At Reward Gateway, security is of the utmost importance to us, and allowing our clients to manage their own security policies easily is just as important. This article explains the key security settings that clients can change to strengthen the security of their programme.
To access this feature, the client must first log in to Reward Manager and access their Security Setting Dashboard using the "Security" menu on the left-hand sidebar. This can be done by a client admin with the role 'Programme Security Administrator'.
Once accessed, a client will see the options shown below.
Basic Settings
Automatically log out members who are idle
If this option is selected, any members who remain idle for a certain period of time will be automatically logged out from their account.
Allow "Remember Me" option on login
If this option is selected, members are given the option to remember their login details on their browser for up to 90 days. This would mean members would not need to re-authenticate on that device/browser for up to 90 days.
Detailed error messages
By default, all error messages across the platform are deliberately generic, so that we do not reveal sensitive information that could help an attacker work out where a vulnerability lies. However, we realise this can sometimes make for a poor user experience, as a legitimate end-user might not understand what has gone wrong.
If this option is selected, we show more detailed error messages relevant to the end-user.
Allow email address change (preload only)
Once enabled on a preload programme:
- Members will be able to update their email address in 'My Account' > 'Security Centre'
- Client admins with the 'Member Access Control Administrator' access role will no longer be able to update any member's email address in 'Members' > 'Browse Members' > 'Options' > 'Edit'
- Any further changes to email address via membership uploads will be ignored
How this works on self-registration:
- Members are able to update their email address in 'My Account' > 'Security Centre'
- Client admins with the 'Member Access Control Administrator' role cannot update member emails (neither in 'Members' > 'Browse Members' > 'Options' > 'Edit', nor via membership uploads)
- This can only be done for members with an empty License Key (aka Payroll ID)
Safelist IP Addresses
Reward Gateway applies rate limiting and CAPTCHA throttling checks to almost all areas of the site to control automated attacks against a client programme. However, if most of a client's members access the platform from a single IP address, that address could be flagged as suspicious and the programme slowed down for everyone behind it.
To avoid this, clients can safelist their office or corporate IP addresses, so that these checks are skipped when members access the site from work.
To safelist an IP Address, simply type in the IP Address and the Subnet Mask and select the "Add" button.
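The following is an added illustration, not Reward Gateway's code, of how an (address, subnet mask) entry becomes a network range and how a throttling check can skip matching addresses. The safelist entries, the request addresses and the fixed-window limit are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed entries in the same shape as the dashboard form: an IP address plus a
# subnet mask. Both ranges are RFC 5737 documentation addresses, not real offices.
SAFELIST_ENTRIES = [
    ("203.0.113.0", "255.255.255.0"),       # a whole office range
    ("198.51.100.42", "255.255.255.255"),   # a single corporate egress address
]

def build_safelist(entries):
    """Turn (address, subnet mask) pairs into network objects.

    strict=False lets a host address plus a mask stand for its containing network,
    so "203.0.113.7" with "255.255.255.0" still means 203.0.113.0/24.
    """
    return [ipaddress.ip_network(f"{addr}/{mask}", strict=False) for addr, mask in entries]

def is_safelisted(client_ip, networks):
    """True when the request address falls inside any safelisted network."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks)

class LoginThrottle:
    """Fixed-window per-address counter standing in for the platform's rate limiting.

    Safelisted addresses are still counted (so the activity remains visible in
    logs) but are never challenged, mirroring 'these checks are skipped'.
    """

    def __init__(self, networks, limit=5):
        self.networks = networks
        self.limit = limit
        self.counts = defaultdict(int)

    def check(self, client_ip):
        """Return 'allow', or 'captcha' once an address exceeds the limit."""
        self.counts[client_ip] += 1
        if is_safelisted(client_ip, self.networks):
            return "allow"
        return "allow" if self.counts[client_ip] <= self.limit else "captcha"
```

Because every member behind a safelisted office address shares the exemption, the mask should be as narrow as the office's real egress range allows.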
Password Management
This section allows clients to define their own password policies for their Reward Gateway programme.
Special characters in passwords
If this option is selected, all user passwords must contain at least one uppercase, one lowercase and one digit.
Minimum Password Length
Clients can define their minimum password length here. The minimum can be set from 8 to 16 characters. By default this is 8.
Prevent Password Re-Use
If this option is selected, members cannot re-use any of the last seven passwords that they have used before on their Reward Gateway program.
Periodic Password Refresh
If this option is selected, members will be asked to change their password at a set interval.
Password Refresh Period
This is by default 90 days. However, clients can choose to change this to be a minimum of 30 days to 360 days.
Enforce these changes on next login
If this option is selected, the changes applied above are enforced for all users on their next login to their Reward Gateway account.
This option becomes available only when the required password length or the special-characters requirement for members' passwords has been changed.
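As an added example (not Reward Gateway's own code), the policy settings described in this section expressed as enforcement logic: the complexity check, the length minimum within its 8 to 16 range, the last-seven re-use check against salted hashes, and the refresh period within its 30 to 360 day range. The dictionary keys and function names are this example's own.

```python
import hashlib
import os
from datetime import date, timedelta

# Constructed policy mirroring the dashboard options; the key names are this example's own.
POLICY = {
    "special_characters": True,  # at least one uppercase, one lowercase and one digit
    "min_length": 12,            # dashboard range: 8 to 16, default 8
    "prevent_reuse": True,       # reject any of the member's last seven passwords
    "refresh_days": 90,          # dashboard range: 30 to 360, default 90
}
REUSE_HISTORY = 7

def validate_policy(policy):
    """Reject settings outside the ranges the dashboard permits."""
    if not 8 <= policy["min_length"] <= 16:
        raise ValueError("min_length must be between 8 and 16")
    if not 30 <= policy["refresh_days"] <= 360:
        raise ValueError("refresh_days must be between 30 and 360")
    return policy

def hash_password(password, salt=None):
    """Salted PBKDF2 record; history is kept hashed, never as plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def validate_new_password(password, history, policy):
    """Return the list of violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    if policy["special_characters"] and not (
        any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
    ):
        problems.append("needs an uppercase letter, a lowercase letter and a digit")
    # Re-hash the candidate with each stored salt; only the last seven records count.
    if policy["prevent_reuse"] and any(
        hash_password(password, salt)[1] == digest for salt, digest in history[-REUSE_HISTORY:]
    ):
        problems.append("matches one of the last seven passwords")
    return problems

def password_expired(last_changed, policy, today):
    """True once the refresh period has elapsed since the last change."""
    return today - last_changed >= timedelta(days=policy["refresh_days"])
```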
Login Challenges
This section allows clients to control the login challenges that can be enforced on end-users as well as administrators.
Digital Identity Verification
If this option is activated, all members will be asked to verify their information (payroll number, employee ID, date of birth, etc.) on their next login before getting access to their account.
Note: This is only available on non-'preload' programmes. See Registration Criteria for more information.
Paper Identity Verification
To be used on very rare occasions: if a client suspects fraudulent activity on their programme, they can request that this option be turned on. The request must be confirmed by Reward Gateway's internal Information Security team, and once confirmed, all members logging into the platform will be required to upload an identity document (driving licence, passport, etc.) to verify themselves.
The verification process is handled by the Reward Gateway internal Information Security team.
Multi-factor Authentication
This applies only to administrators accessing Reward Manager. Here a client can reset an administrator's multi-factor settings or unlock their account if it was locked after invalid multi-factor attempts.
Security and Privacy Resources
In this section, a client can download or view all Security and Privacy resources related to their program.
Audit Records
In this section, a client can view all audit records on their program.
The audit information held on Reward Gateway can be filtered by event type (login attempts, multi-factor attempts, etc.). It can also be narrowed down to a specific date range and to a specific member.