Simple Steps to Increase Security
The EVRYTHNG Platform includes several features that allow you to increase the security and integrity of the data you store. Although the Platform's security model is already a solid foundation to build on, these features add protection against accidental misuse and human-driven attacks, such as spoofing, the inadvertent elevation of privileges, unguarded browser sessions, and more.
These security features are discussed below to help you secure your own EVRYTHNG Dashboard accounts. We recommend you use them in addition to industry-standard security measures.
Correct Use of API Keys
The EVRYTHNG Platform uses five different API keys. These keys allow specific privileges for those contexts and app components that require them. Using the correct key with the appropriate level of privileges is important in creating a robust and secure EVRYTHNG implementation.
For example, a mobile app won’t need to manage account-level aspects that an Operator user would, therefore the Application API Key is the appropriate choice because it allows access only to operations and resources that apply to applications, such as Application User creation.
These API keys and what they may access are described on the API Key Scopes and Permissions page. In summary, they must be used under these guidelines:
Operator API Key - Secret
Administration of account-level resources by authorized individuals, such as setting up new roles and permissions.
Not for use in user-accessible code or scripts (for example, web pages). It is also a good practice to reset this key regularly.
Application API Key - Public
Use in mobile applications, web apps, and so on that require the ability to create and manage Application Users from a client context, as opposed to a server-side context.
May be used in publicly accessible places, but we recommend you obfuscate it when practical.
Trusted Application API Key - Secret
Secret counterpart to the Application API Key, enabling a private server-side application component to perform higher-level operations (manage products or Thngs) on behalf of the application.
Not for use in user-accessible code or scripts (for example, web pages).
Application User API Key - Secret
Granted to each Application User when they create an account or log into an application after logging out. This API key is private to each user. It's used to access their own resources as scoped and permitted by the account Operator.
This key must be securely stored within the application or accessing device and never be displayed, stored, or transmitted in plain text. This key is reset upon user logout.
Device API Key - Secret
Similar to the Application User API Key but specifically allows a connected device to access and change only its own Thng resource and properties.
This key must be securely stored within the physical device and never be displayed, stored, or transmitted in plain text.
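The guidelines above reduce to a simple rule: only the Application API Key may ever be written into code that reaches users; every other key is either server-only or issued at runtime and kept in secure storage. The following is an added example, not EVRYTHNG's own code or tooling: it encodes that rule as a policy table and runs a build-time scan that fails when a secret-class key value is found inside client-delivered assets. The key values, file paths and file contents are constructed placeholders; in a real pipeline the secret values would come from the server's environment and the assets from the build output.

```javascript
// Added example (not EVRYTHNG code): key-placement policy plus a build-time scan.

// Which key types may be hardcoded at all, and the contexts each may be used from.
// Derived from the key guidelines on this page.
const KEY_POLICY = {
  operator:           { hardcodeAllowed: false, contexts: ['server'] },
  application:        { hardcodeAllowed: true,  contexts: ['server', 'browser', 'mobile'] },
  trustedApplication: { hardcodeAllowed: false, contexts: ['server'] },
  // Issued to each user at login and held in secure storage, never in code.
  applicationUser:    { hardcodeAllowed: false, contexts: ['browser', 'mobile'] },
  // Held inside the physical device only.
  device:             { hardcodeAllowed: false, contexts: ['device'] },
};

// True when a key of this type may be used from the given context at all.
function isAllowedInContext(keyType, context) {
  const policy = KEY_POLICY[keyType];
  return Boolean(policy) && policy.contexts.includes(context);
}

// Scan client-delivered assets for literal occurrences of keys that must never
// ship to users. `secrets` maps key type -> value as loaded on the build server;
// `assets` are { path, content } records for the files about to be published.
function scanClientAssets(assets, secrets) {
  const findings = [];
  for (const [keyType, value] of Object.entries(secrets)) {
    const policy = KEY_POLICY[keyType];
    if (!policy || policy.hardcodeAllowed || !value) continue;
    for (const { path, content } of assets) {
      content.split('\n').forEach((line, i) => {
        if (line.includes(value)) findings.push({ path, line: i + 1, keyType });
      });
    }
  }
  return findings;
}

// Constructed placeholder key values (real keys come from the Dashboard).
const SECRETS = {
  operator: 'OPERATOR_KEY_PLACEHOLDER_000',
  trustedApplication: 'TRUSTED_APP_KEY_PLACEHOLDER_111',
  application: 'APP_KEY_PLACEHOLDER_222',
};

// Constructed client bundle: config.js correctly embeds the public Application
// key; app.js has accidentally inlined the Trusted Application key.
const CLIENT_ASSETS = [
  { path: 'dist/config.js', content: "export const apiKey = 'APP_KEY_PLACEHOLDER_222';\n" },
  { path: 'dist/app.js',
    content: "const retries = 3;\nfetch(url, { headers: { Authorization: 'TRUSTED_APP_KEY_PLACEHOLDER_111' } });\n" },
];

// Returns the list of violations; a CI step would fail the build when non-empty.
function auditBuild() {
  return scanClientAssets(CLIENT_ASSETS, SECRETS);
}

for (const f of auditBuild()) {
  console.warn(`secret ${f.keyType} key found in ${f.path}:${f.line}`);
}
```

Run it as part of the step that publishes web or mobile assets: a single finding means a server-only key would have been handed to every user of the app, which is exactly the exposure the guidelines above rule out.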
Enabling Two-Factor Authentication (2FA)
Two-Factor Authentication (2FA) is an additional layer of security that we strongly advise you to apply to your EVRYTHNG Dashboard account. Once enabled, a common authenticator mobile app provides a time-limited, single-use code each time you log into your account, so nobody can gain access without also having the device on which the authenticator app is installed.
Enabling 2FA in your EVRYTHNG account is simple and increases account security.
To enable 2FA:
- Log into the EVRYTHNG Dashboard with the user account you wish to enable 2FA on.
- Click the User Settings option in the top-right user menu.
- In the Security section, click the padlock icon on the right to edit the security settings. When prompted, enter your password.
- Click Enable under Two-factor Authentication.
- Follow the on-screen instructions to set up your authenticator mobile app. We recommend one that's readily available and easy to use, such as Google Authenticator.
You must take reasonable precautions to ensure the device isn't lost or stolen, but if it is, you must contact us as soon as possible so we can help you reset your 2FA settings.
Enforcing 2FA for Shared Accounts
The additional security benefits provided by enabling 2FA for your account (as described in the previous section) can be easily extended to any other Operator users that have been added to your account as collaborators.
To add 2FA to a shared account:
- Log into the EVRYTHNG Dashboard as the administrator Operator user for the shared account you wish to enable 2FA on.
- Click the Account Settings option in the top-right user menu.
- In the Security section, click the padlock icon on the right to edit the security settings. When prompted, enter your password.
- Click Enable under Two-factor Authentication.
2FA is now enforced for the account.
Important
All collaborating users must have 2FA enabled for their own accounts to continue accessing your shared resources and data.
Setting the Session Timeout
Besides 2FA, the Account Settings section of the EVRYTHNG Dashboard allows you to enforce a session timeout of up to 48 hours. After the selected duration has passed since an Operator user logged into the account in question, they are automatically logged out and must log in again.
This additional layer of security can be helpful if any device used to access the account is lost, stolen, or damaged, and you can't revoke access remotely.
To enable the session timeout:
- Log into the EVRYTHNG Dashboard as the Operator user for the shared account you wish to enable the session timeout on.
- Click the Account Settings option in the top-right user menu.
- In the Security section, click the padlock icon on the right to edit the security settings. When prompted, enter your password.
- Under Session timeout, choose the desired hours and minutes after which users will be required to log in again.
- Click Update to apply the changes.
Using Our Security Certificates
TLS (Transport Layer Security) communication is now enforced for all our API endpoints. In some situations, you might need to provide a security certificate manually to connect over TLS (HTTPS, WSS or MQTTS). In most situations, such as web browsers and mobile devices, this is handled for you, but it is not handled on every embedded device or device with limited storage.
You can find the EVRYTHNG security certificates on the Security page, together with a SHA256 hash so you can verify the integrity of the downloaded certificates. To avoid locking your devices out when we deprecate a certificate, be sure to embed all the certificates we provide and not only the current one. How these certificates are installed varies between devices and applications; see the documentation for your platform for how to do this (for example, for the Mosquitto MQTT tool).