- My organization is missing. How can it be added?
- Can the system check me out automatically?
- How are my contact details on Humanitarian ID if I did not register?
- How do I remove my information from Humanitarian ID?
- Will this mean even more email?
- What are services in Humanitarian ID?
- Do I still use Virtual OSOCC?
- How can I tell if a user is verified?
- Why does Humanitarian ID verify users?
- How does Humanitarian ID verify users?
- Can I request to get verified?
- How to remain verified?
- What can unverified and verified users do?
- How to choose a secure password?
- How can I change my password?
- Why do I need to update my password every six months?
- What is two-factor authentication?
- How do I activate two-factor authentication?
- Can I switch off the two-factor authentication?
- Should I reply to emails asking for my personal information?
- How does Humanitarian ID keep my data secure?
- What features does Humanitarian ID have that help me control my information?
- Is my information secure?
- What will you do with my data?
- Who owns and runs Humanitarian ID?
- Who manages Humanitarian ID everywhere?
- Is there an app in the Apple App store or Google Play store?
- Why not just use Google, Facebook or Twitter for central authentication?
- Can I sign into other sites with my Humanitarian ID?
- How do I integrate Humanitarian ID into my website?
- Can I build a feature for Humanitarian ID?
- On which websites can I use my Humanitarian ID to login?
What is being decommissioned? And what are the differences between the HID contacts and authentication services?
HID was built as a combination of two services: a semi-public database for contact management (the website) and a larger non-public database supporting the authentication (login) service. The login service is used across 18 OCHA and 12 partner platforms. The contact management aspect of HID will be decommissioned in Jan 2021. The authentication service will continue to be supported and will be upgraded during 2020. If you are the manager of a platform using the HID Authentication service, we will be in touch with you in the coming weeks.
Logins: Nothing will change for organizations who use a HID login to access HPC.tools, GMS and all other integrated platforms.
Contacts: Organizations and field offices that use HID for contact or list management will no longer be able to do this after the platform is decommissioned in Jan 2021. We would recommend that between now and January 2021 partner organizations export all their required contact data from Humanitarian ID.
HID global managers and all users can continue using HID for contact management whilst the platform remains live, although there will no longer be updates or bug fixes during this time. We would recommend that between now and January 2021 you export all your required contact data from Humanitarian ID. You can export this in either csv or pdf format.
Profiles within the Humanitarian ID site will no longer be public from January 2021. They will continue to exist in a private database that will store information necessary for the authentication (login) service. All users will be able to access their own account information within this private database, while the whole database will be accessible only to administrators. All users with an HID account will continue to be able to use their account to login to the integrated platforms.
As Humanitarian ID moves to a non-public database, profile verification will become an automatic process based on email domains. Any profiles that have a trusted organization email address attached to them will automatically remain verified; profiles that use public email addresses such as Hotmail or Gmail will no longer be verified.
Your role will remain active until the HID platform is decommissioned in Jan 2021 and you will be able to keep performing all tasks as usual.
You can continue verifying users manually until the HID contacts service is decommissioned in Jan 2021. In the future, however, profile verification will become an automated function based on email domains only. This will reduce the time required from global managers and support staff to maintain the platform.
Only if they need an HID account to access one of the integrated platforms.
Existing MailChimp lists and contacts within them will remain unaffected. After Jan 2021 users will not be able to subscribe to MailChimp lists via Humanitarian ID. From that point new subscriptions will have to be managed through the MailChimp provided subscription forms.
Existing Google Groups and contacts within them will remain unaffected. After Jan 2021 users will no longer be able to subscribe to Google Groups via HID. New subscriptions will then have to be managed through the Google Group provided subscription methods. If you need assistance with managing your Google Groups, please reach out to us at firstname.lastname@example.org . We will keep providing G Suite accounts (which include email addresses and google groups) to OCHA field offices and clusters.
Yes. Until the decommissioning of the platform we will continue to provide regular support to users. Users can continue to reach the support team at email@example.com . Support specific to the authentication service will continue beyond Jan 2021.
Yes, of course. We ask only that they are involved in humanitarian response or would be during a humanitarian crisis. Simply send them a message with a link to our website – https://humanitarian.id – and encourage them to register and check in.
Your profile is publicly discoverable, but you control what information you share. The availability of your crisis-specific details depends on the given situation. Some emergencies will have a public contact list. Others will be “secured” where only verified users can access the contact lists. Besides that, some contact lists may be curated by one of our Information Management Officers and be only visible to users that got accepted by the list owner or even need an invitation to be displayed. We take security seriously and will help you to stay on the cautious side. Also see: Questions about security and data privacy
We recognize that you will want to create your own contact lists and not only filter a country list by, for example, an organization or location. Create a list, give it whatever name you want, and start adding contacts. You can then share the list (URL) or save or print it as a PDF.
We verify Humanitarian ID users in order to make the platform as relevant, useful, and reliable as possible. Verified users can access the whole range of possibilities Humanitarian ID offers. If you want to know more see our section on: Questions about verification
You can find security related questions in the section: Questions about security and data privacy
Humanitarian ID works closely with the HumanitarianResponse.info project including leveraging their list of organizations. In order to get a new organization added, submit a simple form on their website. Additions will be available within 24-48 hours. Click here to enter your organization's details.
We will send you unobtrusive notifications of when we think that you may have left the emergency. You can also add your departure date upon check-in to a list. This way you will receive a notification reminding you to check out. We have conducted an early investigation of the use of automatic geolocation, but found that up to 30% of UNOCHA offices appear in the wrong geographic location given their use of satellite connectivity for Internet. Therefore, we want to make sure we get our approach right and do not make you ever feel that we are pestering you.
Since Humanitarian ID is used to manage contact lists, managers and editors are able to manually add unregistered users to a specific contact list. This action sends an email (if provided) to you suggesting you register for Humanitarian ID and thereby manage your own contact details on lists.
There are different scenarios in which we expect you may want to remove information from Humanitarian ID.
- You want to be removed from a contact list and have a registered Humanitarian ID account. In this scenario, log into Humanitarian ID and 'Check out' of the respective contact list. This action removes your details from that contact list.
- You were added to a contact list, but do not have a Humanitarian ID account. In this scenario, you were added to the contact list by a trusted administrator as they believed that it was imperative you be part of the list. The best approach here is to accept the invitation that you received by email, claim your general Humanitarian ID account, set up your profile and then modify your details on the respective contact list (or check out to remove yourself). By claiming your account, you will be able to control your details on humanitarian contact lists.
- You have a registered Humanitarian ID account that you would like completely removed from the system. In that case, we ask that you send us an email at firstname.lastname@example.org . We will take action and confirm when the removal is complete. You can also delete your account yourself: click on your name and hit 'Preferences'; under the section 'Settings' you'll find an option to delete your account.
During a crisis, we know that you already receive what feels like too many emails. Although you will continue to receive emails, we expect that when people use Humanitarian ID, they will be able to find the right people to contact, thereby reducing the number of unnecessary emails you receive. We implemented features that allow you to subscribe to and unsubscribe from crisis-related email groups. This will give you more power over which emails you are subscribed to and which are of value to you.
Humanitarian ID lists can be linked to a Google Group or a Mailchimp list that provides access to quick and valuable information to everyone who is in the list. If a service is attached to a list, you will be asked if you want to subscribe to that service. You can also do so later on if you are not sure yet. To unsubscribe from a service you need exactly three clicks:
- Go to your Dashboard
- On the right side under 'Subscriptions' all your services are listed. Click on the three points next to the service you want to unsubscribe from.
- Hit 'Unsubscribe'
The Virtual OSOCC is intended to help early responders to collaborate and share information. Teams can specify whether they plan to deploy or are actually deploying. It is not intended to manage contact lists or give you control over your details in the contact list. Therefore, if you are responding to a humanitarian crisis, we encourage you to check in on Humanitarian ID and make use of the Virtual OSOCC to share and find relevant response information (e.g. UNDAC activities, links to key documents, etc.).
A checkmark next to a user’s name or profile picture indicates that they are verified.
We verify HID users in order to make the platform as relevant, useful, and reliable as possible. The verification process consists of a combination of manual and automated measures to ensure that Humanitarian ID users are individuals that belong to the humanitarian community.
Verification is determined based on organizational affiliation. If you add (and validate) an email address that belongs to a domain that is already trusted (for example, @un.org), your profile will be automatically verified. HID automates the verification for organizations that meet certain criteria, including participating in HPC processes, or being IASC members.
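The domain-based check described above, sketched in JavaScript as an added example; it is not Humanitarian ID's own code. The allow-list contents, the profile shape and the function names are assumptions, and the sample addresses are constructed to include shapes that a naive suffix comparison would wrongly accept.

```javascript
'use strict';

// Assumed allow-list of trusted organization domains. Only un.org is named on
// the page; the second entry is a constructed placeholder.
const TRUSTED_DOMAINS = new Set(['un.org', 'trusted-ngo.example']);

// Return the normalized domain of an address, or null if it is malformed.
function emailDomain(address) {
  if (typeof address !== 'string') return null;
  const trimmed = address.trim();
  // Use the LAST '@': in 'a@un.org@evil.example' the domain is evil.example.
  const at = trimmed.lastIndexOf('@');
  if (at <= 0 || at === trimmed.length - 1) return null;
  const domain = trimmed.slice(at + 1).toLowerCase().replace(/\.$/, '');
  // Plain ASCII hostnames only, so look-alike Unicode characters cannot pass
  // for a trusted name (internationalized domains must be listed as xn--...).
  if (!/^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(domain)) return null;
  return domain;
}

// Exact match by default. With allowSubdomains, whole labels are compared, so
// 'mail.un.org' matches 'un.org' but 'notun.org' and 'un.org.evil.example' do not.
function isTrustedDomain(domain, { allowSubdomains = false } = {}) {
  if (TRUSTED_DOMAINS.has(domain)) return true;
  if (!allowSubdomains) return false;
  const labels = domain.split('.');
  for (let i = 1; i < labels.length - 1; i++) {
    if (TRUSTED_DOMAINS.has(labels.slice(i).join('.'))) return true;
  }
  return false;
}

// A profile is verified if at least one VALIDATED address is in a trusted domain.
function verificationFor(profile, options = {}) {
  for (const email of profile.emails || []) {
    if (email.validated !== true) continue; // unconfirmed addresses prove nothing
    const domain = emailDomain(email.address);
    if (domain !== null && isTrustedDomain(domain, options)) {
      return { verified: true, via: domain };
    }
  }
  return { verified: false, via: null };
}

// Constructed sample profiles.
const SAMPLE_PROFILES = {
  staff: { emails: [{ address: 'Alice@UN.ORG', validated: true }] },
  publicMail: { emails: [{ address: 'bob@gmail.com', validated: true }] },
  unvalidated: { emails: [{ address: 'carol@un.org', validated: false }] },
  suffixTrick: { emails: [{ address: 'dave@un.org.attacker.example', validated: true }] },
  prefixTrick: { emails: [{ address: 'eve@notun.org', validated: true }] },
  doubleAt: { emails: [{ address: 'frank@un.org@attacker.example', validated: true }] },
  subdomain: { emails: [{ address: 'grace@mail.un.org', validated: true }] },
};

for (const [name, profile] of Object.entries(SAMPLE_PROFILES)) {
  console.log(name, verificationFor(profile).verified);
}
```

Whether subdomains of a trusted domain should count is a policy decision; the example keeps it off unless `allowSubdomains` is passed.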
If you are not yet verified, please send an email to email@example.com. Make sure to add (and validate) an official email address that belongs to your organization (example @your-organization.org) first.
If you use a primary email (login email) that belongs to one of the trusted domains, your verification will not expire. Otherwise, the verification expires after one year. A week before it expires, we send you a reminder email; simply update your profile information and reply to us to keep the verification. If you do not reply to the email within one week, the verification mark will be removed, along with the privileges. You can get in touch with us via firstname.lastname@example.org to be re-verified.
Verification is not required to access most of the HID partner platforms.
On Humanitarian ID, while unverified users have access to most features and services, verified users can do more. See details below.
| Features/Services | Unverified Users | Verified Users |
|---|---|---|
| Create and manage your profile | ✅ | ✅ |
| Check in and out of lists (or ask to be checked in) | ✅ | ✅ |
| Create, manage, delete your own lists | ✅ | ✅ |
| Add and remove people to your lists | ✅ | ✅ |
| View open lists | ✅ | ✅ |
| Export lists in .pdf format | ✅ | ✅ |
| Search people by email address | | ✅ |
| View restricted lists | | ✅ |
| Export all lists in .csv format | | ✅ |
| Synchronize contact lists with Google spreadsheets | | ✅ |
| Access to Wider/Ericsson wifi services in the field during emergencies | | ✅ |
- Pick a strong password and do not give your password to someone you don't know and trust.
- Never reply to emails asking for your password.
- Make sure your email account is secure.
- Log out of Humanitarian ID when you use a computer or phone you share with other people.
- Be careful when you authorize any third-party app.
- Make the new password significantly different from other previous passwords.
- Use a sentence or phrase converted into a string of initials, numbers and symbols.
- Use non-standard word uppercasing and spelling like “uPPercasing” and “spelllllllling”.
- Don’t use common passwords like “password” “iloveyou” or “12345678”.
- Add non-obvious numbers and symbols (note: using "$" for "s" or "0" for "o" is fairly common and likely not enough of a security measure).
To change your password, simply click on the following link: https://humanitarian.id/password. Alternatively, go to your profile on Humanitarian ID, click on your name, then "Preferences" and "Change Password".
Updating your password every six months is a security measure. This is one of the security measures Humanitarian ID implements to comply with the UN Office of Information Communication Technology (OICT) regulations. You can avoid a forced password reset by opting for an even safer option of password security - two-factor authentication, see: What is two-factor authentication?
Two-factor authentication (2FA) is an additional security feature that allows you to make your account even safer. Here’s how it works: After you enter your password to log into Humanitarian ID (the first step), you can generate a time-limited code on your mobile phone, which you will need to enter (the second step). Unless someone knows your password and also has physical access to your phone, your account is secure.
What you need to do to enable this feature:
- Go to Humanitarian ID, click on your name in the top-right corner and hit Preferences. You can then select two-factor authentication under ‘Additional Security’.
- After you activate two-factor authentication on this page, you will see a QR code that you need to scan with your authenticator app. Alternatively, you can do the set-up manually.
- You’ll then be sent a code to your mobile authenticator app.
- After you have successfully activated two-factor authentication, Humanitarian ID provides you with a set of recovery codes that will allow you to access your account even if you lose your phone. Please download these codes to a safe place!
You can remove the two-factor authentication feature at any point, by going to your Preferences - ‘Additional Security’ and clicking on ‘Deactivate’. However, we encourage our users to use two-factor authentication for additional account safety and to avoid resetting their password every six months!
Humanitarian ID will never ask for your password in emails, so never reply to any email asking for personal information, even if it claims to be from Humanitarian ID or UNOCHA. If you're not sure the email is from Humanitarian ID, check out How to recognize phishing email messages or links. It has tips to help you determine if an email is from a legitimate source.
Humanitarian ID is protected with multiple layers of security, including leading encryption technology like HTTPS and Transport Layer Security. We have ensured that Humanitarian ID cannot be scanned by search engines, so your contact details will not show up in public searches. We have made it difficult for an individual user to copy a large number of emails from Humanitarian ID. Only Humanitarian ID managers and trusted partners (verified users) have advanced abilities to export such information. All Humanitarian ID users have implicitly committed to abide by our Code of Conduct. And, finally, should you experience or suspect any abuse, kindly report it to email@example.com and we will investigate it promptly.
As an individual you can decide yourself how much information you put into your profile. No field is mandatory, though obviously, to make the best use of Humanitarian ID, you should provide as much information as you feel comfortable with. In addition, you have the option to share certain information (like your email address or your phone number) with specific people only. This feature is called “My Connections”. If you want to create lists yourself, you can do so, deciding yourself who should be able to see and/or join your self-created contact list (YouTube Tutorial). Lastly, some lists are ‘locked’ and only visible to users who have been verified by our administrators (i.e. OCHA’s and clusters’ information management officers). If you are not a verified user yet, contact your local information management officer or contact us at firstname.lastname@example.org.
More technical security measures we have taken:
- User authentication takes place via OpenID Connect, which provides a secure way for an authentication service to confirm a successful user sign in action to client applications.
- Client applications (e.g. HumanitarianResponse.info) sign all requests to the Node.js web services (using client IDs and secrets issued by the service).
- User-to-service, user-to-client application, client application-to-service, and service-to-service connections are encrypted using SSL.
- API keys and secrets can be expired and reissued.
- Users are protected against CSRF attacks on the authentication service using the Node.js package hapi/crumb.
- Users are protected against CSRF attacks on the HumanitarianResponse.info site and Humanitarian ID app using Drupal’s form system and AngularJS’s XSRF-TOKEN approach.
- Users can enable Multi-Factor-Authentication as an additional layer of security.
This information is also downloadable in pdf.
We promise that we will:
- take all precautions and actions possible to ensure that your data forever remains safe and secure. In more dangerous crises, we will apply additional security and only allow users who are verified by an administrator to access contact information;
- never share your data with people outside Humanitarian ID if you do not explicitly consent (e.g. partner websites using our authentication service, see point 7). When authorized, all profile information (including name, group, phone number, email address, photo, and any location or additional information that you provide) is visible to other people on Humanitarian ID;
- never share your password;
- never publish any data that you do not explicitly provide;
- never sell your data;
- encrypt all connections through the use of SSL. This security will apply to User-to-service, user-to-client application, client application-to-service, and service-to-service connections;
- require your authorization before third-party websites can access HID on your behalf to enable authentication on their website.
The Humanitarian ID solution has been created and is maintained by the United Nations Office for the Coordination of Humanitarian Affairs (UNOCHA). OCHA freely provides the solution to the humanitarian community. The full Terms of Service for Humanitarian ID users can be found here.
The system currently has three levels of management:
- Global administration which is managed by UNOCHA in Geneva, Switzerland and New York City, USA.
- Country-level administration which is managed by UNOCHA in the respective country. If UNOCHA is not present, trusted partners can take on this role.
- Country-level editors are key, trusted members within humanitarian clusters/sectors who have the ability to edit user profiles and check-out responders who have left (but not checked-out themselves).
We also provide an organization-level management role where focal points can modify any checked-in responders related to their respective organization.
We saw two major problems with using the dominant (privately-owned) authentication services: 1) they are privately owned and we had no control over the data you would provide them, and 2) not everyone uses one of these given platforms. We wanted to provide a completely independent, non-commercial solution that has you at the heart - not a private company. Plus, we are concerned about how your data is used.
The Humanitarian ID authentication mechanism is already the authentication mechanism for the Grant Management System (GMS), ReliefWeb, HumanitarianResponse.info, HPC Projects Module, Humanitarian InSight, the IASC website and over 20 other platforms from cluster websites to further partners in the humanitarian community. We will be adding more websites on a constant basis; you can find our partners here. If you are a verified user in Humanitarian ID, you are also able to access the Emergency Telecom Cluster (ETC) Wireless LAN in Disaster and Emergency Response (Wider) communication system, which gives you free access to the internet!
In our Developers section you'll find the latest Documentation on authentication and our API as well as our GitHub wiki. Once you have had a first look, send us an email and we will be in touch: email@example.com.
Yes! Humanitarian ID has been “open” from the very beginning. If you would like to contribute a feature to (or extend) the solution, feel free to get in touch at firstname.lastname@example.org.