- What is being decommissioned? And what are the differences between the HID contacts and authentication services?
- How will partner organizations be affected by these changes?
- Can I continue using HID until the decommissioning date in Jan. 2021?
- What will happen to profiles on HID?
- Will profiles lose their verification?
- What will happen to my Global Manager role?
- As Global Manager, should I continue to verify users?
- As Global Manager, should I continue to tell partner organizations to register on HID?
- What will happen to contact lists with Mailchimp attached to them?
- What will happen to contact lists with Google Groups attached to them?
- Will the HID team continue providing support to HID users?
- What is verification and how do I get verified?
- How are my contact details on Humanitarian ID if I did not register?
- How do I remove my information from Humanitarian ID?
- Do I still use Virtual OSOCC?
- How can I tell if a user is verified?
- Why and how does Humanitarian ID verify users?
- What can unverified and verified users do?
- How to choose a secure password?
- How can I change my password?
- Why do I need to update my password every six months?
- What is two-factor authentication?
- How do I activate two-factor authentication?
- Can I switch off the two-factor authentication?
- Should I reply to emails asking for my personal information?
- How does Humanitarian ID keep my data secure?
- What features does Humanitarian ID have that help me control my information?
- Is my information secure?
- What will you do with my data?
- Who owns and runs Humanitarian ID?
- Who manages Humanitarian ID everywhere?
- Why not just use Google, Facebook or Twitter for central authentication?
- Can I sign into other sites with my Humanitarian ID?
- How do I integrate Humanitarian ID into my website?
- Can I build a feature for Humanitarian ID?
- On which websites can I use my Humanitarian ID to login?
What is being decommissioned? And what are the differences between the HID contacts and authentication services?
HID was built as a combination of two services, one semi-public database for contact management (the website) and a larger non-public database supporting the authentication (login) service. The login service is used across 18 OCHA and 12 partner platforms. The contact management aspect of HID will be decommissioned in Jan 2021. The authentication service will continue to be supported and will be upgraded during 2020. If you are the manager of a platform using the HID Authentication service we will be in touch with you in the coming weeks.
Logins: Nothing will change for organizations who use a HID login to access HPC.tools, GMS and all other integrated platforms.
Contacts: Organizations and field offices that use HID for contact or list management will no longer be able to do this after the platform is decommissioned in Jan 2021. We would recommend that between now and January 2021 partner organizations export all their required contact data from Humanitarian ID.
HID global managers and all users can continue using HID for contact management whilst the platform remains live, although there will no longer be updates or bug fixes during this time. We would recommend that between now and January 2021 you export all your required contact data from Humanitarian ID. You can export this in either csv or pdf format.
Profiles within the Humanitarian ID site will no longer be public from January 2021. They will continue to exist in a private database that will store information necessary for the authentication (login) service. All users will be able to access their own account information within this private database, while the whole database will be accessible only to administrators. All users with an HID account will continue to be able to use their account to login to the integrated platforms.
As Humanitarian ID moves to a non-public database, profile verification will become an automatic process based on email domains. Any profiles that have a trusted organization email address attached to them will automatically remain verified, profiles that use public emails such as HOTMAIL or GMAIL will no longer be verified.
Your role will remain active until the HID platform is decommissioned in Jan 2021 and you will be able to keep performing all tasks as usual.
You can continue verifying users manually until HID contacts service is decommissioned in Jan 2021, however in the future profile verification will become an automated function based on email domains only. This will reduce the time required from global managers and support staff to maintain the platform.
Only if they need an HID account to access one of the integrated platforms.
Existing Mailchimp lists and contacts within them will remain unaffected. After Jan 2021 users will not be able to subscribe to Mailchimp lists via Humanitarian ID. From that point new subscriptions will have to be managed through the Mailchimp provided subscription forms.
Existing Google Groups and contacts within them will remain unaffected. After Jan 2021 users will no longer be able to subscribe to Google Groups via HID. New subscriptions will then have to be managed through the Google Group provided subscription methods. If you need assistance with managing your Google Groups, please reach out to us at email@example.com. We will keep providing G Suite accounts (which include email addresses and Google Groups) to OCHA field offices and clusters.
Yes. Until the decommissioning of the platform we will continue to provide regular support to users. Users can continue to reach the support team at firstname.lastname@example.org. Support specific to the authentication service will continue beyond Jan 2021.
