Loymax, 2026

Authorization protection


Information restriction for unauthorized MMP users

Information on the System version is restricted for unauthorized users of the Marketing Management Platform (MMP):

  • MMP users can see the System version only after authorization;
  • GET requests for downloading files from the server do not contain information about the System version;
  • The GET /api/Version method, which returns information about the System version, is available only to an authorized user.

MMP user session time limit

Session is a period of time during which the MMP user is authorized in the System and can access API methods.
The session records the user's activity both in the MMP user interface and outside it, for example, when API methods are invoked via Swagger, Postman or other tools.

Starting from the System version 2022.2, sessions can be configured for each MMP user, as well as the time during which users can be inactive without leaving the session. To configure the session, proceed to the System Settings > Configurations and set the SessionsForUsersAreaEnabled and SessionsForUsersAreaTimeout parameters. For more details on session configuration, please refer to a special article.

OAuth authorization

To provide third-party applications with access to the data stored in the Loymax system, the open authorization protocol OAuth 2.0 is used. This protocol grants a third party limited access to the user's protected resources without the third party ever receiving the user's login and password. An access token is used instead. The access token is an alphanumeric sequence carrying the following encrypted information:

  • identifier of the account to which access is granted;
  • identifier of the application to which access is granted;
  • a set of permissions (actions accessible for the application).

The access token can be obtained with or without the customer's participation. In the first case, the user additionally has to authorize in the System and then grant the application permission to access the data. This provides two-factor protection of personal data.

In addition, the token has a limited lifetime: after a certain period of time, access to the System is terminated until the next authorization. When working with a Mobile App, an update token is transmitted along with the access token; it has a longer lifetime than the access token. Using the update token, a new access token is created automatically when the current one expires. Periodic token updates do not affect the user's work in the System, while adding protection for access to the user's personal data.

Error code system

To enhance information security, Loymax has developed a system of unified errors with codes. In case of erroneous or suspicious actions with the data of Loyalty Program (LP) members (for example, entering a phone number that already exists in the System), an error code with a general description of the possible problem is returned instead of an explicit error. The use of error codes helps to avoid database vulnerabilities and reduces the risk of fraudulent actions with the data of LP members, such as:

  • picking of card numbers of the LP members;
  • fraud (conducting fraudulent transactions using the cards of the LP members);
  • theft of the System user credentials;
  • theft of the card number database.

Note: if the error must be displayed explicitly, the OAuth application can be granted the right to receive an error explicitly (ApplicationGetErrorExplicitely). This permission makes it possible to get an explicit error during registration if an existing phone number is entered. If this right is not granted, a message that a confirmation code has been sent to the phone number (by SMS or using Flash Call) is returned as the error. For data safety purposes, Loymax does not recommend granting this right.
This permission also makes it possible to return an explicit error when accessing API methods designed for:

The right to receive an error explicitly works only if the OAuth application is also given the right Application has the right for user authorization.
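The enumeration-resistant behaviour described above, as an added example that is not Loymax code: registration returns the same "confirmation code sent" reply for new and already-registered numbers unless the application holds the explicit-error right. The phone numbers and the error code value are constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Set

# Constructed sample of phone numbers already registered in the System (not real data).
EXISTING_PHONES: Set[str] = {"+70000000001", "+70000000002"}

# Unified error code standing in for "phone number already exists"; the page does not
# list concrete codes, so this value is an assumption.
ERR_PHONE_EXISTS = "E-REG-001"


@dataclass(frozen=True)
class RegisterResponse:
    status: str                      # "confirmation_sent" or "error"
    message: str
    error_code: Optional[str] = None


# The reply every caller gets when explicit errors are disabled, whether or not
# the number is already known: nothing in it distinguishes the two cases.
GENERIC_RESPONSE = RegisterResponse(
    "confirmation_sent", "A confirmation code has been sent to the phone number"
)


def register(phone: str, existing: Set[str], explicit_errors: bool) -> RegisterResponse:
    """Models the registration step: with the ApplicationGetErrorExplicitely right the
    caller learns that the number exists; without it the reply equals GENERIC_RESPONSE."""
    if phone in existing and explicit_errors:
        return RegisterResponse("error", "Phone number is already registered", ERR_PHONE_EXISTS)
    # For a new number an SMS / Flash Call would be dispatched here; for an existing one
    # nothing is sent, but the caller receives an identical response either way.
    return GENERIC_RESPONSE


def numbers_revealed_by_responses(
    probes: Iterable[str], existing: Set[str], explicit_errors: bool
) -> Set[str]:
    """Audit helper: which probed numbers the response alone confirms as registered.
    Empty when explicit errors are disabled, i.e. the API leaks no membership information."""
    return {p for p in probes if register(p, existing, explicit_errors) != GENERIC_RESPONSE}
```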

Two-factor authentication

To enhance security during authorization in the Loyalty Program, two-factor authentication functionality is implemented in the System. In case of two-factor authentication, after entering correct login and password details, LP members should enter a confirmation code sent to them by SMS message. Thus, scammers will not be able to pick and enter third party data for authorization in the Loyalty Program.

Two-factor authentication is enabled by setting the corresponding System configuration parameters.
Authorization with confirmation code input is implemented using the public API. Thus, if necessary, this functionality can be added to the client services integrated with Loymax, such as the Personal Account and the Mobile app.

Single access point to the System

User access to the System can be limited to one active session, that is, only one user can work under one account at a time. If another user logs in with an already active account, the active session is completed and a new session begins for the new user.

By default, this limitation is disabled; the administrator can enable it in the settings for each account. This mechanism makes it possible to uniquely identify the user, providing them with only one access point to the System.
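A session store that models both the inactivity limit from the "MMP user session time limit" section and the per-account single access point described here, as an added example that is not Loymax code. The parameter names mirror SessionsForUsersAreaEnabled and SessionsForUsersAreaTimeout from the page; the 900-second value and the use of explicit timestamps are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Set

# Models the SessionsForUsersAreaEnabled / SessionsForUsersAreaTimeout parameters
# named on the page; the 900-second value is an assumption, not a documented default.
SESSIONS_ENABLED = True
SESSIONS_TIMEOUT_SECONDS = 900


@dataclass
class Session:
    account: str
    last_activity: float   # Unix time of the last API call made with this session
    active: bool = True


class SessionStore:
    def __init__(self, timeout: int = SESSIONS_TIMEOUT_SECONDS, enabled: bool = SESSIONS_ENABLED):
        self.timeout = timeout
        self.enabled = enabled
        self.sessions: Dict[str, Session] = {}
        # Accounts for which the administrator switched on the single access point limitation.
        self.single_session_accounts: Set[str] = set()

    def login(self, account: str, now: float) -> str:
        """Starts a session; for single-access-point accounts the previous session is completed."""
        if account in self.single_session_accounts:
            for s in self.sessions.values():
                if s.account == account:
                    s.active = False
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(account, now)
        return token

    def authorize(self, token: str, now: float) -> bool:
        """Checks a token on each API call (UI, Swagger, Postman alike) and refreshes activity."""
        s = self.sessions.get(token)
        if s is None or not s.active:
            return False
        if self.enabled and now - s.last_activity > self.timeout:
            s.active = False          # inactivity limit exceeded: the session ends
            return False
        s.last_activity = now         # any authorized call counts as activity
        return True
```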

Configurable user password validity period

Special configurations enhance information security and prevent unauthorized access to the System:

  • A configuration that sets the lifetime of the user's password. The user sees a pop-up message about the need to update the password during the first authorization in the System, as well as when the password has expired.
  • Another configuration sets the time limit within which the uniqueness of the password is checked, thus preventing the password from being repeated.
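The two configurations above, as an added example that is not Loymax code: a password lifetime after which a change is required, and a uniqueness window within which a previously used password is rejected. Only salted hashes are kept; the 90- and 365-day values, and treating an empty history as "first authorization", are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List

DAY = 86_400
# The 90- and 365-day values are assumptions; the page names the configurations, not defaults.
PASSWORD_LIFETIME_DAYS = 90
UNIQUENESS_WINDOW_DAYS = 365


@dataclass(frozen=True)
class PasswordRecord:
    salt: bytes
    digest: bytes
    set_at: float    # Unix time the password was set


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordPolicy:
    def __init__(self, lifetime_days: int = PASSWORD_LIFETIME_DAYS, window_days: int = UNIQUENESS_WINDOW_DAYS):
        self.lifetime = lifetime_days * DAY
        self.window = window_days * DAY
        self.history: List[PasswordRecord] = []   # salted hashes only, never plaintext

    def must_change(self, now: float) -> bool:
        """True on first authorization (no password set by the user yet, an assumption of
        this model) and whenever the current password has outlived its lifetime."""
        if not self.history:
            return True
        return now - self.history[-1].set_at > self.lifetime

    def reused_within_window(self, password: str, now: float) -> bool:
        """True if the candidate matches a password that was set inside the uniqueness window."""
        return any(
            now - rec.set_at <= self.window
            and hmac.compare_digest(hash_password(password, rec.salt), rec.digest)
            for rec in self.history
        )

    def set_password(self, password: str, now: float) -> None:
        if self.reused_within_window(password, now):
            raise ValueError("password was already used within the uniqueness window")
        salt = secrets.token_bytes(16)
        self.history.append(PasswordRecord(salt, hash_password(password, salt), now))
```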

Access control policy

The Loymax system implements the separation of access rights to its various sections and functions. For this purpose, collections of rights and their combinations, called roles, are used. The administrator can assign roles and individual rights to users in the system settings.

This protects information from unauthorized access and provides users with only the data they need, and no more.

Access limitation to hidden information

To view hidden user information (card numbers, phone numbers, confirmation codes), the System user must have special rights. For example, Call Center operators can change a phone number or block cards and accounts only if they have the corresponding special rights.

This mechanism makes it possible to restrict access to confidential information for persons who do not need this data.