Passwords & Security

Your Portal and account possibly hold very confidential information. Therefore, we as FastPortal take a lot of precautions and security measures to ensure that people who should not have access indeed do not have access.

Some of these security measures have some usability implications, meaning that some things that might work in less secure applications do not work in FastPortal. (Specifically, password reset.)

We can’t do it on our own. We need you to be aware of proper procedures and rules to keep your information secure.

Encryption fundamentals

All the Documents, Messages and most profile fields are encrypted on our servers. For the full story on encryption, we will point you to the Wikipedia article on encryption and our own page about our security measures. In this Knowledge Base article, we will give you a brief overview.

This is a long section, but the short summary is: FastPortal employees do not have access to data that is stored in your portal. We can also not provide password resets or restore lost data. Only Team Members have access to all data and can reset passwords.

The very first thing you need to know is that encryption is a little bit like a safe. If you know the code, you can open the safe, put some things in the safe and close it. No one else can access the information in the safe. That is precisely what we do with your information. If someone were to gain access to our servers, all they would find is a bunch of safes. In fact, we have a different safe for each document. So even if they opened one safe (they can’t!), they only have one document. On a computer these safes look like a random bunch of letters, numbers and other characters.

So, now we have a bunch of encrypted files on the server (a bunch of safes); these files each have their own key. For our encryption we use AES with 256-bit keys. This is the type of key used by banks, governments and large corporations. As far as computer security experts know, it is very secure and even government organizations cannot crack this type of encryption.

Now we don’t expect you to remember a secret encryption key for every single file; that would be completely unmanageable. Instead, we create something like a special safe that holds all your keys. This safe is also encrypted with one of those unbreakable AES 256-bit keys.

Then the question remains: how do you open the safe with all your keys? Well, the answer to that is a little complex, but essentially we use your password to open your safe with keys. When you log in, we do some manipulations to your password that turn it into an encryption key. This technique is called a password-derived key and Wikipedia has an article about it.

This does not mean we know or store your password. We have no idea what your password is, nor do we want to know your password. All we do is turn whatever you enter as your password into a key and see if the key fits. If it fits, we let you in and your account temporarily has access to your safe full of keys. When you log out or leave for a while, we lock your safe back up and ask you to re-enter your password.

Implications of our encryption

This system is very secure but has some implications:

  • FastPortal has no access to your documents. Only you have access to your documents.
  • FastPortal cannot do a password reset for you, because if we change your password, the new password will no longer work to open your safe.

Those two implications are great, except Team Members must have access to all documents. Also, there must be a way to reset passwords, because people forget their password all the time.

Therefore, what we have done is made a very special safe that holds a back-up key to all the safes with the encryption keys. This very special safe is accessible only by Team Members. Whenever a Team Member logs in, he is granted access to these keys deep in the application.

Things only Team Members can do

That means that Team Members can:

  • Access all Documents and information in the portal.
  • Reset passwords for all Clients. Administrators can also reset passwords for Team Members.

If you read this whole section, you will know that ultimately, your data is as secure as your password. If you pick a very weak password, people can log in and access your information. Therefore, we have minimum password requirements built in that ensure you are protected.

As Administrator you can (and probably should) make the password rules even stricter than we have set them. This is always a trade-off between usability (shorter passwords are easier to remember) and security (more complex passwords are more secure).

Change your password

You can change your password at any time by clicking on your name in the top right corner of the page; this opens a small submenu with an option to change your password. If you click on that link, you must first enter your current password and then you get to pick a new one.

Please pick a strong password! The stronger your password, the better we can protect your private information.

As Administrator you set the password rules for your Team Members and Clients. We suggest you make them very strong.

Password reset

As explained in the encryption fundamentals section, we (FastPortal) cannot do a password reset. That also means that you or any other Team Member or Client cannot get an instant password reset. A Team Member or Administrator must always do this manually!

