Can WebAuthn be used to identify an individual? - webapi

I'm wondering whether WebAuthn APIs can be used to identify an individual. Do any of the following hold?
Can the authenticator ever return info about the individual, e.g. first name, email, etc.?
Will the authenticator always give us the same ID back for Alice when she uses this device regardless of which website I'm requesting from?
Will different devices ever give back the same ID for the same user?

Can the authenticator ever return info about the individual, e.g. first name, email, etc.?
It can if you set personally-identifying information as the value of user.id in the options you pass to navigator.credentials.create(). This value is also referred to as the "user handle", and the spec includes a section specifically about how it is one way the API can leak personally-identifying information if you're not careful about what value you set user.id to.
Will the authenticator always give us the same ID back for Alice when she uses this device regardless of which website I'm requesting from?
The authenticator will not give back the same ID on every website. Every successful invocation of navigator.credentials.create() generates a unique credential bound to the website, meaning every website would have to use the same value for Alice's internal user ID for this to even have a chance of happening. And for any given website the authenticator only gives back the value of user.id (as passed into navigator.credentials.create()) as userHandle in the response from navigator.credentials.get() when Alice logs into that site.
Will different devices ever give back the same ID for the same user?
Different registered authenticators would give back the same ID for Alice provided you specify the same value for user.id whenever Alice registers an authenticator.
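
The advice in the answer above, sketched for the relying party's server as an added example (not code from the original answer): one random, opaque user handle per account, reused for every authenticator the account registers and mapped back from userHandle at login. UserHandleStore, is_opaque and creation_options are hypothetical names, and binary fields are base64url-encoded on the assumption that the client decodes them before calling navigator.credentials.create().

```python
import base64
import secrets

MAX_HANDLE_LEN = 64  # WebAuthn limits user.id to 64 bytes

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def is_opaque(user_id: bytes, pii_values) -> bool:
    """True if user_id fits the size limit and embeds none of the given PII strings."""
    if not 0 < len(user_id) <= MAX_HANDLE_LEN:
        return False
    return not any(p.encode() in user_id for p in pii_values if p)

class UserHandleStore:
    """In-memory stand-in for the relying party's account table (hypothetical)."""
    def __init__(self):
        self._by_account, self._by_handle = {}, {}

    def handle_for(self, account: str) -> bytes:
        # One random handle per account, reused for every authenticator it registers.
        if account not in self._by_account:
            handle = secrets.token_bytes(32)
            self._by_account[account] = handle
            self._by_handle[handle] = account
        return self._by_account[account]

    def account_for(self, user_handle_b64: str):
        # userHandle from a navigator.credentials.get() response -> account, or None.
        return self._by_handle.get(b64url_decode(user_handle_b64))

def creation_options(store, account, display_name, rp_id):
    """JSON-ready options for navigator.credentials.create(); binary fields base64url."""
    user_id = store.handle_for(account)
    if not is_opaque(user_id, [account, display_name]):
        raise ValueError("user.id must not carry identifying data")
    return {
        "rp": {"id": rp_id, "name": rp_id},
        "user": {"id": b64url(user_id), "name": account, "displayName": display_name},
        "challenge": b64url(secrets.token_bytes(32)),  # fresh per ceremony
        "pubKeyCredParams": [{"type": "public-key", "alg": -7}],  # ES256
    }
```

Because the handle is random per account and per relying party, a userHandle seen at one site says nothing about the same person at another site.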

Related

User's google calendar ID changes when primary email is updated

Essentially I've noticed that when a user's primary email is updated on their Google account, their calendar ID will also change (e.g. ID will change from john#company.com to john_new#company.com).
This is a problem because I work on an application that relies on the calendar ID being a stable identifier for users. For example, let's say user A at a company schedules an event to their calendar through my application. We'll save metadata related to that event in our own database along with user A's calendar ID to denote that the event was scheduled to that calendar. This is important because we use this information to ensure that only users with write access to this calendar ID can edit this event from our application (important for security purposes).
Let's say user A gets their primary email updated, which causes their calendar ID to also change. Now, when I query the CalendarList endpoint to get a list of user A's calendars, I get back the new calendar ID, which makes my application think that user A should not have access to edit the event they just scheduled since that event was scheduled to a calendar ID that user A no longer has access to.
Is there a way around a problem like this? I can't find an endpoint that will return user A's "archived" calendar ID in addition to their new one. More deeply, I don't understand why their calendar ID changes as it feels like IDs should be stable identifiers...
In this case, from testing and working with the Calendar API and Google Workspace, it's a fact that the Calendar ID will always be the email address of the user account it's associated with. I wish there was actual documentation, but it is only from testing that I have verified this. There are other threads that explain the same. In your situation, you should modify your app in a way that the CalendarID is not based on a stable ID, as this depends on your email address.

NoSQL query of items,lists, Groups and Users using Firebase

Am looking at the data structure in this post and want to know how you would go about getting the emails of users who belong to a certain group when they could belong to several groups and the GroupID stored against that user is the current group they are participating in?
Do you store the email addresses with the userid under the "members" or, instead, for each member of the group, get that user's email address from the "users" document userid (this would mean iterating through the group/members collection and doing a query for each user; not very efficient)?
Am used to SQL so this is all new to me.
You should have a single node for each user:
/users/UID/emails/
/users/UID/emailunread/
/users/UID/settings/
/users/UID/details/
/users/UID/payments/
So you can simply do a subscription for a singular node path, this.myDatasubscription = this.DB.list('users/' + this.uid).snapshotChanges(), ensuring changes like new emails or account settings will be detected and rolled out in real time back to the app. So if you are using Angular/ng or something similar client side, then your variables {{this.email_list}} should update in real time with no page changes.
Take a look at this one.
error: Property 'getChildren' does not exist on type 'DataSnapshot'

How to fetch email marketing insights data from Marketo using API?

I am trying to fetch the "Email Performance Report" from the platform using the API to analyze KPIs like CTR etc. by type of email (newsletter, email marketing etc.).
I went through the documentation; however, I didn't find an endpoint from which I can fetch it.
Does anyone know if there is a way to get this information?
There is no endpoint to query reports directly. However, the good news is, that the “things” that make up an “Email Performance Report”, namely: email delivery, bounce, open and click are available to query via the API.
This means that you have to build the report yourself, but you can fetch the dataset to work on.
These “things” are called activity types (activity measured on a Lead) and can be fetched by querying against the Get Lead Activities endpoint, which is also mentioned as the Query in the API docs.
It sits at the GET /rest/v1/activities.json url and you have to pass a nextPageToken and the activityTypeIds as query parameters.
The nextPageToken indicates a datetime. Activities after that date will be returned by the call. To obtain one, you have to make a call to GET /rest/v1/activities/pagingtoken.json, where you have to specify the earliest datetime to retrieve activities from. See more about Paging Tokens.
To figure out the value of activityTypeIds, you first need to get the internal Ids of the activity types you are interested in. In order to do so, you have to query the GET /rest/v1/activities/types.json endpoint and look for the activity types with names like Send Email, Email Delivered, Email Bounced, Unsubscribe Email, Open Email and Click Email. (I don't know if these Ids are changing from instance to instance, but in ours these are from #6 to #11).
Once you have all of these bits at hand, you can make your request like that:
GET https://<INSTANCE_ID>.mktorest.com/rest/v1/activities.json?activityTypeIds=<TYPE_ID>&nextPageToken=<NEXTPAGE_TOKEN>&access_token=<ACCESS_TOKEN>
The result it gives is an array with items like below. Items can be filtered to specific email based on the primaryAttributeValue property and processed further accordingly.
{
  "id": 7370416,
  "marketoGUID": "7170506",
  "leadId": 291305,
  "activityDate": "2017-12-17T00:00:00Z",
  "activityTypeId": 11, // #11 = `Click Email`
  "campaignId": 1790,
  "primaryAttributeValueId": 1638,
  "primaryAttributeValue": "EMAIL_NAME", // Name of the Email as seen in Marketo
  "attributes": [
    // …
  ]
}
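
The "build the report yourself" step from the answer above, as an added example (not code from the original answer). It prepares the activities request with the access token in an Authorization header, so the token stays out of URLs that proxies and servers log, and aggregates activity items per email. The ID-to-name mapping is an assumption taken from the order the answer lists (#6 to #11) and should be read from /rest/v1/activities/types.json for your instance; the CTR definition (unique clicking leads over delivered) and the sample items are constructed.

```python
from collections import defaultdict
from urllib.parse import urlencode
from urllib.request import Request

# Assumed mapping for one instance; look the IDs up via /rest/v1/activities/types.json.
ACTIVITY_NAMES = {6: "sent", 7: "delivered", 8: "bounced",
                  9: "unsubscribed", 10: "opened", 11: "clicked"}

def activities_request(instance_id, type_ids, next_page_token, access_token):
    """Prepare (not send) the Get Lead Activities call with header-based auth."""
    query = urlencode({"activityTypeIds": ",".join(map(str, type_ids)),
                       "nextPageToken": next_page_token})
    url = f"https://{instance_id}.mktorest.com/rest/v1/activities.json?{query}"
    return Request(url, headers={"Authorization": f"Bearer {access_token}"})

def email_performance(activities):
    """Count unique leads per metric for each email name, plus a click-through rate."""
    leads = defaultdict(lambda: defaultdict(set))
    for item in activities:
        metric = ACTIVITY_NAMES.get(item["activityTypeId"])
        if metric:  # ignore activity types outside the report
            leads[item["primaryAttributeValue"]][metric].add(item["leadId"])
    report = {}
    for email, metrics in leads.items():
        row = {name: len(metrics[name]) for name in ACTIVITY_NAMES.values()}
        row["ctr"] = row["clicked"] / row["delivered"] if row["delivered"] else 0.0
        report[email] = row
    return report

# Constructed sample shaped like the item shown in the answer: (leadId, activityTypeId).
SAMPLE = [{"leadId": lead, "activityTypeId": type_id, "primaryAttributeValue": "EMAIL_NAME"}
          for lead, type_id in [(1, 6), (1, 7), (1, 10), (1, 11), (1, 11),
                                (2, 6), (2, 7), (3, 6), (3, 8)]]

if __name__ == "__main__":
    print(email_performance(SAMPLE))
```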

Custom metric to track email opens

I am trying to track the number of email opens of a mailing.
This mailing is not personalised, so each receiver will get exactly the same email contents.
So far I have found out that I can add a tracking pixel in the mailing, which will send data to GA that a user opened the mail (images were loaded).
Example code:
<img src="http://www.google-analytics.com/collect?v=1&tid=UA-XXXXXX-X
&cid=EmailOpenTest&t=event&ec=email&ea=open&el=EmailOpenTest
&cs=newsletter&cm=email&cn=Email&cm1=1" />
'tid' will be our custom tracking ID.
This all works, as when this link is opened the total number of hits increases.
But my question relates to parameter 'cid'. For testing purposes, I have set this here to "EmailOpenTest". But this should be a random/unique ID per user actually. But as the mailing is not personalised, I wonder if it would be possible to track individual users?
Does this mean I have to include javascript in the mail? Would that even work in all email clients? Or are there other options?
All suggestions are welcome.
Assumption: you are using a mail client like Mail Chimp
Assign a unique id to every email on the email list. Let's say this unique id is uid.
Create a custom dimension in GA; let's name it Client Mail Id, with index, say, 1.
Create the same pixel just like you have created above in the OP.
Add a custom Dimension in the hit as
http://www.google-analytics.com/collect?v=1&tid=UA-XXXXXX-X
&cid=EmailOpenTest&t=event&ec=email&ea=open&el=EmailOpenTest
&cs=newsletter&cm=email&cn=Email&cm1=1&cd1=uid
In place of uid, you actually need to pass the mail list unique id for that email
How it will work
Once the user sends this hit, your unique id will be recorded in custom dimension 1.
Generate a custom report in GA with event category=email & event action=open and add a dimension custom dimension 1.
All the id's displayed there have actually opened the email ;)
PS: It's tried and tested, so won't cause any issue. Also if you don't want to use custom dimensions, you can also send this id in event label or event value
PPS: In any mail client, getting a unique value for that email is pretty easy. You can actually use its position number or add another column for the unique id, then grab that id in the template.
The cid is the clientId, an identifier that is used to aggregate pageviews into sessions, and sessions into unique users.
The way to use that in email-tracking would be to capture the client id when a user subscribes to your newsletter and then insert it into the email links. Since your mails are not personalized this will not work.
If you use a random ID you will not be able to link the request from the mail to an existing user. So one way to deal with the problem would be to ignore it - using a constant userId would still give you an event count (the unique events metric might be a little off if users click the link multiple times within a session lifetime).
If for some reason you absolutely need to track these as different users you can set up a redirect - do not send data to ga directly from your mail, instead call a script on your server that inserts a random clientId and then sends the data to Google.

How to send Measurement Protocol if there is no ClientID?

I need to send Measurement Protocol hits, but the ClientID cookie may not exist. ClientID is a required parameter. What to do in this case? Generate it? In which way?
(I need to do it in PHP)
The clientId is used to tie up the session. You can post a dummy clientId as a UUID, but the event will be stored in a new session. Take a look at the Client Id section within Measurement Protocol - more information on UUID can be found inside of A Universally Unique IDentifier (UUID) URN Namespace.
If you are working with a User (as opposed to standard) View, the UserId can be used to tie multiple sessions together, providing the UserId (UID) matches.
If anyone else has the problem that hits won't get registered if cid is empty, I just found out that the docs are wrong:
Client ID: Optional. This field is required if User ID (uid) is not specified in the request.
cid is always required, even if uid is set. Otherwise the hit won't get registered.
