The AVANSER Customer Portal allows the security restrictions to be customised to meet the differing requirements that clients may have.
Access these options through the Setting menu (the cog icon at the top of the menu) and the Security Options menu item.
AVANSER clients should familiarise themselves with the options presented on this screen and set them as appropriate for their business.
The page is split into two sections, User Authentication and Audio Download.
User Authentication
Options are provided to enforce password complexity or user restrictions, as below:
Password minimum 8 characters
When enabled, users must have at least eight characters in their password when setting a password.
Password must include at least 1 uppercase, 1 lowercase and 1 number
When enabled, users must have at least one A-Z uppercase letter, one a-z lowercase letter and one 0-9 number as part of the password when setting a password.
Password expires after 90 days
When enabled, users must change their password every 90 days.
Check for password history
When enabled, users must choose a new password each time a password is changed; they cannot simply recycle old passwords. The last five passwords are tracked.
Lockout user for too many incorrect login attempts
If enabled, the user's account is locked if an incorrect password is attempted more than five times. This setting is useful for protecting against a brute-force attack on user accounts. If the user's account is locked, the user needs to follow the password reset steps to regain access.
Lockout user who has not logged in for 6 months
When enabled, any user account that is not logged into for a 6-month period will be locked out. The user would then need to follow the password reset steps to regain access. These steps require that the user can receive an email at their registered email address. This feature is useful for blocking accounts that might have been left active inadvertently instead of being deleted as staff change.
Security Options apply to each client account specifically. If a user account has access across multiple client codes, the User Authentication rules from the primary account will apply.
Audio Download
The options in this section control who is able to access audio recordings on the client account. As recordings can contain sensitive or personally identifiable information, it is recommended that some form of access control is set for audio files.
Access Control
The Access Control option sets the type of restrictions that are placed on audio downloads. The options available are:
- No Security Restrictions - anyone with a link to the audio file is able to download or play the audio file. This setting can be convenient for listening to voicemails from missed call notification emails, but it is recommended that at least 'User Authentication' is activated so that forwarded emails cannot be viewed by a third party.
- IP Whitelist - a list of IP addresses from which connections are allowed to access audio recordings. This feature is useful when authorised users are in the same office, as it allows access to the recordings without a password prompt while users are in the office. When selected, an IP Whitelist field will be shown where each allowed IP address can be entered on a separate line.
- User Authentication - when selected, users must be logged into the Customer Portal to listen to audio files. If the user is not already logged in, clicking on a link will ask the user to log in before playing the file. If the user is already logged in, the audio file will play automatically.
- Both IP Whitelist AND User Authentication - when selected, BOTH the IP Whitelist and User Authentication conditions must be met. This option is appropriate when only some users in a larger office should have access to audio recordings.
- Either IP Whitelist OR User Authentication - when selected, EITHER the IP Whitelist OR the User Authentication condition must be met. This option is useful to give all users access to audio recordings without a password prompt when they are in the office, while also allowing access to users working remotely as long as they have a valid login to the portal.
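The five Access Control options can be compared by evaluating the same request under each of them. The following is an added illustration of the rules described above, not AVANSER's own code; the names AccessControl, parse_whitelist, may_play and modes_allowing are hypothetical, and the addresses are constructed from documentation ranges.

```python
import ipaddress
from enum import Enum

class AccessControl(Enum):
    NONE = "No Security Restrictions"
    IP_WHITELIST = "IP Whitelist"
    USER_AUTH = "User Authentication"
    BOTH = "Both IP Whitelist AND User Authentication"
    EITHER = "Either IP Whitelist OR User Authentication"

def parse_whitelist(field_text):
    """Parse the whitelist field: one IP address per line, blank lines ignored."""
    allowed = set()
    for lineno, line in enumerate(field_text.splitlines(), 1):
        entry = line.strip()
        if not entry:
            continue
        try:
            allowed.add(ipaddress.ip_address(entry))
        except ValueError:
            raise ValueError(f"line {lineno}: not an IP address: {entry!r}") from None
    return allowed

def may_play(mode, client_ip, logged_in, whitelist):
    """Decide whether a request for an audio link is served under `mode`."""
    ip_ok = ipaddress.ip_address(client_ip) in whitelist
    if mode is AccessControl.NONE:
        return True
    if mode is AccessControl.IP_WHITELIST:
        return ip_ok
    if mode is AccessControl.USER_AUTH:
        return logged_in
    if mode is AccessControl.BOTH:
        return ip_ok and logged_in
    return ip_ok or logged_in  # EITHER

def modes_allowing(client_ip, logged_in, whitelist):
    """List the modes under which this request would be served."""
    return [m.name for m in AccessControl if may_play(m, client_ip, logged_in, whitelist)]

# Constructed whitelist, as it would be typed into the IP Whitelist field.
OFFICE = parse_whitelist("203.0.113.10\n203.0.113.11\n\n2001:db8::5\n")

if __name__ == "__main__":
    # A forwarded link opened outside the office by someone without a login:
    print(modes_allowing("198.51.100.20", False, OFFICE))
    print(modes_allowing("203.0.113.10", False, OFFICE))   # in office, not logged in
    print(modes_allowing("198.51.100.20", True, OFFICE))   # remote, logged in
```

The first case shows why the page recommends against "No Security Restrictions": it is the only mode under which a forwarded link plays for an outside party.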
HTTP Rate Limits
HTTP rate limiting controls the number of server requests allowed within a specified time frame to prevent system overload. When configuring the limits, "Request Max Count" defines the number of allowed requests, "Request Max Seconds" sets the time window for these requests, and "Request Ban Expiry" determines the ban duration if the limits are exceeded. If a client surpasses these limits, the server responds with a 429 Too Many Requests error. This error signals the client to slow down its requests.
About hard limits
Be aware: for security reasons, the platform enforces a Hard Limit, blocking any IP address that exceeds 600 requests within a 60-second window (i.e., more than 10 req/s in any 60-second period). Ensure your 'Request Max Count' and 'Request Max Seconds' adhere to these maximums.
Request Max Count
The maximum number of requests that can be made from an IP address within a short time span. The default is 50 requests within the time period.
Request Max Seconds
The time span in which Request Max Count applies. The default value is 60, which means that if a user requests 51 files within a one-minute period, the IP address is blocked from any further requests for the time period set below.
Request Ban Expiry
The length of time (in seconds) that an IP address will be banned after making too many requests. The default value is 3600 seconds, so any block from a breach of the settings above will be removed after 1 hour.
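To see how the three settings interact, the model below replays timestamped requests against the default values (50 requests, 60 seconds, 3600-second ban). It is an added example, not the platform's implementation; the class and function names are hypothetical, and it assumes a sliding window per IP address and that requests made during a ban do not extend it.

```python
from collections import defaultdict, deque

class RateLimiter:
    """Per-IP request limiter modelled on the three settings described above."""

    def __init__(self, max_count=50, max_seconds=60, ban_expiry=3600):
        self.max_count = max_count        # Request Max Count
        self.max_seconds = max_seconds    # Request Max Seconds
        self.ban_expiry = ban_expiry      # Request Ban Expiry (seconds)
        self._hits = defaultdict(deque)   # ip -> timestamps inside the window
        self._banned_until = {}           # ip -> time at which the ban lifts

    def check(self, ip, now):
        """Return the HTTP status for a request from `ip` at time `now` (seconds)."""
        until = self._banned_until.get(ip)
        if until is not None:
            if now < until:
                return 429                # still banned
            del self._banned_until[ip]    # ban has expired
        hits = self._hits[ip]
        # Assumption: sliding window; drop timestamps that fell out of it.
        while hits and now - hits[0] >= self.max_seconds:
            hits.popleft()
        hits.append(now)
        if len(hits) > self.max_count:    # e.g. the 51st request within 60 s
            self._banned_until[ip] = now + self.ban_expiry
            hits.clear()
            return 429
        return 200

def simulate(requests, **settings):
    """Replay (ip, timestamp) pairs and return the status of each request."""
    limiter = RateLimiter(**settings)
    return [limiter.check(ip, ts) for ip, ts in requests]

# Constructed traffic: 51 requests one second apart from one address, a retry
# during the ban, a request from a second address, and a request from the
# first address once the 3600 s ban has expired.
SAMPLE = [("203.0.113.7", t) for t in range(51)]
SAMPLE += [("203.0.113.7", 600), ("198.51.100.9", 601), ("203.0.113.7", 50 + 3600)]

if __name__ == "__main__":
    statuses = simulate(SAMPLE)
    print(statuses[:50].count(200), "allowed, then", statuses[50:])
```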
Audio Security
Users must have access to the Tracking Number (BNUM) that the recording is generated on, as well as to the client account. This ensures that if emails are forwarded or links are shared, only users that have been granted access to the number the recording is associated with can access the recording.
This security restriction is only enforced when the Access Control is set to something other than "No Security Restrictions" on this page.