Simple Steps to Increase Security

The EVRYTHNG Platform includes a number of features that allow you to increase the security and integrity of the data you store. Although the security model of the Platform is already a solid foundation to build on, these features protect against some of the more accidental or human-based attacks, such as spoofing, inadvertent elevation of privileges, and unguarded browser sessions.

The features below help you secure your own EVRYTHNG Dashboard accounts, and should be applied in addition to industry-standard security measures.


Correct Use of API Keys

The EVRYTHNG Platform makes use of five different kinds of API key. Each kind grants only the privileges needed by the context or app component that uses it, so choosing the correct key, with the least privilege the component requires, is central to a robust and secure EVRYTHNG implementation.

For example, a mobile app does not need to manage account-level resources the way an Operator user does, so the Application API Key is the appropriate choice: it only allows access to operations and resources that apply to applications, such as Application User creation.

These different API keys and what they are permitted to access are described in detail on the API Key Scopes and Permissions page. In summary, they should be used in accordance with the following guidelines:

Operator API Key - Secret

Administration of account-level resources by authorized individuals, such as setting up new roles and permissions.

Not for use in user-accessible code or scripts (e.g. web pages). It is also good practice to rotate this key on a regular basis.

Application API Key - Public

Use in mobile applications, web apps, etc. that require the ability to create and manage Application Users from a client context, as opposed to a server-side context.

May be used in publicly accessible places, but should be obfuscated as much as is reasonably practicable. Treat any key that ships to a client as recoverable by an attacker: obfuscation only raises the effort needed to extract it, and its real protection is its limited scope.

Trusted Application API Key - Secret

Secret counterpart to the Application API Key, enabling a private server-side application component to perform higher-level operations (for example, managing products or Thngs) on behalf of the application itself.

Not for use in user-accessible code or scripts (e.g. web pages).

Application User API Key - Secret

Granted to each Application User when they create their account, or when they log back into an application after previously logging out. This key is private to that user and should be used to access only their own resources, as scoped and permitted by the account administrator Operator.

This key should be stored securely within the application or accessing device, and never displayed, logged, or transmitted in plaintext. It is reset when the user logs out, which invalidates any copy that may have leaked during the session.

Device API Key - Secret

Similar to the Application User API Key, but specifically allows a connected device to read and modify its own Thng resource and properties, and nothing more.

This key should be stored securely within the physical device, and never displayed, logged, or transmitted in plaintext.
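The guidance above boils down to one rule: the Operator and Trusted Application keys must never end up in anything shipped to users. A build-time check is the practical way to enforce it. The following is an added example, not EVRYTHNG code, that scans the artifacts of a client build for those two keys in plain, base64, base64url and hex form and fails the build if any are found. The key values, file names and file contents are all constructed stand-ins; in a real pipeline the secret values come from the CI secret store, not from source control.

```python
"""Build-time leak check for secret EVRYTHNG API keys.

Added example, not EVRYTHNG code.  Scans client build artifacts for the
Operator and Trusted Application keys, which must never reach
user-accessible code, and fails the build if one is present in plain,
base64, base64url or hex form.  All values below are constructed.
"""
import base64
from typing import Dict, List, Tuple

# Constructed stand-ins for the two secret keys.  In a real pipeline these
# are read from the CI secret store, never hard-coded or committed.
SECRET_KEYS: Dict[str, str] = {
    "OPERATOR_API_KEY": "OPERATOR-KEY-constructed-0123456789abcdef",
    "TRUSTED_APPLICATION_API_KEY": "TRUSTED-KEY-constructed-fedcba9876543210",
}
# The Application API Key is public by design and may ship in client code.
PUBLIC_APP_KEY = "APP-KEY-constructed-public-00001111"


def encoded_forms(secret: str) -> Dict[str, bytes]:
    """Encodings in which a developer or bundler commonly 'hides' a string."""
    raw = secret.encode()
    return {
        "plain": raw,
        "base64": base64.b64encode(raw),
        "base64url": base64.urlsafe_b64encode(raw).rstrip(b"="),
        "hex": raw.hex().encode(),
    }


def find_leaks(artifacts: Dict[str, bytes],
               secrets: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return one (artifact path, key name, encoding) per secret found.

    Only the first matching encoding is reported for a given file and key,
    so a base64 hit is not also reported again as its base64url prefix.
    """
    hits: List[Tuple[str, str, str]] = []
    for path, data in sorted(artifacts.items()):
        for name, value in secrets.items():
            for form, needle in encoded_forms(value).items():
                found = needle in data
                if form == "hex" and not found:
                    found = needle.upper() in data  # hex may be upper-cased
                if found:
                    hits.append((path, name, form))
                    break
    return hits


def build_is_clean(artifacts: Dict[str, bytes], secrets: Dict[str, str]) -> bool:
    """CI gate: True only when no secret key is present in any artifact."""
    return not find_leaks(artifacts, secrets)


# Constructed client bundle: the public key is fine, but one file carries the
# Trusted Application key 'hidden' in base64 and another the Operator key.
CLIENT_BUNDLE: Dict[str, bytes] = {
    "dist/app.js": (
        b"const EVT_APP_KEY = '" + PUBLIC_APP_KEY.encode() + b"';\n"
        b"const TRUSTED = atob('"
        + base64.b64encode(SECRET_KEYS["TRUSTED_APPLICATION_API_KEY"].encode())
        + b"');\n"
    ),
    "dist/config.json": (
        b'{"operatorKey": "' + SECRET_KEYS["OPERATOR_API_KEY"].encode() + b'"}\n'
    ),
    "dist/index.html": b"<script src='app.js'></script>\n",
}

if __name__ == "__main__":
    for path, name, form in find_leaks(CLIENT_BUNDLE, SECRET_KEYS):
        print(f"LEAK: {name} found in {path} ({form})")
    raise SystemExit(0 if build_is_clean(CLIENT_BUNDLE, SECRET_KEYS) else 1)
```

Run it as the last step of the client build with the real artifact directory read into the `artifacts` mapping; a non-zero exit blocks the release. Because the check matches on the secret values themselves, it catches the common "hide it in base64" mistake that a plain grep for the key would miss, while the Application API Key passes untouched.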


Enabling 2FA (Two-Factor Authentication)

Two-Factor Authentication (2FA) is an additional layer of security that we strongly advise you to apply to your EVRYTHNG Dashboard account. Once enabled, any common ‘authenticator’ mobile app provides a time-limited, single-use code that you enter each time you log in. A password alone is then no longer enough: anyone who does not also have the device running the ‘authenticator’ app is denied access.

Enabling 2FA on your EVRYTHNG account is simple. Just follow these steps:

  1. Log into the EVRYTHNG Dashboard with the user account you wish to enable 2FA on.
  2. Once logged in, click the ‘User Settings’ item in the top-right user menu.
  3. In the ‘Security’ section, click the padlock on the right to edit the security settings.
  4. Press ‘Enable’ under ‘Two-factor Authentication’.
  5. Follow the on-screen instructions to set up your ‘authenticator’ mobile app. We recommend one such as Google Authenticator, which is easy to use.

Take reasonable precautions to ensure the device running the ‘authenticator’ app is not lost or stolen. If it is, contact us as soon as possible so we can help you reset your 2FA settings.


Enforcing 2FA for Shared Accounts

The additional security benefit of enabling 2FA for your own account (described in the previous section) can be extended to every Operator user added to your account as a collaborator. Simply follow these steps:

  1. Log into the EVRYTHNG Dashboard as the administrator Operator user for the shared account you wish to enable 2FA on.
  2. Once logged in, click the ‘Account Settings’ item in the top-right user menu.
  3. In the ‘Security’ section, click the padlock on the right to edit the security settings.
  4. Press ‘Enable’ under ‘Two-factor Authentication’.

2FA is now enforced for the account: every collaborating user must have 2FA enabled on their own account in order to continue accessing your shared resources and data.


Setting the Session Timeout

In addition to 2FA, the ‘Account Settings’ section of the EVRYTHNG Dashboard lets you enforce a session timeout of up to 48 hours. Once the selected duration has passed since an Operator user logged into the account in question, they are automatically logged out and must log in again.

This additional layer of security is useful if a device used to access the account is lost, stolen, or damaged and you are unable to revoke access remotely: any session left open on it expires on its own. The shorter the timeout, the smaller that window. To enable this feature, follow these steps:

  1. Log into the EVRYTHNG Dashboard as the administrator Operator user for the shared account you wish to enable the session timeout on.
  2. Once logged in, click the ‘Account Settings’ item in the top-right user menu.
  3. In the ‘Security’ section, click the padlock on the right to edit the security settings.
  4. Under ‘Session timeout’, choose the desired hours and minutes after which users will be required to log in again.
  5. Click ‘Update’ to apply the changes.

Using Our Security Certificates

TLS (Transport Layer Security) is now enforced for all our API endpoints. In some situations you may need to provide a security certificate manually in order to connect over TLS (HTTPS, WSS or MQTTS). Web browsers and mobile devices handle this for you through their built-in trust stores, but embedded devices and devices with limited storage often do not.

You can find the EVRYTHNG security certificates on the Security page, alongside a SHA256 hash with which to verify the integrity of the download before you embed it. To avoid locking your devices out when we deprecate a certificate, embed all the certificates we provide and not just the current one. How these certificates are installed varies between devices and applications, so consult the documentation of your platform; the Mosquitto MQTT tool, for example, accepts the CA bundle as a file on the command line.
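Two checks are worth automating before a bundle is baked into firmware: that the download matches the published SHA256 hash, and that it actually contains more than one certificate. The following added example (not EVRYTHNG code) does both and then shows how a verified bundle is handed to Python's TLS stack for HTTPS, WSS or MQTTS. The PEM blocks in it are constructed placeholders rather than real certificates, and the "published" hash is computed from them to stand in for the value on the Security page, so `tls_context()` is shown but not invoked on the sample.

```python
"""Checking a downloaded CA bundle before embedding it in a device.

Added example, not EVRYTHNG code.  Verifies the download against the
SHA256 hash published alongside it, confirms the bundle holds more than one
certificate (so a deprecation does not lock the device out), and shows how
the verified bundle is handed to Python's TLS stack.  The PEM blocks are
constructed placeholders, not real certificates.
"""
import hashlib
import hmac
import re
import ssl
from typing import List

PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----\r?\n.*?-----END CERTIFICATE-----", re.S
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def split_pem_bundle(bundle: bytes) -> List[bytes]:
    """Return each PEM certificate block in the bundle, in order."""
    return PEM_CERT.findall(bundle)


def verify_bundle(bundle: bytes, published_sha256: str, min_certs: int = 2) -> List[bytes]:
    """Integrity check: compare the download's SHA256 with the published
    hash, then refuse bundles that carry only a single certificate."""
    actual = sha256_hex(bundle)
    if not hmac.compare_digest(actual, published_sha256.strip().lower()):
        raise ValueError(f"bundle SHA256 mismatch: expected {published_sha256}, got {actual}")
    certs = split_pem_bundle(bundle)
    if len(certs) < min_certs:
        raise ValueError(
            f"bundle has {len(certs)} certificate(s); embed all of them, not only the current one"
        )
    return certs


def tls_context(verified_bundle: bytes) -> ssl.SSLContext:
    """Client context that trusts only the embedded bundle (HTTPS/WSS/MQTTS).
    Needs real certificates, so it is not called on the constructed sample."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cadata=verified_bundle.decode("ascii"))
    return ctx


# Constructed two-certificate bundle (placeholder base64, not real DER).
SAMPLE_BUNDLE = (
    b"-----BEGIN CERTIFICATE-----\n"
    b"Q29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgZm9yIHRoZSBjdXJyZW50IENB\n"
    b"-----END CERTIFICATE-----\n"
    b"-----BEGIN CERTIFICATE-----\n"
    b"Q29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgZm9yIHRoZSBuZXh0IENB\n"
    b"-----END CERTIFICATE-----\n"
)
# Stands in for the hash printed on the Security page next to the download.
PUBLISHED_SHA256 = sha256_hex(SAMPLE_BUNDLE)

if __name__ == "__main__":
    certs = verify_bundle(SAMPLE_BUNDLE, PUBLISHED_SHA256)
    print(f"bundle verified, {len(certs)} certificates embedded")
```

Copy the verified bundle onto the device as-is and point the client at it; with the Mosquitto tools that is the `--cafile` option (for example `mosquitto_sub --cafile evrythng-ca.pem ...`). Take the published hash from the Security page over a connection you already trust, since a hash fetched alongside a tampered download proves nothing.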
