RapID Secure Login FAQs

Operation

My subscribers may have accounts on several WordPress sites that use the RapID-SL plugin. Can they use the RapID-SL app to log in to these sites?

Yes - when the RapID Secure Login app scans a site's QR code, it automatically authenticates them with the credential that relates to that specific site.

Some of my subscribers may have more than one account on my WordPress site. Can they use the RapID-SL app to log in?

Yes - when the RapID Secure Login app sees that there is more than one credential for the site on the mobile device, it lets them choose the one to use.

Is it possible to have the RapID-SL app on more than one device to log in securely to one account on my WordPress site? E.g. A phone and a tablet.

Yes - the subscriber can go to the WordPress site's My Profile page and use the RapID icon there to collect another credential for their second device.

What happens if a subscriber loses their phone?

Their account is secure: the credential on the device cannot be used by another person because it is protected by their fingerprint or PIN.

Once they have obtained a replacement phone, they will need to log on to your site to collect a new credential from the My Profile page.
If they already have another device with the RapID Secure Login app and access to the site, they can log in with that. Otherwise, they will need to log in with their old password if your site supports it.

Note that you can disable passwords on your WordPress site. If you choose to do this, it becomes advisable for your subscribers to set up an alternative device to cover this scenario and avoid the need to set up a new account on your site.

What should a subscriber do if they forget their PIN or lock out their PIN on the RapID-SL app?

For security reasons, we do not support PIN reset. The user must therefore request a new credential as though the device were lost.

Can the RapID service be used to wipe the data on subscriber devices if a device is reported as lost?

This is not a function of the RapID service – third-party commercial offerings are available for this.

Can a mobile device with a RapID-SL credential allowing access to my site be blocked?

Yes - your subscriber can do this themselves by logging in to their account, editing their WordPress profile and removing a specific enrolled device from their account.

As the site administrator, you can also do this from the WordPress dashboard.

Can my subscribers still log in if the RapID service goes down?

Yes - the RapID service is only used for creating a credential when a subscriber enrolls. At the point of authentication, all messages are purely between the RapID Secure Login app and your WordPress site.

Installation and Configuration - WordPress Plugin

Why do I need to set a site name in RapID Settings?

This is the name that will be seen in the 'Sites' list in the RapID Secure Login app. It's best to keep it short but meaningful.

The WordPress plugin will not activate - it complains about a parse error on Rapid.php line 5

This is caused by running an old version of PHP on your hosting site. You must have at least PHP version 5.5 to support RapID. PHP 5.6 or newer is recommended (as version 5.5 is no longer an officially supported version and is therefore at risk from unpatched security vulnerabilities).

Parsing and saving of certificate files failed. What should I do?

The RapID Secure Login plugin uses openssl to parse certificates. This requires a configuration file (openssl.cnf) to be present. You can either supply your own version of this file or rename sample-openssl.cnf in the certs directory to openssl.cnf.

Security and Privacy

Does the RapID Secure Login app store my passwords?

No - the RapID Secure Login app uses cryptographic keys instead of your passwords. A different private key is generated on the phone for each account, and a certificate is created by the RapID service, with a random anonymous identifier. This identifier is linked to your WordPress account. When you log in, the app cryptographically signs a random challenge from the website, which then validates the signature and logs the corresponding user in.

Can my login authorization be replayed?

Each login operation is a one-time function. The same authentication cannot be re-used. Each logon challenge is generated randomly and has a short expiration. Once used, it is invalidated.
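
The signed-challenge login and the one-time, short-lived challenge described in the two answers above can be modelled as follows. This is an added example, not RapID's code or wire protocol: the Ed25519 signature scheme, the one-minute lifetime and the names Store, Issue and Verify are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Store holds outstanding challenges (challenge -> expiry). All names are hypothetical.
type Store struct {
	ttl     time.Duration
	pending sync.Map
}

// Issue is the site's side: create a random challenge for the app to sign.
func (s *Store) Issue(now time.Time) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err) // never fall back to a guessable challenge
	}
	s.pending.Store(string(c), now.Add(s.ttl))
	return c
}

// Verify consumes the challenge atomically before any other check, so it is single-use.
func (s *Store) Verify(pub ed25519.PublicKey, c, sig []byte, now time.Time) error {
	exp, ok := s.pending.LoadAndDelete(string(c))
	switch {
	case !ok:
		return errors.New("challenge unknown or already used")
	case now.After(exp.(time.Time)):
		return errors.New("challenge expired")
	case !ed25519.Verify(pub, c, sig):
		return errors.New("signature invalid")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // per-account key pair held by the app
	s, now := &Store{ttl: time.Minute}, time.Now()
	c := s.Issue(now)
	sig := ed25519.Sign(priv, c) // the app's side: sign the challenge
	fmt.Println("first use:", s.Verify(pub, c, sig, now))
	fmt.Println("replay:   ", s.Verify(pub, c, sig, now))
}
```

Because the challenge is removed before the signature is checked, a failed attempt also burns it, and the client has to request a fresh one.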

How does the RapID Secure Login app protect the credentials on a user's mobile device?

The app uses a combination of operating system features of the mobile device along with additional security measures that we have added. This ensures that the keys can only be accessed after the user has successfully provided the second factor (either a PIN or a fingerprint).

RapID Account Administration

You gave me some free licenses when I signed up. How do I purchase additional licenses?

When you register a site, we issue free licenses to get you started. You can log on to the RapID Portal using the RapID Secure Login app and the credential that you use for your WordPress site. This will take you to the RapID dashboard where you can purchase additional licenses.

Will you notify me when I'm running low on licenses?

Yes. When you are running low on licenses, we will send daily emails to all the primary contacts for your RapID account. By purchasing additional licenses you can ensure that your subscribers are able to obtain the credentials they need to access your website.

What is a primary contact?

The person who installed and configured the RapID Secure Login WordPress plugin is a primary contact for the RapID account associated with that site. They can log on to the RapID Portal and add further administrators with up to three being marked as primary contacts.

We recommend that you visit the RapID Portal and set up at least two primary contacts for your website. Doing this allows you to be self-sufficient regarding credential replacements should you lose your mobile device with the RapID credential.

How do I replace a lost credential for the RapID portal?

Go to the Credential Replacement page of the RapID portal and follow the instructions on screen to replace your RapID portal credential.

Where can I find more information?

You can find more information on the RapID forum.