3 steps to enforce your Intercom integration security

Intercom is a fantastic tool for managing customer relationships, and a cornerstone of our support and onboarding process.

We at SalesTim know you care about how your personal information is used and shared, and we take your privacy seriously by implementing the most rigorous practices for our third-party integrations.

Discover 3 easy-to-implement steps to enforce security on your Intercom integration.

Step | Action                            | Check
1    | Require two-factor authentication | Intercom 2FA badge
2    | Whitelist your domains            | Intercom verified domains badge
3    | Enable identity verification      | Intercom identity verification badge


1. Require two-factor authentication


If you select the two-factor authentication… option, each time you log in you will need to enter your password and provide a unique code.

How to set it up?

Choose the ‘Require two-factor authentication’ option and click ‘Save’:

[Image: Intercom 2FA]

Download the Microsoft Authenticator App…
You’ll be asked to scan a QR code on your screen:

[Image: Intercom QR Code]

The next time you log in, you’ll need to enter your password and then a code generated by the authentication app on your smartphone.

Important: When you set up 2FA you’ll be given the option to generate recovery codes. We recommend generating recovery codes to avoid potentially being locked out of your account. You’ll also need a recovery code to disable 2FA (for example, if you’re switching phones).

Learn more about Intercom 2FA…


2. Whitelist your domains


We created a whitelist of specific SalesTim domains that the Intercom Messenger can be seen on.

Benefit: The Intercom Messenger will only appear on these domains, so it won’t appear in unintended locations.

How to set it up?

Just add your domains to the whitelist from your messenger settings:

[Image: Intercom domain whitelisting]

Learn more about Intercom domain whitelisting…


3. Enable identity verification


Benefit: Identity Verification helps us to make sure that conversations between you and us are kept private and that one user can’t impersonate another.

Identity Verification works by using an HMAC (hash-based message authentication code) generated on the server side with SHA256. Ours is implemented using the Node Crypto API.

Then, everywhere that you load user data and have a window.intercomSettings code snippet, add a new attribute called user_hash and assign the HMAC code for the logged-in user to it:

window.intercomSettings = {
  app_id: "APP_ID",
  user_id: "USER_ID",
  user_hash: "INSERT_HMAC_VALUE_HERE"
}
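The server-side half of this step, as an added example (not SalesTim's or Intercom's own code): it computes user_hash with the Node Crypto API and shows that a hash issued for one user does not validate for another. It assumes the HMAC is keyed with the workspace's identity verification secret and computed over the user_id; the function names, the session user shape and the sample secret are hypothetical.

```javascript
const crypto = require('crypto');

// HMAC-SHA256 of the user identifier, keyed with the identity verification
// secret, hex-encoded. The secret stays on the server and never reaches the browser.
function intercomUserHash(secret, userId) {
  if (!secret) throw new Error('identity verification secret is not configured');
  if (userId === undefined || userId === null || userId === '') {
    throw new Error('refusing to sign an empty user_id');
  }
  // String() so a numeric database id hashes the same as the id sent to the client.
  return crypto.createHmac('sha256', secret).update(String(userId)).digest('hex');
}

// Constant-time comparison of a presented hash against the expected one
// (an illustration of what the verifying side checks).
function verifyUserHash(secret, userId, presentedHash) {
  const expected = Buffer.from(intercomUserHash(secret, userId), 'hex');
  const presented = Buffer.from(String(presentedHash), 'hex');
  return presented.length === expected.length &&
    crypto.timingSafeEqual(presented, expected);
}

// Build the settings for the logged-in user taken from the server session,
// never from an id supplied by the client.
function buildIntercomSettings(appId, sessionUser, secret) {
  const userId = String(sessionUser.id);
  return { app_id: appId, user_id: userId, user_hash: intercomUserHash(secret, userId) };
}

// Serialize for an inline <script>; escaping "<" stops a value such as
// "</script>" from closing the tag early.
function renderSettingsScript(settings) {
  const json = JSON.stringify(settings).replace(/</g, '\\u003c');
  return `<script>window.intercomSettings = ${json};</script>`;
}

// Constructed sample values; a real secret comes from a secret store or env var.
const SAMPLE_SECRET = 'constructed-sample-secret';
const settings = buildIntercomSettings('APP_ID', { id: 1001 }, SAMPLE_SECRET);
console.log(renderSettingsScript(settings));
// The hash issued for user 1001 is rejected when presented for user 1002.
console.log(verifyUserHash(SAMPLE_SECRET, '1002', settings.user_hash));
```
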

How to set it up?

Just turn it on from your workspace settings and follow the instructions for your app:

[Image: Intercom identity verification]

Learn more about Intercom identity verification…


To go further

Intercom offers a lot of options to enforce your security, so these 3 easy-to-implement steps are just the beginning of an epic journey.

Here are a few other areas of investment that we’re currently working on and that may interest you, so stay tuned for later posts.

a. Create a test workspace

Set up an Intercom test workspace in your development / staging environment to be sure it’s working correctly before putting it live.

[Image: Intercom test workspace]

Benefits:

  • Enforce isolation between your test and production environments
  • Be sure it’s working correctly before putting it live

Learn more about Intercom test workspace…

b. GDPR

In addition to security, and even if Intercom complies with GDPR, you’ll have to work on an automated process to link your GDPR process with Intercom and other third-party services…


Founder @ SalesTim. Entrepreneur, Learner, Speaker, Geek & Microsoft Teams / Office 365 MVP.