Security Overview¶
This page contains a general security overview of Pointr products.
Authentication & Authorization¶
Beginning with V8, the authentication and authorization process is well-defined and improved.
Authentication Mechanisms¶
We have different initial authentication mechanisms for different environments/channels. Each one will be discussed separately below:
- Pointr Cloud Dashboard: Username and password are used for authentication over HTTPS (TLS 1.2). This is considered sufficient and practical for current sensitivity in this web application.
- Mobile SDK:
client_idandclient_secretare used for authentication through Mobile SDK, again using TLS 1.2 for encryption. Please note that only client-specific non-sensitive content is accessed, and Device Registration + Data Upload (if enabled) are done through this authentication. Thus, this is considered sufficient and practical for current sensitivity for the resources used. - Web SDK: client_id and client_secret is used for authentication through Mobile SDK again using TLS 1.2 for encryption. Please note that only client specific non-sensitive content is accessed and Device Registration + Data Upload (if enabled) is done through this authentication. Thus this is considered sufficient and practical for current sensitivity for the resources used.
- External REST API User:
username: "email"andpassword: "password"are used for authentication over HTTPS (TLS 1.2). This is considered sufficient and practical for current sensitivity in this web application. -
CDN: SAS Token is introduced with version 8.13 and enables SDK clients to retrieve CMS contents directly from a CDN provider instead of microservice API calls. This enables reliable and faster connectivity. From a data security perspective, a SAS token is required to protect CDN data from anonymous access.
-
All traffic during authentication and authorization processes is secured through TLS while in transit.
Authorization¶
JWT is used exclusively for further authentication and authorization processes.
This is considered sufficiently secure for each channel as stated above. All JWT transmissions are encrypted through TLS 1.2 at a minimum. JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.
For further information, please check here.
Security Precautions¶
- When a user tries to log in M times with wrong credentials in N seconds, we block the user with IP and email address. The blocked users are unblocked by restarting the application.
- The token is not kept in any persistent storage.
- If the token is expired or the time to expire is closer than X (configurable) minutes, we will call the token endpoint with a refresh token. If the refresh token is expired we logout the user.
- The email address is validated.
- A password policy is applied.
- No specific information on a non-successful login attempt is returned.
- Direct navigation to any authenticated URL should redirect to the login page after logout.
- The default value for the Refresh Token Expire Time and Token Expire Time is 120 minutes.
Data Encryption¶
Data is encrypted at rest using Azure Transparent Data Encryption and TLS 1.2 when in motion.
Data Privacy¶
Pointr by default doesn’t store users’ personal data anywhere on its platform. For more details, please check our privacy policy. Also, for reference purposes we have a list below of how countries currently view Pointr as compliant with their privacy laws (for example GDPR).
| Region | Country | Can we implement without any regulation (Y/N) |
|---|---|---|
| America | USA | Y |
| Brazil | Y | |
| Mexico | Y | |
| Canada | Y | |
| Chile | Y | |
| Argentina | Y | |
| Colombia | Y | |
| UK | United Kingdom | Y |
| Europe | Hungary | Y |
| Belarus | Y | |
| Austria | Y | |
| Serbia | Y | |
| Switzerland | Y | |
| Germany | Y | |
| Andorra | Y | |
| Bulgaria | Y | |
| Sweden | Y | |
| France | Y | |
| Montenegro | Y | |
| Luxembourg | Y | |
| Italy | Y | |
| Denmark | Y | |
| Finland | Y | |
| Slovakia | Y | |
| Norway | Y | |
| Ireland | Y | |
| Spain | Y | |
| Malta | Y | |
| Ukraine | - | |
| Croatia | Y | |
| Moldova | Y | |
| Monaco | Y | |
| Poland | Y | |
| Iceland | Y | |
| Albania | Y | |
| Lithuania | Y | |
| North Macedonia | Y | |
| Slovenia | Y | |
| Romania | Y | |
| Latvia | Y | |
| Netherlands | Y | |
| Russia | - | |
| Estonia | Y | |
| Belgium | Y | |
| Czech Republic | Y | |
| Greece | Y | |
| Portugal | Y | |
| Other | Australia | Y |
| UAE | Y | |
| Oman | Y | |
| Singapore | Y | |
| China | Y | |
| Hong Kong | Y |
Pointr Cloud Dashboard Account Locking Due to Failed Login Attempts¶
On the Pointr Cloud REST API V8, there are four parameters related to this configuration:
IPLoginRetryTimeSpan = 300
MaxUnsuccessfulLoginAttempts = 10
PasswordLockoutMode = "IP" (Default) OR "Account"
UnsuccessfulLoginBlacklistDuration = 60 Minutes
You can change these values in the database after the application is up and running.
Based on the default values above:
- If you attempt 10 times within 5 minutes, your IP address will be blacklisted.
- If you set the
PasswordLockoutModeto “Account,” your account will be blacklisted. - Currently, this is our locking mechanism within the application.
- The duration of how long you will stay on the blacklist is determined by the
UnsuccessfulLoginBlacklistDurationparameter, with a default value of 60 minutes. - If a user is on the blacklist, they will receive a response like the following:
- Code : forbidden 403
- Message : “Too many unsuccessful attempts”