Our recent release of two-factor authentication is one more step in providing our customers with tools to secure their Openprovider account. With the economic value of domain names and our other products continuously growing, it is important that nobody but authorized persons has access to their management. This blog post lists the various security layers of Openprovider and explains how to use them.
Username and password
Right, this is the most basic form of user management and credential validation. Almost no system in the world works without a username/password combination, and with a well-chosen password (and a sensible password management and rotation scheme!) it still provides a basic level of security.
The Openprovider control panel and API are accessible by just a username/password combination, if that’s what you prefer. You set your own username and password upon account or contact creation, and can change your password anytime through our control panel, by editing your contact details.
People come and go in each company. Some form of user management makes life easier, and safer! Create a personal account for every employee rather than sharing one login: if somebody leaves, just remove their personal account and their access has been revoked, without having to change a password that everybody else is using.
User accounts can be created and managed through the Openprovider control panel.
Logging in with your password to the Openprovider control panel is reasonably safe: the connection is encrypted (HTTPS), and your browser masks the password with bullets, stars or whatever other character it uses, so nobody looking over your shoulder reads it.
API usage is different: somewhere in your code you need to specify the username and password, probably in plain text. Because the control panel uses the same credentials as the API, anybody with access to that code can read your password and log in to the control panel.
To prevent this from happening, you can obscure your API password, the so-called API hashing. Rather than your plain-text password, you use a hashed version of it to authenticate your API session; the hash is accepted by the API only, so it does not open the control panel. Find this password hash in your contact's details. Keep in mind that the hash is still a credential that grants API access: keep it out of version control and logs, and treat it as a secret just like the password it replaces.
IP whitelisting and blacklisting
Most customers log in to the Openprovider control panel from just a selected set of locations: office, home or via a VPN connection. API access is often even more limited: just one server maintains the API connection.
With this knowledge, you can decide to limit API or control panel access to just a couple of IP addresses. Somebody trying to connect from another IP address will get an error message. You can define and manage this whitelisting through the contact details pages.
The contrary of whitelisting is blacklisting: allow access from any IP address except one or a few.
Whitelisting and blacklisting are defined per user (each user can be assigned a different set of IP addresses) and per access level (API or control panel). Both IPv4 and IPv6 are supported, as are IP ranges.
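To make the behaviour of these lists concrete, here is a small model of per-user, per-access-level IP whitelists and blacklists. It is an added example written for this post, not Openprovider's implementation; the accepted entry formats (a single address, a CIDR block, or a "first-last" range), the access-level names "api" and "panel", and the user names are assumptions. It goes slightly beyond the text in two places a practitioner will hit: an address that cannot be parsed is denied (fail closed), and an IPv4-mapped IPv6 address such as ::ffff:203.0.113.10 is compared as the IPv4 address it wraps.

```python
# Added example: model of per-user, per-access-level IP whitelists/blacklists.
# Illustrative code for this post, not Openprovider's implementation.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_entry(entry: str) -> List[Network]:
    """Turn one list entry into networks. Assumed formats: a single address
    ("203.0.113.10"), a CIDR block ("2001:db8::/32") or a first-last range
    ("192.0.2.40-192.0.2.49"). IPv4 and IPv6 are both accepted."""
    entry = entry.strip()
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        # summarize_address_range raises ValueError if first > last or versions differ
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(entry, strict=False)]


@dataclass
class AccessRule:
    mode: str                 # "whitelist" (allow only) or "blacklist" (deny only)
    networks: List[Network]

    @classmethod
    def parse(cls, mode: str, entries: List[str]) -> "AccessRule":
        if mode not in ("whitelist", "blacklist"):
            raise ValueError(f"unknown mode {mode!r}")
        nets: List[Network] = []
        for e in entries:
            nets.extend(parse_entry(e))
        return cls(mode, nets)

    def allows(self, client_ip: str) -> bool:
        try:
            ip = ipaddress.ip_address(client_ip)
        except ValueError:
            return False          # unparsable client address: fail closed
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped   # ::ffff:a.b.c.d is compared as a.b.c.d
        # `ip in net` is False when the IP versions differ, so mixing v4 and
        # v6 entries in one list is safe.
        matched = any(ip in net for net in self.networks)
        return matched if self.mode == "whitelist" else not matched


# (username, access level) -> rule. No rule means no IP restriction.
Policy = Dict[Tuple[str, str], AccessRule]


def check_access(policy: Policy, username: str, level: str, client_ip: str) -> bool:
    rule = policy.get((username, level))
    if rule is None:
        return True
    return rule.allows(client_ip)


# Constructed sample policy (assumed names): an API-only automation user
# locked to one server and one IPv6 prefix, and a person whose control
# panel login is blocked from two ranges.
SAMPLE_POLICY: Policy = {
    ("deploy-bot", "api"): AccessRule.parse("whitelist", ["203.0.113.10", "2001:db8:1::/48"]),
    ("alice", "panel"): AccessRule.parse("blacklist", ["198.51.100.0/24", "192.0.2.40-192.0.2.49"]),
}

if __name__ == "__main__":
    for user, level, ip in [
        ("deploy-bot", "api", "203.0.113.10"),
        ("deploy-bot", "api", "::ffff:203.0.113.10"),
        ("deploy-bot", "api", "2001:db8:2::1"),
        ("alice", "panel", "192.0.2.45"),
        ("alice", "panel", "192.0.2.50"),
        ("alice", "api", "198.51.100.7"),
    ]:
        print(f"{user:11} {level:6} {ip:22} -> {'allow' if check_access(SAMPLE_POLICY, user, level, ip) else 'deny'}")
```

Note the difference in failure mode: a whitelist denies everything that is not listed, so a forgotten office address or a changed server IP locks you out until the list is fixed, while a blacklist lets everything through that is not listed. For an API user on a single server the whitelist is the right choice; a blacklist is mostly useful to cut off a known bad source quickly.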
If you travel a lot and don't have a VPN connection, IP whitelisting may not be possible. In this case you can add a second layer of security by enabling two-factor authentication: logging in then requires not only a username and password (something you know), but also a unique code generated by a personal device (something you have).
Setting up two-factor authentication is done within a minute through the special settings page. Two-factor authentication can be configured per user.
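For readers who want to see what the "something you have" factor actually computes, the following is an added example of the time-based one-time password algorithm (TOTP, RFC 6238) that authenticator apps implement: the app and the server share a secret, and the code is an HMAC over the current 30-second time step. This is illustrative code written for this post and says nothing about how Openprovider's own implementation works; the server-side choices shown (accepting one step of clock drift, rejecting a code at or below the last accepted time step so a captured code cannot be replayed) are common practice, assumed here rather than taken from the page.

```python
# Added example: TOTP (RFC 6238) as generated by an authenticator app and
# verified by a server. Illustrative code for this post, not Openprovider's
# implementation.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, reduced to `digits` decimals."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = Unix time // step (the app side)."""
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, submitted: str, at: int, last_used: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Server side. Returns the time-step counter the code matched, or None.
    window:    accept codes from +/- `window` steps to tolerate clock drift.
    last_used: highest counter already accepted for this user; a code for that
               step or an earlier one is refused, which blocks replay of a
               code that was phished or shoulder-surfed."""
    if len(submitted) != digits or not submitted.isdigit():
        return None
    counter = at // step
    for c in range(counter - window, counter + window + 1):
        if last_used is not None and c <= last_used:
            continue
        # constant-time comparison so the check does not leak matching digits
        if hmac.compare_digest(hotp(key, c, digits), submitted):
            return c
    return None


def new_secret() -> str:
    """Fresh 160-bit secret, base32-encoded the way apps take it (e.g. via QR code)."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def key_from_secret(secret_b32: str) -> bytes:
    return base64.b32decode(secret_b32, casefold=True)


if __name__ == "__main__":
    secret = new_secret()
    key = key_from_secret(secret)
    now = int(time.time())
    code = totp(key, now)
    print("secret to enrol in the app:", secret)
    print("code right now:", code, "-> accepted at step", verify_totp(key, code, now))
    print("same code again:", verify_totp(key, code, now, last_used=now // 30))
```

The checks in the test below use the published RFC 4226 and RFC 6238 test vectors (secret "12345678901234567890"), so you can confirm the implementation matches what any standard authenticator app produces.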
Time to investigate
Knowing the various ways in which Openprovider helps you keep your account secure, it's time to investigate your current account. Are the access credentials still safe enough for your personal situation? Review the tools mentioned in this blog post and set the right security level for your account!