When you reset a password, please also make sure that the account for this person is not also blocked. Accounts will be blocked after a number of bad login attempts. If you forget to unblock the account before the password reset, the Client or Team Member will not be able to log in.

Password reset for a Team Member

If a Team Member requires a new password, this can only be done by an Administrator. In order to do so, follow these steps:

  • Make sure the password reset request is legitimate. If a bad guy has gained access to your Team Member’s email account, they might try to fool you into letting them into your portal as well!
  • In the top menu click on the More link. This will open a dropdown menu with an option called Team Members. Click on Team Members.
    [IMAGE dropdown top menu with Team Members]
  • On the Team Members page, you find the Team Member whose password you wish to reset.
    Find the team member
  • Now click on the three little dots at the very right of the row and then on the reset password option.
    Select the password reset option.
  • This opens a page with a warning to make sure you want to reset this password. If you are sure, please enter your own password, and click reset.
    Approve the password reset.
  • Your Team Member will be notified and receive instructions on how to pick a new password.

Password reset for a Client

If a Client requires a new password, this can be done by any Team Member. In order to do so, follow these steps:

  • Make sure the password reset request is legitimate. If a bad guy has gained access to your Client’s email account, they might try to fool you into letting them into your portal as well!
  • In the top menu click on the Clients link.
    [IMAGE dropdown top menu with Team Members]
  • On the Clients page, you find the Client whose password you wish to reset.
    Find the team member
  • Now click on the three little dots at the very right of the row and then on the reset password option.
    Select the password reset option.
  • This opens a page with a warning to make sure you want to reset this password. If you are sure, please enter your own password, and click reset.
    Approve the password reset.
  • Your Client will be notified and receive instructions on how to pick a new password.

Two-factor authentication

Two-factor authentication is great and you should use it! Two-factor authentication means that you need two ways to identify yourself when you log into your portal. The first is your username and password. The second way is either a secret code that we email to you or that you get from a special Google application called Google Authenticator that you install on your smart phone.

Why is this better than just a username and password? Well, perhaps your login information is stolen by someone or stored in a browser. Those login credentials will work forever (or until you change your password). The code that we send you or that you get from Authenticator only works once and only for a few minutes.

Two-factor authentication does not replace your username and password; it is an additional layer. Even if someone got a hold of your phone or email address, they would still also need your portal login information.

Enabling two-factor authentication using email

There are two supported ways to enable two-factor authentication. You can either receive an email with a secret code or use a special app from Google, called Google Authenticator. This section is about receiving the code by email.

This is only useful if you have different (and strong) passwords for your email account and your portal.

To setup two-factor authentication by email:

  • Go to your Profile
  • Click the button “Set it up now” at the top of the page, next to “Two-factor: Not enabled”.
    Click "Set it up now" to start configuring your two-factor authentication.
    If you already have two-factor enabled and want to change the method or register a different phone, just click the “Change” button first and then the “Set it up now” button.
  • On the next page, select the email method and continue.
    Select email to setup email two-factor.
  • Now you will receive an email with your very first two-factor verification code. (We do this to make sure that you have access to the email account and that the emails don’t end up in your spam folder.) Find this email in your email account and copy the six-digit code.
  • Paste or type the six digit code into the text field and then click continue.
    Enter the six digit code you copied.
  • If everything went according to plan, you will be back on your Profile and see “Two-factor: Enabled (Email authentication)” at the top of the page.
    Two-factor is setup.

Enabling two-factor authentication using Google Authenticator

There are two supported ways to enable two-factor authentication. You can either receive an email with a secret code or use a special app from Google called Google Authenticator. This section is about using Google Authenticator.

