It’s been a busy few weeks here, plenty of late nights and overtime as our team has worked tirelessly to ensure the forms2mobile platform meets GDPR requirements. While it’s been exhausting for the entire team, we got there! This has also been a good opportunity for us to add some new features to the platform that will help you better secure and manage your data going forward.
New Personal Data Options
We all have obligations to meet surrounding personal data. To make it easier for you to export (or connect) your data out of forms2mobile, as well as to manage basic user account information such as name and email, we’ve added a number of new features.
As an ‘App Creator’, you are the controller of data that you capture in the forms, screens and apps you build. We’ve added a new “Is Personal Data” checkbox around certain key areas of the platform including Forms, Data Sources and Connectors.
This new checkbox allows you to indicate that a field or column may contain personal/sensitive data. While no additional security or protection is offered by this enhancement, it does enable the platform to offer anonymisation of those data values when exporting and using connectors.
You’ll spot the new “Anonymise Personal Data” options across the platform including system exports and Form Connectors when the presence of personal data has been indicated.
New features for API users too! We’ve added a new set of “Anonymise” Keys. The main difference between these and existing Full Access Keys? Any responses to requests authenticated using the Anonymise keys will mask personal data in non-human readable formats.
Security Improvements
Regenerable API Keys
If you’re an API user you will have noticed that only one Secret Key Value was available per company account. Until now! We’ve added a second Key to give you greater flexibility when building integrations. Use it to rotate keys, or simply regenerate keys periodically to improve security.
Validation of Passwords Against 10,000 Most Common
Security researchers linked to NIST have compiled a list of the 10,000 most commonly used passwords. We’ve loaded this list into the platform and will actively block users from setting or changing their password to any of these. This helps enforce OWASP and NIST guidance on preventing users from choosing easily guessed passwords.
Maximum Password Attempts Lockout
We’ve added a temporary lockout feature for platform user accounts. This will kick in if an incorrect password is entered 5 times in succession. Again based on NIST recommendations, this gives greater protection against brute-force password attacks. Currently this has only been implemented on the form builder platform; we’ll be rolling it out to mobile app logins over the next few months.
Password Policy Options (Premium Feature)
To date our password engine has enforced a simple 6-character minimum length. The primary aim of this requirement is to help get new users up and running quickly. In addition to this, we’re adding new options on your Organization Setup page to give you more control over the password policies in use for your company account. As well as the current default Basic policy, we’ve added a drop-down menu with two additional policy types based on current best practice and recommendations:
- NIST SP 800-63: A phrase-based policy based on the latest recommendations of NIST, which encourages human-friendly passwords that are still hard to crack.
- OWASP 2017: A strict policy which favours complex passwords that are hard to crack but also harder for people to remember.
These additional policy options will give greater flexibility and stronger security requirements for your users. You should consider carefully the best options for your company and your users.
We will continue to apply our Basic policy for all new company accounts; however, this can be updated at any time by the platform administrator. When you switch to a stronger policy, it will be applied to new users automatically, and to existing users when they next change their password.
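To make the three controls above concrete (the common-password blocklist, the 5-attempt temporary lockout, and the Basic / NIST SP 800-63 / OWASP policy choice), here is an added illustrative example; it is not forms2mobile’s own code. The five-entry blocklist, the 8- and 10-character minimums for the two stronger policies, the 900-second lockout duration and the `check_password` / `LoginGuard` names are all assumptions made for the example.

```python
# Added illustrative example, not forms2mobile code: a policy-aware password
# check backed by a common-password blocklist, plus a 5-attempt lockout.
import re
import time

# Constructed stand-in for the 10,000-entry common-password list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "football"}
# Minimum lengths: 6 is the post's Basic policy; the other two are assumed.
MIN_LENGTH = {"basic": 6, "nist": 8, "owasp": 10}
MAX_ATTEMPTS = 5
LOCKOUT_SECONDS = 900  # assumed; the post only says the lockout is temporary

def check_password(pw, policy="basic"):
    """Return the reasons a password is rejected (empty list = accepted)."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:  # blocklist applies under every policy
        problems.append("password is in the common-password blocklist")
    if len(pw) < MIN_LENGTH[policy]:
        problems.append(f"shorter than {MIN_LENGTH[policy]} characters")
    if policy == "owasp":
        # Strict complexity rules; the NIST-style policy deliberately has none
        for name, pat in (("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
                          ("digit", r"\d"), ("symbol", r"[^A-Za-z0-9]")):
            if not re.search(pat, pw):
                problems.append(f"missing {name}")
    return problems

class LoginGuard:
    """Counts consecutive failures per account; locks after MAX_ATTEMPTS."""
    def __init__(self, now=time.time):
        self._now = now
        self._state = {}  # user -> [consecutive_failures, locked_until]

    def attempt(self, user, password_ok):
        """Return 'locked', 'failed' or 'ok'; locked accounts refuse even a
        correct password, so guessing during the lockout learns nothing."""
        fails, until = self._state.get(user, [0, 0.0])
        if self._now() < until:
            return "locked"
        if password_ok:
            self._state.pop(user, None)  # success clears the failure count
            return "ok"
        fails += 1
        if fails >= MAX_ATTEMPTS:
            until, fails = self._now() + LOCKOUT_SECONDS, 0
        self._state[user] = [fails, until]
        return "locked" if until > self._now() else "failed"
```

Note that the blocklist comparison is case-insensitive and runs under every policy, matching the post’s statement that the 10,000-password block is platform-wide rather than part of any one policy.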
Development Roadmap Back In Focus!
The work in reaching our internal targets for GDPR compliance, as well as for the features above, has been way more than we planned or expected, but thankfully we see the light at the end of the tunnel. Once everything GDPR related has settled down, we’ll be moving back onto our planned roadmap work. We’re super excited to ramp back up on all the new features planned and we’ll be sharing more about that soon.