Upcoming Security Overhaul: Better access control and validation for your account
As promised in our Two-Factor Authentication announcement, we will continue to give you regular updates on all upcoming features and changes we are working on to make your account and data even safer.
This week, I will outline some of the major changes set for May 7, 2018. In short, we aim to further improve your account safety and prevent unauthorized access to your personal information and hosting account files. Additionally, there is a set of new features that will give our clients the tools to exercise their rights according to the GDPR requirements. Here is a list of all new features you can expect next week:
Currently, all FastComet clients have two separate areas to manage their products – the Client Area and the cPanel/WHM control panel. The Client Area provides access to Technical Support, Billing information and other features not directly related to the management of the hosting service itself. Additionally, each hosting service has its own separate cPanel interface via which you can manage all features of the specific hosting product. These two separate areas are accessed with separate login details. All clients can set their Client Area password during the sign-up process; this password is encrypted and cannot be retrieved or viewed in plain text anywhere in the system. On the other hand, the cPanel password for managing your hosting product is randomly generated during the account creation.
To make things easier for our clients, we are introducing the Master Password. The Master Password will be your Client Area password, which you set up during the sign-up process. As this password is encrypted and kept securely in our system, only the person who signed up for the service or knows the password can change it or log in to the Client Area. This access can be further secured by Two-Factor Authentication to prevent unauthorized access in case the Master Password is compromised.
The Master Password will be used and required to perform the following actions:
- To access your Client area
- To access your hosting account's cPanel directly via your Client area
- To obtain your hosting account's cPanel password in plain text or to change your cPanel password
- To modify your existing Master Password
- To edit Contact Information and account ownership information
- To cancel an active product
This way your personal data, account ownership and active services will be protected by an additional layer of security and only the account owner with the Master Password can access and modify them. This, in combination with the two-factor authentication feature, should further prevent unauthorized access and account theft.
In addition to the Master Password, the cPanel password for your hosting products will not be visible in plain text or sent via email. cPanel passwords will continue to be randomly generated and encrypted but no longer visible. The only way to retrieve or change your product cPanel password will be by using your Master Password. Yet, having your Master Password will grant you access to your cPanel without the need to reveal or obtain your cPanel login details due to the new integration settings between your Client Area and cPanel.
Additional control over Contacts/Sub-Accounts
Additional Contacts/Sub-Accounts provide you with the option to give a third party access to your Client Area. As this area contains sensitive information and grants access to your hosting products, we will introduce several changes to give you more control over the Contacts/Sub-Accounts permissions.
Be advised that these new permission levels will not be enabled by default for your existing contacts and you will need to assign them explicitly to your existing contacts via your Client Area, Contacts/Sub-Accounts section.
Changes on currently available permissions:
- Primary account information will no longer be visible to sub-accounts on the Client Area home page. Instead, this section will show the contact information of the Sub-Account. This way, the master account information will be no longer visible to subaccounts without the Modify Master Account Profile permission.
- Available credit balance and the due amount will not be visible to sub-accounts without View & Pay Invoices permissions.
- Hosting products and active services will be no longer accessible from the Client Area homepage to sub-accounts without the View Products & Services permission.
- Quick cPanel access on Client Area homepage will be no longer accessible to sub-accounts without the View Products & Services permissions.
New permission settings that will be available on May 7, 2018:
- View Observer Monitoring & Reports – This permission level will provide sub-accounts with access to the Observer Monitoring system and Reports section.
- Two-Factor Authentication – This permission level provides your sub-account with the option to activate the Two-Factor Authentication for their account. After granting this permission, the sub-account will need to log in and manually activate this feature for their account following the standard steps in our Two-Factor Authentication Tutorial.
Changes to Client Area-cPanel integration
For security reasons, the Client Area-cPanel integration will require a general rework. The cPanel features under the Manage Product section in your client area will be discontinued and all changes to your hosting accounts will need to be performed directly via the cPanel interface.
To save you time and avoid the need to log in to a separate area, you can always use the quick access icon on your Client area homepage to log in to your cPanel, without the need to input separate login details. The quick access icon will be available only to the primary client area account and sub-accounts with View Products & Services permission.
In order to secure the cPanel quick access icon and integration, this feature will no longer use your cPanel password but a one-time authentication token which will be invalidated right after you access your cPanel. This way your cPanel password will be no longer visible or passed through the web. This process assures that your browser obtains a unique session by using a one-time token without revealing your cPanel login details.
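The single-use behaviour described above, sketched as an added example (this is not FastComet's or cPanel's code). The class name, the 60-second lifetime and the account label are assumptions made for illustration; the post only states that the token is invalidated right after use.

```python
import hashlib
import secrets
import time


class OneTimeLoginTokens:
    """Single-use, short-lived tokens for handing a browser to another panel."""

    def __init__(self, ttl_seconds=60, clock=time.monotonic):
        self.ttl = ttl_seconds      # assumed lifetime; the post gives no figure
        self.clock = clock
        self._pending = {}          # sha256(token) -> (account, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, account):
        """Called by the client area once the user is authenticated."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        # Only the hash is kept, so a leaked token table cannot be replayed.
        self._pending[self._digest(token)] = (account, self.clock() + self.ttl)
        return token

    def redeem(self, token):
        """Called by the control panel; returns the account name or None."""
        # pop() spends the token on first presentation, before any other
        # check, so a second request with the same value always fails.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None                     # unknown or already used
        account, expires_at = entry
        if self.clock() > expires_at:
            return None                     # expired before it was used
        return account


def demo():
    """Constructed scenario: first use, replay, and use after expiry."""
    now = [0.0]
    tokens = OneTimeLoginTokens(ttl_seconds=60, clock=lambda: now[0])
    t1 = tokens.issue("example-account")
    first, replay = tokens.redeem(t1), tokens.redeem(t1)
    t2 = tokens.issue("example-account")
    now[0] = 61.0                           # move past the assumed lifetime
    return first, replay, tokens.redeem(t2)


if __name__ == "__main__":
    print(demo())
```

Because the password never appears in the hand-off URL, a value captured from browser history or a proxy log is already spent by the time anyone else could present it.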
Upcoming features scheduled for May 14, 2018
The next batch of features related to your account security and privacy is scheduled for May 14, 2018. That update will introduce a whole new section under your client area called Privacy and Security which will provide you with information and control over the following settings:
- Your Master Password, Sub-Accounts, Two-Factor Authentication and Personal Information
- A Subject Access Control – This section will provide information on whether and why any personal data is used, the reasons it is being processed and the option to request a copy of all personal data collected and stored by FastComet related to your services with us.
- An option to exercise your Right to be forgotten in compliance with the GDPR regulations
- An option to obtain the FastComet Data Processing Agreement in compliance with the GDPR regulations
- Cookies control settings
Meanwhile, if you have any questions or feedback, please feel free to contact our customer service agents or leave a comment. We would like to thank you for all the support and feedback; your valuable suggestions helped us a lot during this process.