How to secure your account at SMSAPI [GUIDE]
Security is not taken lightly here at SMSAPI. After all, our clients' user accounts store sensitive data about their customers. The most basic rules regarding password security will protect you against the majority of threats. That is why we have decided to gather and present all system-based solutions that will help you secure your account even further. Discover multifactor authentication, secure encryption, tokens, and IP listing.
An SMSAPI employee will never ask you for the password to your account.
Before we begin, it’s worth mentioning that since November 2019, the Network Operations Center department has operated at our headquarters. The team is responsible for continuous monitoring of SMSAPI services, as well as other bulk SMS platforms of LINK Mobility Group.
The NOC works in shifts, which allows it to operate 24 hours a day, regardless of holidays and days off. Among their competencies are resolving incidents and handling malfunctions outside the working hours of our office. Furthermore, they create solutions that help with future incidents.
Two-factor authentication via SMS
Multifactor authentication is an additional layer of protection for your account. Logging in with an SMS password forces you to enter the received code when accessing the system. This is more secure than the regular method because, apart from checking the login and password, it also requires access to a phone registered in the system.
To start signing in with text message codes, go to Account Settings and then select the Security tab.
After entering the current password and phone number to which the authorization codes are to be delivered, you will be asked to enter the first verification code sent by SMS. After verification of the number, the multi-factor authentication will be activated. From now on, you will be required to enter a verification code sent by SMS each time you sign in to the system.
SMS Authenticator - secure SMS login for companies
What’s more, we’ve also created the SMS Authenticator feature for our clients. With this tool, users can add a secure login solution to their systems. It works the same way as login with an SMS password to your SMSAPI account.
The connection to SMSAPI is secured by an SSL certificate. It has been issued by proven, reputable suppliers who guarantee the reliability of our website. Encryption applies to both the browser version of the website and requests made via the API.
These safeguards prevent information from being intercepted during a connection to the Platform by devices intermediating in network communication (e.g. an Internet connection provider).
We are using TLS 1.2; older versions are no longer supported.
OAuth2 tokens – secure login with the API
The OAuth2 token is a string that enables a connection to our platform’s API. For an IT system that wants to use our services in an automated way (without using the Customer Panel), the token acts as the username and password that you enter when logging in to the Customer Panel. To generate an access token, click API Settings in the left column and then click API tokens (OAuth).
Separating these two methods of login improves security: the information and services to which the IT system has access via a token can be limited, e.g. by allowing SMS to be sent but forbidding checking the contact database. The token itself can be disabled or deleted. It’s also possible to set its expiration date for temporary uses.
This approach allows you to specify in detail what the IT system will be able to do and what information associated with the account it will have access to.
It is worth using these restrictions, remembering that one of the security principles is to minimize the data collected and processed.
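On the client side, the two points above (TLS 1.2 as the minimum version, and a token that stands in for a username and password) can be enforced as in the following sketch. This is an added example, not SMSAPI's own code: the endpoint URL is a placeholder, the environment variable name is hypothetical, and sending the token as an `Authorization: Bearer` header is the standard OAuth2 convention assumed here.

```python
import os
import ssl
import urllib.request
from urllib.parse import urlsplit

# Placeholder endpoint: not taken from the page; substitute the real API URL.
API_URL = "https://api.example.invalid/sms"
TOKEN_ENV = "SMS_API_TOKEN"  # hypothetical environment variable name


def tls_context() -> ssl.SSLContext:
    """Client context that verifies the certificate and refuses TLS < 1.2."""
    ctx = ssl.create_default_context()  # certificate and hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def load_token(env=os.environ) -> str:
    """Read the token from the environment so it stays out of source control."""
    token = env.get(TOKEN_ENV, "").strip()
    if not token:
        raise RuntimeError(f"{TOKEN_ENV} is not set")
    return token


def build_request(url: str, token: str, body: bytes) -> urllib.request.Request:
    """Attach the bearer token, but only to an https:// URL."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send a token over a non-TLS URL")
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", f"Bearer {token}")
    return req


def redact(token: str) -> str:
    """Form of the token that is safe to write to logs."""
    return token[:4] + "..." if len(token) > 8 else "***"


if __name__ == "__main__":
    sample = "constructed-sample-token"  # constructed value, not a real token
    req = build_request(API_URL, load_token({TOKEN_ENV: sample}), b"")
    print(req.full_url, redact(sample), tls_context().minimum_version)
    # To send: urllib.request.urlopen(req, context=tls_context(), timeout=10)
```

Because the token carries the same authority as a login, the sketch keeps it out of the source file, out of logs, and off any connection that is not TLS-protected.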
Users – limited access to the account
If more than one employee uses a company account at SMSAPI, it is worth considering creating separate subuser accounts. This feature allows you to allocate the necessary permissions, set the preferred time of sending the messages, grant access to contact databases and sender names as well as to set the available points limits for the campaigns.
The solution works well both in larger enterprises and in branched retail networks.
We recommend using a strong, unique password not used on any other website or service. We require it to contain at least 8 characters, including one capital letter and a number.
IP whitelist – address filtering
Listing IP addresses is a solution that significantly limits the possibility of unauthorized access to the platform.
IP whitelist – API:
IP whitelist – Customer Panel:
Changing the Customer Portal password does not affect API tokens. If you want to change an API token, go to API tokens (OAuth) in API Settings.
More safety procedures
If your company’s security policy requires it, you can also force a periodic password change for your SMSAPI account. After activating this function, the system will remind you about it every 30 days. You can set the reminder in the Security tab in Account Settings.
There you can also set the preferred session duration of the Customer Portal. Select the desired duration from the drop-down list. After this time, you will be automatically signed out if there is no activity on the account. This option is useful if you happen to work in public places or if you share a computer from which you log into the Platform.
If you notice suspicious login attempts, remember that you can log out of all devices with one click in the Customer Portal.
Additionally, in order to protect against unauthorized access to the account, the system sends an email notification about an attempted sign-in from a new device. In case of suspicious account activity, we suggest changing the password. If you have any questions, please contact us!