Authorization protection
- Information restriction for unauthorized Loymax Platform users
- Loymax Platform user session time limit
- OAuth authorization
- Error code system
- Two-factor authentication
- Single point of access to the System
- Configurable user password validity period
- Access control policy
- Restriction of access to hidden information
Information restriction for unauthorized Loymax Platform users
Information on the System version is restricted for unauthorized users of Loymax Platform:
- Loymax Platform users can see the System version only after authorization;
- GET requests for downloading files from the server do not contain information about the System version;
- The GET /api/Version method, which returns information about the System version, is available only to an authorized user.
Loymax Platform user session time limit
A session is the period of time during which a Loymax Platform user is authorized in the System and can call API methods.
The session records the user's activity both in the Loymax Platform user interface and outside it, for example when API methods are invoked via Swagger, Postman and similar tools.
Starting from System version lmxR4, sessions can be configured for each Loymax Platform user, including the time a user may remain inactive without being logged out of the session. To configure sessions, go to System Settings > Configurations and set the SessionsForUsersAreaEnabled and SessionsForUsersAreaTimeout parameters. For details on session configuration, refer to the dedicated article.
OAuth authorization
To give third-party applications access to the data stored in the Loymax system, the open authorization protocol OAuth 2.0 is used. The protocol lets a user grant a third party limited access to their protected resources without handing over their login and password; an access token is used instead. An access token is an alphanumeric sequence that carries the following information in encrypted form:
- identifier of the account to which access is granted;
- identifier of the application to which access is granted;
- a set of permissions (actions accessible for the application).
The access token can be obtained with or without the customer's participation. In the first case, the user must additionally authorize in the System and then grant the application permission to access the data. Thus, two-factor protection of personal data is achieved.
In addition, the token has a limited lifetime: after a set period, access to the System is terminated until the next authorization. When working with the Mobile App, an update token is transmitted along with the access token; the update token has a longer lifetime than the access token. Using the update token, a new access token is created automatically when the current one expires. Periodic token renewal does not interrupt the user's work in the System, while providing additional protection for access to the user's personal data.
Error code system
To enhance information security, Loymax has developed a system of unified errors with codes. In case of erroneous or suspicious actions with Loyalty Program (LP) members' data (for example, entering a phone number that already exists in the System), an error code with a general description of the possible problem is returned instead of an explicit error. The use of error codes helps to avoid database vulnerabilities and reduces the risk of fraudulent actions with LP members' data, such as:
- enumeration (guessing) of LP members' card numbers;
- fraud (conducting fraudulent transactions using the cards of the LP members);
- theft of the System user credentials;
- theft of the card number database.
Note: if the error must be displayed explicitly, the OAuth application can be granted the right to receive explicit errors (ApplicationGetErrorExplicitely). With this permission, an explicit error is returned during registration when an existing phone number is entered. Without it, the response returned in place of the error is the message that a confirmation code has been sent to the phone number (by SMS or Flash Call). For data safety, Loymax does not recommend granting this permission.
This permission also causes explicit errors to be returned when accessing the API methods designed for:
- sending a confirmation code and setting a new password in case of password recovery;
- merging cards of the LP Member;
- linking a card to the LP Member's account;
- starting the procedure of card replacement;
- changing the email address;
- setting a phone number and sending a confirmation code.
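One way to implement the unified-code behaviour described in this section, as an added Python example that is not Loymax code (the function names, error codes and sample phone numbers are assumptions; only the ApplicationGetErrorExplicitely permission name comes from the page):

```python
"""Unified error code vs. explicit error for phone-number registration (added example,
not Loymax code).

A registration handler that returns the same "confirmation code sent" response for a new
and for an already registered phone number, unless the calling OAuth application holds the
ApplicationGetErrorExplicitely permission named on the page. Function names, error codes
and the sample phone numbers are constructed for this illustration.
"""
from dataclasses import dataclass

EXPLICIT_ERROR_PERMISSION = "ApplicationGetErrorExplicitely"  # permission named on the page

# Constructed sample store of phone numbers already registered in the System.
REGISTERED_PHONES = {"+79990000001", "+79990000002"}


@dataclass
class Response:
    code: str        # unified result/error code
    message: str     # general description, never the underlying cause
    status: int = 200


def send_confirmation_code(phone: str) -> None:
    """Stand-in for SMS / Flash Call delivery; a real System would enqueue the message here."""


def register_phone(phone: str, app_permissions: set[str]) -> Response:
    """Start registration for `phone` on behalf of an OAuth application.

    Without the explicit-error permission the caller cannot tell a new number from an
    existing one: both paths return an identical response, so the endpoint cannot be
    used to enumerate LP members' phone numbers.
    """
    exists = phone in REGISTERED_PHONES
    if exists and EXPLICIT_ERROR_PERMISSION in app_permissions:
        # Explicit mode, which the page advises against: reveals that the number exists.
        return Response(code="PHONE_ALREADY_REGISTERED",
                        message="A member with this phone number already exists.",
                        status=409)
    if not exists:
        send_confirmation_code(phone)
    # Unified response for both new and already registered numbers.
    return Response(code="CONFIRMATION_CODE_SENT",
                    message="A confirmation code has been sent to the phone number.")


def leaks_membership(existing: str, new: str, app_permissions: set[str]) -> bool:
    """True if the responses for an existing and a new number differ (enumeration possible)."""
    return register_phone(existing, app_permissions) != register_phone(new, app_permissions)
```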
Two-factor authentication
To enhance security during authorization in the Loyalty Program, the System implements two-factor authentication. With it enabled, after entering the correct login and password, an LP member must enter a confirmation code sent by SMS. This prevents scammers from authorizing in the Loyalty Program with guessed third-party credentials.
Two-factor authentication is enabled by setting the corresponding System configuration parameters.
Authorization with confirmation code input is implemented via the public API, so this functionality can be added, if required, to the customer services integrated with Loymax: the Personal Account and the Mobile App.
Single point of access to the System
User access to the System can be limited to one active session, i.e. only one user can work under an account at a time. If another user logs in under an already active account, the active session is terminated and a new session starts for the new user.
By default this limitation is disabled; the administrator can enable it in the settings for each account. The mechanism makes it possible to uniquely identify users by giving each of them a single point of access to the System.
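The session inactivity timeout described under "Loymax Platform user session time limit" and the single active session limit described here, modelled together in an added Python example that is not Loymax code (the SessionManager class, its methods and the sample timeline are assumptions; only the two configuration parameter names come from the page):

```python
"""Inactivity timeout and single active session per account (added example, not Loymax code).

Models two controls described on the page: the SessionsForUsersAreaEnabled /
SessionsForUsersAreaTimeout configuration (inactivity timeout per session) and the
optional single-point-of-access limit (a new login ends the account's existing
session). Class and method names and the sample timeline are constructed.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class Session:
    account: str
    token: str
    last_activity: float     # seconds on a clock supplied by the caller


@dataclass
class SessionManager:
    sessions_enabled: bool = True     # SessionsForUsersAreaEnabled
    timeout: float = 1200.0           # SessionsForUsersAreaTimeout, seconds of inactivity
    single_session_accounts: set[str] = field(default_factory=set)  # per-account admin setting
    _by_token: dict[str, Session] = field(default_factory=dict)

    def login(self, account: str, now: float) -> str:
        """Open a session; if the account is limited to one session, end the old one."""
        if account in self.single_session_accounts:
            for tok, s in list(self._by_token.items()):
                if s.account == account:
                    del self._by_token[tok]       # previous user's session is terminated
        token = secrets.token_urlsafe(32)
        self._by_token[token] = Session(account, token, now)
        return token

    def authorize(self, token: str, now: float) -> bool:
        """Gate an API call: known token, not idle past the timeout; records activity."""
        s = self._by_token.get(token)
        if s is None:
            return False
        if self.sessions_enabled and now - s.last_activity > self.timeout:
            del self._by_token[token]             # idle too long: session expired
            return False
        s.last_activity = now                     # activity inside or outside the UI counts
        return True

    def active_sessions(self, account: str) -> int:
        """Number of live sessions for an account."""
        return sum(1 for s in self._by_token.values() if s.account == account)
```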
Configurable user password validity period
Special configurations enhance information security and prevent unauthorized access to the System:
- A configuration that sets the lifetime of a user's password. The user sees a pop-up message about the need to update the password during the first authorization in the System and whenever the password has expired.
- Another configuration sets the period within which password uniqueness is checked, preventing a password from being reused within that period.
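The two password configurations above, modelled in an added Python example that is not Loymax code (the PasswordPolicy class, its parameters and the sample values are assumptions; PBKDF2-HMAC-SHA256 is used here as the password hash):

```python
"""Password lifetime and time-bounded uniqueness check (added example, not Loymax code).

Models the two configurations above: a password lifetime after which the password must
be changed (plus a forced change on first authorization) and a period within which a
new password may not repeat an earlier one. Names and values are constructed."""
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets
DAY = 86400.0

@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    set_at: float            # seconds since epoch when this password was set

@dataclass
class PasswordPolicy:
    lifetime: float = 90 * DAY            # password validity period
    uniqueness_window: float = 365 * DAY  # period within which a password may not repeat
    history: dict[str, list[PasswordRecord]] = field(default_factory=dict)
    first_login_done: set[str] = field(default_factory=set)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user: str, password: str, now: float) -> bool:
        """Store a new password unless it repeats one set within the uniqueness window."""
        for rec in self.history.get(user, []):
            if now - rec.set_at <= self.uniqueness_window and hmac.compare_digest(
                    self._hash(password, rec.salt), rec.digest):
                return False                  # repeated too soon: rejected
        salt = secrets.token_bytes(16)
        self.history.setdefault(user, []).append(
            PasswordRecord(salt, self._hash(password, salt), now))
        return True

    def must_change_password(self, user: str, now: float) -> bool:
        """Whether the login flow should show the change-password prompt."""
        records = self.history.get(user)
        if not records:
            return True                       # no password on record at all
        first_login = user not in self.first_login_done
        self.first_login_done.add(user)
        return first_login or now - records[-1].set_at > self.lifetime
```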
Access control policy
The Loymax system differentiates access rights to its sections and functionality using a collection of permissions and their combinations (roles). The administrator can assign roles and grant individual permissions to users in the System settings.
This approach prevents unauthorized access to information: users are given access only to the specific data they need.
Restriction of access to hidden information
To view hidden user information (card numbers, phone numbers, confirmation codes), a System user must have special permissions. For example, Call Center operators can change a phone number or block cards and accounts only if they have been granted the corresponding rights.
This mechanism restricts access to confidential information for persons who do not need this data.