To setup two-factor authentication using Google Authenticator:

  • Download and install Google Authenticator on your smart phone. Search for Google Authenticator in the Google Play store (for Android) or the App Store (iPhone) and install the app. (If you need help, please see https://support.google.com/accounts/answer/1066447.)
  • Go to your Profile.
  • Click the button “Set it up now” at the top of the page, next to “Two-factor: Not enabled”.
    Click "Set it up now" to start configuring your two-factor authentication.
    If you already have two-factor enabled and want to change the method or register a different phone, just click the “Change” button first and then the “Set it up now” button.
  • On the next page, select the Google Authenticator method and continue.
    Select Google Authenticator
  • This will open a page with a QR code and a field where you can enter the validation code. Now on your phone open the Google Authenticator application you have installed.
  • If this is your first time using Authenticator, the app will have a link at the bottom to start configuration. Click that link “Start Configuration” and follow the steps. If you have used Authenticator before, just do what you normally do to add a new account.
  • On the next page (still on your phone) you pick the option to “Scan a barcode”. NOTE: If you have not yet installed a barcode scanner app, Google Authenticator will ask you to install a Barcode Scanner app. Just follow the instructions. If you need help, please check https://support.google.com/accounts/answer/1066447. Go back to the Google Authenticator app and again select the Barcode option.
  • This will turn on your camera and present a barcode scanner. Use this scanner to scan the QR code on your computer screen.
    Scan the QR code to generate the time-sensitive code
  • Google Authenticator will now show a six digit code that is valid for about a minute. Type the six digit code into the text field and then click continue.
    Enter the time-sensitive code into the field.
  • If everything went according to plan, you will be back on your Profile and see “Two-factor: Enabled (Email authentication)” at the top of the page.
    Two-factor is setup.

Disabling two-factor authentication

If you no longer have access to the phone or email address you use for two-factor authentication or if there is some kind of error, you can ask another user to remove your two-factor authentication. Administrators can remove two-factor authentication for a Team Member and any Team Member can remove two-factor authentication for a Client.

If you are still logged into your portal and want to remove two-factor authentication or switch authentication methods, you can disable two-factor authentication in your profile by yourself.

To disable two-factor authentication:

  • Go to your Profile.
  • Click the button “Disable” at the top of the page, next to “Two-factor: Enabled”.
    Click disable to turn off two-factor authentication

Email confirmation

When you first sign up or we have a reason to doubt whether it is really you trying to log in, we will send you an email to confirm that you control the email address that is used for registration.

Account lock-out

Administrators can configure how many times you are allowed to type a wrong username and password combination. The default number of times is three. So, after you have entered a wrong password more than three times in a row, you will be locked out. The duration of the lock out is something that Administrators can set. The default setting is an hour.

After such a lockout, you have two options:

  • Find the correct password. Wait for an hour (possibly longer if that is what the Administrator has configured) and try again.
  • Ask an Administrator (if you’re a Team Member) or any Team Member (if you’re a Client) to remove the lock out.

Administrators can remove a lock-out for a Team Member and any Team Member can remove a lock-out for a Client.

Password rules

Administrators can set the minimum password requirements. We have already configured some minimum defaults that you cannot go under, but we highly suggest you pick a very strong password. To help you with this, we suggest you use a password manager.

IP address limit

Administrators can set a limit on Team Member accounts, such that Team Members can only log in from certain IP addresses (like your office).

Change in payment service provider

You can configure a payment service provider in order to accept payments using FastPortal. The last thing you want, however, is for a bad or unknowing person to change your payment details into something else. In the best case scenario, this will break the payments module and in the worst case, someone will steal your money.

Therefore, whenever the payment service provider details are changed, every single Administrator will receive an email notifying them of the change.

“No rewriting of history”

Throughout FastPortal we have at least one rule that is set in stone that you should know about. That rule is “No rewriting of history”.

This means that whatever has been communicated to a Client or a Team Member cannot be “uncommunicated” without the other party knowing you removed it. Of course it is possible to fix mistakes or change Documents, but we do not allow alteration of dates or submitted information. This way, we act as a safeguard for both you and your Clients that everybody is playing fair.