FAQ

Operation

Can I log in to more than one account on each site?

Yes – when RapID-SL sees that you have more than one credential on your phone for the site, it lets you choose the one you want.

What happens if I lose my phone?

At present, it is important that you keep a record of your original password, or that you are able to request an administrator reset from the sites you register with. You can also have the app on more than one phone of course! Then you can log in again and re-register with your new phone. We do intend to introduce a secure, managed recovery service in the near future to make this even simpler.

Can I still log in if the RapID service goes down?

Yes – the RapID Service is only used for creating your user credentials when you enrol. At the point of authentication, all messages are purely between the app and the WordPress site.

Can I un-authorize a phone from my accounts?

Yes – just log in to your account, edit your WordPress profile and you can remove enrolled phones from your account. The site administrator can also do this on your behalf.

 

 

Installation and Configuration – WordPress Plugin

Why do I need to set a site name in RapID Settings?

This is the name that will appear in the ‘Sites’ list in the app. It’s best to keep it short but meaningful.

Where do I get the trusted certificate and server credential files?

To get these files, you need to sign up for a RapID service account, which entitles you to a number of free credentials. Once you have registered, you can download these files, which are unique to your account.  At present, the main site administrator needs to install the RapID Connect app as well to manage your RapID account. Subscribers of course don’t need to do this.

The WordPress plugin will not activate – it complains about a parse error on Rapid.php line 5

This is caused by running an old version of PHP on your hosting site. You must have at least PHP version 5.5 to support RapID SL.
PHP 5.6 or newer is recommended (as version 5.5 is no longer an officially supported version and is therefore at risk from unpatched security vulnerabilities).

I cannot import my Server PFX file

This can be caused by an incorrect PFX file password, but will also appear if your host does not have OpenSSL support installed correctly. When this happens, the RapID Service Certificate will be shown as OK, but the service key will report as ‘Missing’.

 

Security and Privacy

Does RapID-SL store my passwords?

No – RapID-SL uses cryptographic keys instead of your passwords. A different private key is generated on your phone for each account you have, and a certificate is created for you by the RapID service, with a random, anonymous identifier. This identifier is linked to your WordPress account. When you log in, the app cryptographically signs a random challenge from the website, which then validates the signature and logs the session in as the corresponding user account.

Does RapID-SL collect and share any personal information?

If you wish, you may set your name, email address, a name for your phone and some other details in the ‘Info’ tab of the app. This information is stored on your phone to be used when you register with a WordPress site. The information to be transmitted is shown on your screen before you agree to send it, so you are in full control. Your personal information is not shared with the RapID service itself or any other 3rd party. It is quite possible to use RapID-SL without filling in any personal information.

Can my login authorization be replayed?

Each login operation is a one-time function. The same authentication cannot be re-used.  Each logon challenge is generated randomly and has a short expiration.  Once used, it is invalidated.
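
The challenge lifecycle described in this section (a random challenge signed by the app, usable once, with a short expiration), as an added example that is not RapID-SL's own code. The class and variable names, the 60-second lifetime, the in-memory array and the bare EC public key used in place of the certificate are assumptions; it needs PHP 7.1 or newer with the OpenSSL extension.

```php
<?php
// Added illustration, not RapID-SL plugin code; all names are hypothetical.
final class ChallengeStore
{
    private $pending = [];   // challenge => expiry time; stands in for server-side storage
    private $ttl;

    public function __construct(int $ttlSeconds) { $this->ttl = $ttlSeconds; }

    // Issue a fresh random challenge with a short lifetime.
    public function issue(int $now): string
    {
        $challenge = bin2hex(random_bytes(32));
        $this->pending[$challenge] = $now + $this->ttl;
        return $challenge;
    }

    // Accept a response only for a known, unexpired, not-yet-used challenge.
    public function verify(string $challenge, string $sig, string $publicKeyPem, int $now): bool
    {
        if (!isset($this->pending[$challenge])) {
            return false;                      // never issued, or already consumed
        }
        $expires = $this->pending[$challenge];
        unset($this->pending[$challenge]);     // invalidate first, so any retry is a replay
        if ($now > $expires) {
            return false;                      // presented after the expiry window
        }
        return openssl_verify($challenge, $sig, $publicKeyPem, OPENSSL_ALGO_SHA256) === 1;
    }
}

// Constructed demo: an EC key pair stands in for the phone's per-account key.
$phoneKey = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'prime256v1']);
$publicPem = openssl_pkey_get_details($phoneKey)['key'];
$store = new ChallengeStore(60);
$t0 = 1700000000;                              // constructed clock value

$c1 = $store->issue($t0);
openssl_sign($c1, $sig1, $phoneKey, OPENSSL_ALGO_SHA256);
var_dump($store->verify($c1, $sig1, $publicPem, $t0 + 5));    // fresh challenge, first use
var_dump($store->verify($c1, $sig1, $publicPem, $t0 + 6));    // same response sent again

$c2 = $store->issue($t0);
openssl_sign($c2, $sig2, $phoneKey, OPENSSL_ALGO_SHA256);
var_dump($store->verify($c2, $sig2, $publicPem, $t0 + 61));   // valid signature, but too late
var_dump($store->verify($store->issue($t0), $sig1, $publicPem, $t0 + 1)); // old signature, new challenge
```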