Check offers several security features, such as login alerts and two-factor authentication, to help you add an extra layer of protection to your account.

Two-factor authentication

Two-factor authentication is an extra layer of security. You can use it to prevent other users from accessing your online accounts and data, even if someone knows your password. To enable it in Check, you'll need a two-factor app, like Google Authenticator, on your smartphone.

To enable two-factor authentication in Check: 

  1. Click your profile avatar in the bottom left of your workspace and select User Settings from the pop-out menu;

  2. Navigate to the Security tab and select the two-factor authentication checkbox.

Manage security alerts

Check sends an alert when someone tries logging in from a device or location we don't recognize, or when you have failed 4 login attempts. By default, these alerts are all enabled. If you want to disable them, follow these steps:

  1. Click your profile avatar in the bottom left of your workspace and select User Settings from the pop-out menu;

  2. Navigate to the Security tab and disable the toggles for the notifications.

If you don't recognize a sign-in reported in an alert, we recommend that you change your password immediately.

Secure browsing (HTTPS)

All data sent between your browser and the website that you are connected to is encrypted. We do not, however, currently encrypt traffic internally between services.

API tokens: Users can log in with application credentials without having to share them, because they are stored in tokens. A token informs the API that its bearer has been authorized to use it and perform actions.

Cloudflare for DDoS prevention (through Project Galileo)

A DDoS attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. Just as DDoS attacks are by their very nature distributed, Cloudflare's DDoS mitigation system is distributed across its massive global network.

SSH non-standard port (key required)

SSH is a protocol used to log in to our servers. SSH provides strong authentication and secure, encrypted data communications for administrators and operating services.

We run SSH on a standard port with public-key encryption. We use Amazon GuardDuty to alert us of attacks.

Iptables firewall (through Ferm)

Firewalls provided by AWS Security Groups and ACLs protect the server from unwanted traffic based on given rules (policy), which allow or block connections and control traffic.

Sessions are encrypted before being stored in a cookie

Cookies are short pieces of text that are stored by a visitor's browser and used as an identifier for a session. Data stored in our product cookies are encrypted so they are safe from being read by unauthorized parties.

Expiring sessions on sign-in and sign-out to avoid “Session Fixation”: To avoid attacks using an existing session ID, a new session ID is assigned every time a user logs in.
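
The session rotation described above, as an added example that is not Check's own code: a minimal in-memory session store (the class and function names are hypothetical) that expires the presented session ID on sign-in and sign-out, so an ID known before login never becomes an authenticated session.

```python
import secrets


class SessionStore:
    """In-memory server-side session table (hypothetical, for illustration)."""

    def __init__(self):
        self._sessions = {}  # session ID -> session data

    def _new_id(self):
        return secrets.token_urlsafe(32)  # unguessable random ID

    def start_anonymous(self):
        """Issue a session to a visitor who has not logged in yet."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, presented_sid, user):
        """Expire the ID the browser presented and issue a fresh one."""
        self._sessions.pop(presented_sid, None)  # old ID stops working
        sid = self._new_id()
        self._sessions[sid] = {"user": user}
        return sid

    def logout(self, sid):
        """Expire the session on sign-out so the ID cannot be reused."""
        self._sessions.pop(sid, None)

    def current_user(self, sid):
        session = self._sessions.get(sid)
        return session["user"] if session else None


def fixation_attempt_outcome():
    """Walk through the scenario; report what each session ID resolves to."""
    store = SessionStore()
    planted = store.start_anonymous()      # pre-login ID known to a third party
    fresh = store.login(planted, "alice")  # user signs in while presenting it
    after_login = (store.current_user(planted), store.current_user(fresh))
    store.logout(fresh)
    return planted != fresh, after_login, store.current_user(fresh)


if __name__ == "__main__":
    print(fixation_attempt_outcome())
```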

A permissions system to control access to database information

Different types of users are granted different levels of information access. Anonymous users (not logged in) do not have all the functions available to logged-in users. For logged-in users, the functionality differs depending upon their role in the system. For example, only authorized users who are granted delete permission can execute a successful deletion operation to remove content.

Security checks over source code (using Code Climate)

Code Climate performs an automated code review to ensure code health.