We verify Humanitarian ID users in order to make the platform as relevant, useful, and reliable as possible. If you want to know more see our section on: Questions about verification
Since Humanitarian ID used to manage contact lists, managers and editors were able to manually add unregistered users to a specific contact list. This action sends an email (if provided) to you suggesting you register for Humanitarian ID and thereby manage your own contact details.
To delete your account click on your name in the header of the homepage and click 'Preferences', under the section 'Settings' you'll find an option to delete your account. You can also send us an email at email@example.com confirming that you would like your account to be removed.
The Virtual OSOCC is intended to help early responders to collaborate and share information. Teams can specify if they plan or actually deploy. It is not intended to manage contact lists or give you control over your details in the contact list. Therefore, if you are responding to a humanitarian crisis, we encourage you to check-in on Humanitarian ID and make use of the Virtual OSOCC to share and find relevant response information (e.g. UNDAC activities, links to key documents, etc.)
A checkmark next to a user’s name or profile picture indicates that they are verified.
We verify HID users in order to make the platform as relevant, useful, and reliable as possible. Verification is determined based on organizational affiliation. If you add (and confirm) an email address that belongs to a trusted domain (example @un.org) your profile will be automatically verified.
Verification is not required to access most of the HID partner platforms.
On Humanitarian ID, while unverified users have access to most features and services, verified users can do more. See details below.
|Features/Services||Unverified Users||Verified Users|
|Create and manage your profile||✅||✅|
|Check in and out of lists (or ask to be checked in)||✅||✅|
|Create, manage, delete your own lists||✅||✅|
|Add and remove people to your lists||✅||✅|
|View open lists||✅||✅|
|Export lists in .pdf format||✅||✅|
|Search people by email address||✅|
|View restricted lists||✅|
|Export all lists in .csv format||✅|
|Synchronize contact lists with Google spreadsheets||✅|
|Access to Wider/Ericsson wifi services in the field during emergencies||✅|
- Pick a strong password and do not give your password to someone you don't know and trust.
- Never reply to emails asking for your password.
- Make sure your email account is secure.
- Log out of Humanitarian ID when you use a computer or phone you share with other people.
- Be careful when you authorize any third-party app.
- Make the new password significantly different from other previous passwords.
- Use a sentence or phrase converted into a string of initials, numbers and symbols.
- Use non-standard word uppercasing and spelling like “uPPercasing” and “spelllllllling”.
- Don’t use common passwords like “password” “iloveyou” or “12345678”.
- Add non-obvious numbers and symbols (note: using "$" for "s" or "0" for "o" is fairly common and likely not enough of a security measure).
To change your password, simply click on the following link: https://humanitarian.id/password Alternatively, go to your profile on Humanitarian ID, click on your name, then "Preference" and "Change Password".
Updating your password every six months is a security measure. This is one of the security measures Humanitarian ID implements to comply with the UN Office of Information Communication Technology (OICT) regulations. You can avoid a forced password reset by opting for an even safer option of password security - two-factor authentication, see: What is two-factor authentication?
Two-factor authentication (2FA) is an additional security feature that allows you to make your account even safer. Here’s how it works: After you enter your password to log into Humanitarian ID (the first step), you can generate a time-limited code on your mobile phone, which you will need to enter (the second step). Unless someone knows your password and also has physical access to your phone, your account is secure.
What you need to do to enable this feature:
Go to Humanitarian ID, click on your name on the top-right corner and hit Preferences, you can then select two-factor authentication under ‘Additional Security’
After you activate two-factor verification on this page you will see a QR-code that you need to scan with your authenticator app or you do the set-up manually.
You’ll then be sent a code to your mobile authenticator app.
After you successfully activated two-factor authentication Humanitarian ID provides you with a set of recovery codes that will allow you to access your account also if you lost your phone. Please download these codes to a safe place!
You can remove the two-factor authentication feature at any point, by going to your Preferences - ‘Additional Security’ and clicking on ‘Deactivate’. However, we encourage our users to use two-factor authentication for additional account safety and to avoid resetting their password every six months!
Humanitarian ID will never ask for your password in emails, so never reply to any email asking for personal information, even if it claims to be from Humanitarian ID or UNOCHA. If you're not sure the email is from Humanitarian ID, check out How to recognize phishing email messages or links. It has tips to help you determine if an email is from a legitimate source.
