Security Features
Overview
MyClient makes a number of security features available for your peace of mind. This article presents a noncomprehensive overview of certain security features in MyClient.
Operator security
IP whitelisting and Intrusion alerts
Operators may configure a whitelist of allowed IP addresses from which MyClient will allow them access. Operators may opt to recieve email alerts for every successful and unsuccessful login.
Two-factor authentication
MyClient supports two-factor authentication using the TOTP standard. This allows you to require a second verification when logging in with your password, securing you even in the case of a hijacked password. For more information, see Two-factor Authentication »
Single-use codes, and login via Email/SMS
Experience has shown us that technicians often use MyClient in the field or at a customer's site to make changes on the fly. However, it would be inadvisable to enter your password on an untrusted computer in case of keyloggers or other malware.
MyClient allows you to pre-register single-use login codes from the Account page, or securely register a new login code at any time from the login screen via email or SMS verification.
If two-factor authentication (TOTP) is enabled as above, this is still required to be met at first login.
Administrators may configure the expiry time for single-use codes from the Manage System Behaviour page > System Users tab > "Expiry time for single-use logon codes" option. It is recommended to couple this with other security enhancements e.g. disabling the "Allow login from multiple locations simultaneously" option, to ensure that accounts are not mistakenly left logged in at remote sites.
Hashed passwords
MyClient employs industry best practices to maintain password security. Passwords are salted and hashed using 448-bit bcrypt with a strong work-factor parameter. We also make PBKDF2-SHA256 available for licensees who require specific regulatory compliance (e.g. NIST SP 800-132).
If an account was imported from an AhsayOBS SubAdmin, then it maintains the weak unsalted MD5 hash format only until first login, when the security is upgraded to bcrypt as above. This maximises security while still preserving imported passwords. MyClient supports importing passwords in a variety of formats, including ASP.NET MVC's hash format - please contact support if you wish to arrange importing legacy accounts.
Password policies
Administrators may configure password rotation policies for all system operators. Both soft and hard password expiry dates can be configured, along with length and complexity requirements. Please contact us if you have further requirements.
Staff and reseller accounts with passwords contravening the password rotation policy will be required to change their password at next login.
CAPTCHA after repeated invalid password attempts
Administrators may configure MyClient to prompt for image verification after a configurable number of invalid password attempts from a single IP within a configurable duration.
Idle timeout
Administrators may configure the timeout before which a system operator is logged out. This option is available from the Manage System Behaviour page > System Users tab > "Log out inactive system users after" option.
Audit trail and Event handlers
All operator login events are logged for administrative review on the System Notifications page along with IP address. Administrators may search the notification history and set up automated handlers to flag unusual activity (e.g. logins outside business hours).
MyClient Enterprise licensees may also use the Event Handler system to manage account logins. For instance, you may configure event handlers to log out all system operators at 5 pm, or prevent logins during certain time periods.
AhsayOBS Server security
Password encryption
For technical reasons, AhsayOBS server passwords are required to be stored with reversible encryption. AES256 is used with a random key. Key management is arranged so that a breach of either database or software alone would be insufficient to retrieve the password.
Server-side security with URL rewriting
You may employ URL rewriting on your AhsayOBS server to avoid supplying your AhsayOBS passwords to MyClient. You can specify a custom code to send in the User-Agent header on the Manage System Users page that, when coupled with MyClient's IP address, initiates pre-filling AhsayOBS credentials without ever exposing them to MyClient.
For more information, please see Using URL Rewrite for API connections ».
Audit trail and Event handlers
All direct logins to the AhsayOBS server are logged on the System Notifications page. MyClient Enterprise customers may use the Event Handler system to subscribe to emails or other alerts when a user logs in to the AhsayOBS server.
Customer account security
Retrieve passwords in an emergency
It is possible for MyClient to store customer account passwords. You can enter passwords yourself, or choose to store account passwords when new accounts are created from within MyClient. This allows you to retrieve customer passwords in the event of an emergency. All customer password retrievals require you to re-enter your MyClient password to provide non-passive authentication.
This again requires the use of reversible encryption. AES256 is used with a random key. Key management is arranged so that a breach of either database or software alone would be insufficient to retrieve the password.
Bruteforce protection
After five failed login attempts to the Customer Portal or the Secure Login Form from a given IP address, the target IP address is blocked and a notification is sent to the configured administrative contact. The user must either wait for a timeout, or contact an administrator to clear the block.
Application security
A comprehensive permissions infrastructure ensures that no feature is available unless you allow it. All MyClient installations require HTTPS, allowing secure use from trusted devices on untrusted networks.
Further information
We are happy to discuss specific details of our security architecture with interested professionals. For more information, please Contact Us ».