Protecting Your Credentials
Owner account
Upon creating a new Atlar production organization, the email used will be given “Owner” status. By default, the owner can access the full functionality of the Atlar platform. The owner account will be used for setting up approval chains, roles, and users. To ensure the protection of Atlar credentials associated with the owner account, the following practices are recommended:
- The production organization should be set up with a non-personal email address, for example: [email protected]
- Do not share the login credentials with a wider team, and consult your IT/security department to ensure you follow internal best practices for managing passwords
- Make sure that the email address can only be accessed by the intended owner(s) since the email account itself can be used to take over the account via the forgot password feature (especially if MFA is turned off!)
- Enable Multi-Factor Authentication (MFA) and at least one backup MFA option
- Do not use this account for day-to-day operations, such as checking the account balance
Following the above bullets ensures that login credentials to the owner account remain protected. If the person with access to the owner account leaves the company or changes positions, you can easily rotate access, since it is tied to a non-personal email.
Human users
For human users that you invite to join the production organization, the Principle of Least Privilege should be followed: a user should only be able to access the information and resources that are necessary for their purpose. The following practices are recommended:
- Even if you’re the one setting up the organization, i.e. the owner, set up a dedicated personal account with access for your day-to-day tasks
- Enable/require Single Sign-On (SSO) for all members.
- Enable/require Multi-Factor Authentication (MFA) for all members. It's recommended to have at least one backup MFA option.
- Add Atlar to your own company’s offboarding-checklist
Programmatic access
As with human users, follow the Principle of Least Privilege for programmatic access users. Only allow the programmatic access credentials to access exactly what you want your system to be able to access. The following practices are recommended:
- Don't share the Access Key and Secret over email, company chats, etc. Remember that these credentials, depending on what access you’ve given them, can be seen as login credentials to your bank!
- If the secret gets compromised, immediately delete the programmatic access user in the Atlar dashboard and create a new set of credentials by creating a new programmatic access user.
Beware of phishing attacks
- Atlar support will never ask for your password or programmatic access credentials.
- Don’t click on links in emails that seem to come from Atlar, unless you were expecting such an email (e.g. when signing up, clicking “forgot password”, being invited to Atlar by a colleague, etc.). Someone could try to imitate legitimate emails coming from Atlar and lead you to a malicious site.
How to recover from lost MFA, password, or API keys
- MFA (Multi-Factor Authentication): To ensure you can always access your account, add multiple MFA options. This way, you can use an alternative MFA method to log in. Remember to remove any lost MFA option to protect your account. If you've lost all MFA devices and are locked out of your account, contact Atlar for manual MFA disabling. This process includes a verification step to ensure that only authorized users regain access to the Atlar Web app.
- Passwords: If you’ve forgotten your password, you can reset it by visiting the Forgot password page. Note that you need to have an account with a previously verified email to reset the password.
- API keys: If the secret gets compromised, immediately delete the programmatic access user in the Atlar dashboard and create a new set of credentials by creating a new programmatic access user. If you forgot to store the API secret when retrieving it, you can create a new programmatic access user in the Dashboard.