Humanitarian ID is protected with multiple layers of security, including leading encryption technology like HTTPS and Transport Layer Security. We have ensured that Humanitarian ID cannot be scanned by search engines. So, your contact details will not show up in public searches. We have made it difficult for an individual user to copy a large number of emails from Humanitarian ID. Only Humanitarian ID managers and trusted partners (verified users) do have advanced abilities to export such information. All Humanitarian ID users have implicitly committed to abide by our Code of Conduct. And, finally, should you experience or suspect any abuse, kindly report it to firstname.lastname@example.org and we will investigate it promptly.
As an individual you can decide yourself how much information you put into your profile. No field is mandatory - though obviously to make the best use out of Humanitarian ID, you provide as much information as you feel comfortable with. In addition, you do have the option to share certain information (like your email address or your phone number) with specific people only - this feature is called “My Connections”. If you want to create lists yourself, you can do so, deciding yourself on who should be able to see and/or join your self-created contact list (Youtube Tutorial). Lastly, some lists are ‘locked’ and only visible to users who have been verified by our administrators (i.e. OCHA’s and clusters’ information management officers). If you are not a verified user yet, contact your local information management officer or contact us at email@example.com.
More technical security measures we have taken:
- User authentication takes place via OpenID Connect, which provides a secure way for an authentication service to confirm a successful user sign in action to client applications.
- Client applications (e.g. HumanitarianResponse.info) sign all requests to the Node.js web services (using client IDs and secrets issued by service).
- User-to-service, user-to-client application, client application-to-service, and service-to-service connections are encrypted using SSL.
- API keys and secrets can be expired and reissued.
- Users are protected against CSRF attacks on the authentication service using the Node.js package hapi/crumb.
- Users are protected against CSRF attacks on the HumanitarianResponse.info site and Humanitarian ID app using Drupal’s form system and AngularJS’s XSRF-TOKEN approach.
- Users can enable Multi-Factor-Authentication as an additional layer of security.
This information is also downloadable in pdf.
We promise that we will:
- take all precautions and actions possible to ensure that your data forever remains safe and secure. In more dangerous crises, we will apply additional security and only allow users who are verified by an administrator to access contact information;
- never share your data with people outside Humanitarian ID if you not explicitly consent (e.g. partner websites using our authentication service, see point 7). When authorized, all profile information (including name, group, phone number, email address, photo, and any location or additional information that you provide) is visible to other people on Humanitarian ID;
- never share your password;
- never publish any data that you do not explicitly provide;
- never sell your data;
- encrypt all connections through the use of SSL. This security will apply to User-to-service, user-to-client application, client application-to-service, and service-to-service connections;
- require your authorization to third-party websites to access HID on your behalf to enable authentication on their website;
The Humanitarian ID solution has been created and is maintained by the United Nations Office for the Coordination of Humanitarian Affairs (UNOCHA). OCHA freely provides the solution to the humanitarian community. The full Terms of Service for Humanitarian ID users can be found here.
The system currently has three levels of management:
- Global administration which is managed by UNOCHA in Geneva, Switzerland and New York City, USA.
- Country-level administration which is managed by UNOCHA in the respective country. If UNOCHA is not present, trusted partners can take on this role.
- Country-level editors are key, trusted members within humanitarian clusters/sectors who have the ability to edit user profiles and check-out responders who have left (but not checked-out themselves).
We also provide an organization-level management role where focal points can modify any checked-in responders related to their respective organization.
We saw two major problems with using the dominant (privately-owned) authentication services: 1) they are privately owned and we had no control over the data you would provide them, and 2) not everyone uses one of these given platforms. We wanted to provide a completely independent, non-commercial solution that has you at the heart - not a private company. Plus, we are concerned about how your data is used.
The Humanitarian ID authentication mechanism is already the authentication mechanism for the Grant Management System (GMS), ReliefWeb, HumanitarianResponse.info, HPC Projects Module, Humanitarian InSight, the IASC website and over 20 other platforms from cluster websites to further partners in the humanitarian community. We will be adding more websites on a constant basis, you can find our partners here. Also you're able to access the Emergency Telecom Cluster (ETC) Wireless LAN in Disaster and Emergency Response (Wider) communication system which gives you free access to internet if you are a verified user in Humanitarian ID!
In our Developers section you'll find the latest Documentation on authentication and our API as well as our Github wiki. Once you had a first look, send us an email and we will be in touch: firstname.lastname@example.org.
Yes! Humanitarian ID has been “open” from the very beginning. If you would like to contribute a feature (or extend) the solution, feel free to get in touch at email@example.com.