SMSAPI Account Security Guide

Security is not taken lightly here at SMSAPI. After all, our clients store sensitive data about their customers. The basic rules regarding password security will protect you against most threats. Furthermore, the SMS gateway offers numerous solutions to increase account and data security. Discover multifactor authentication, secure encryption, tokens, and IP listing. Stay safe and never re-use your passwords!

Attention

SMSAPI employees will never ask for the password to your account.

24/7 Monitoring

Before we begin, you should know since November 2019 the Network Operations Center department has been operating in our headquarters. The team is responsible for continuous monitoring of SMSAPI services and other bulk SMS platforms of LINK Mobility Group.

The NOC works in shifts, allowing it to operate 24 hours, no matter the holidays and days off. Among their competencies are incident solving and malfunction maintenance after the working hours of our office. Furthermore, they create solutions that help during future incidents.

ISO 27001 certification

We are ISO 27001 compliant! The certification guarantees that we abide by the highest infrastructure and data security standards. We have been audited by one of the strictest certification organizations in Poland, TÜV Nord Polska. Read more about it:

Two-factor authentication via SMS

Multifactor authentication (2FA SMS) is an additional layer of protection for your account. The login with the SMS password forces you to provide the received code when accessing the system. The SMS with code is more secure than a traditional method because it also requires access to a phone registered in the system apart from checking the login and password.

Secure password

We recommend using a strong, unique password not used on any other website or service. We require at least 8 characters, including one capital letter and a number.

Never re-use your passwords!

How to set up SMS authentication?

To start signing with a text message code, go to Account Settings and select the Security tab.

SMS Two-Factor login authentication
Login with an SMS authentication

After entering the password and phone number to which the authorization codes are delivered, you will be asked to enter the first verification code sent by SMS. With the number verified, multifactor authentication is activated. From now on, you will be required to enter a verification code sent by SMS each time you sign in to the system. Well done, you just got safer! 🙂

SMS Authenticator – secure SMS login for companies

What’s more, we’ve also created the SMS Authenticator feature for our clients. With this tool, users can add a secure login solution to their systems. It works the same way as logging in with an SMS code to your SMSAPI account.

Read more:

Connection encryption

An SSL certificate secures the connection to SMSAPI. It has been issued by proven, reputable suppliers who guarantee the reliability of our website. Encryption applies to both the browser version of the website and references via the API.

These safeguards prevent information intercepting during a connection to the platform by devices intermediating in network communication (e.g. Internet connection provider).

We are using TLS 1.2. Older versions are no longer supported.

OAuth2 tokens – secure login with the API

Jakub Kluz Product Manager at SMSAPI

The OAuth2 token is a string that enables a connection to our platform’s API. For an IT system that wants to use our services in an automated way (without using the Customer Panel), the token acts as a user and password, which you enter when accessing the Customer Panel. To generate access token click API Settings on the left column and click API tokes (OAuth).

Jakub Kluz – Product Manager at SMSAPI
List of all your API tokens
List of generated API token

Separating these two methods of login improves security – information and services to which the IT system has access via a token can be limited, e.g. by allowing SMS to be sent but forbidding checking the contact database. The token itself can be disabled or deleted. It’s also possible to set its expiration date for temporary uses.

Adding an API token
Choose which features will be available

This approach allows you to specify in detail what the IT system will be able to do and what information associated with the account will it have access to.

We recommend using these restrictions. Remember that one of the security principles is to minimize the data collected and processed.

Users – limited access to the account

If more than one employee uses a company account at SMSAPI, it is worth considering creating separate subuser accounts. This feature allows you to allocate the necessary permissions, set the preferred time of sending the messages, grant access to contact databases and sender names, and set the available points limits for the campaigns.

Subusers in SMSAPI Customer Portal
Add new subusers of your SMSAPI account

The solution works well both in larger enterprises and in branched retail networks.

IP whitelist – address filtering

Listing IP addresses is a solution that significantly limits the possibility of unauthorized access to the platform.

You can specify from what addresses it is possible to log in to the Customer Portal and connect via API. Remember that these two are separate lists.

IP whitelist – API:

How to whitelist IPs that can access API
In the API Settings (bottom part of the left menu), you can define the set of IP addresses
from which it will be possible to connect to our API.

IP whitelist – Customer Panel:

Setup IP verification in SMSAPI Customer Portal
In Account Settings, you can specify the addresses to sign in to the Customer Portal.

Attention

Changing the Customer Portal password does not affect API Tokens. If you want to change your API token, please go to API tokens (OAuth) in API Settings.

More safety procedures

If your company’s security policy requires it, you can also force a periodic password change to your SMSAPI account. After activating this function, the system will inform you every 30 days about it. You can set the reminder in the Security tab in Account Settings.

There you can also set the preferred session duration of the Customer Portal. Select the desired duration from the drop-down list. After this time, you will be automatically signed off when there’s no activity on the account. This option is helpful if you happen to work in public places or share a computer from which you log into the platform.

Check logged devices
List of most recent account activity

If you noticed suspicious login attempts, remember you can log out of all the devices with one click in the Customer Portal.

A security e-mail from SMSAPI
An example of an e-mail informing about a new sign-in

Additionally, to protect against unauthorized access to the account, the system sends an email about the attempted sign-in from a new device. In case of suspicious account activity, we suggest changing the password. If you have any questions, please contact us!