sunhux
asked on
mitigation for permanent API token (as can't implement per session API token)
Our IT apps team is considering using a "permanent API token" rather than
a "per login session API token" for our internal system to obtain truck drivers'
(or cargo drivers') sensitive identification numbers to be sent from Self Service
Terminals (which are placed in our premises with no Internet access, but these
SSTs are owned by an outsourced security guard firm, Certis).
I think the IT apps team has issues with implementing a "per session API token"
& they felt it's only a simple internal CRUD (Create Read Update Delete)
operation. Any concern with this?
If we were to use the 'permanent' token, should this token be refreshed
every 3 months (i.e. the token key has to be updated into the SST every
3 months & updated into our apps 3-monthly), or are there any other mitigations,
like using a firewall to restrict API calls between those few SSTs' IPs & our
internal system?
Leakage of the NRIC / passport # is punishable by local privacy laws.
ASKER
Can we safeguard API tokens by storing them in an HSM (just like
storing keys)? I presume an API token is different from an API key.
ASKER
can be expired yearly (i.e. force users to change their password
once a year), while a password of length 8 is usually required
to be changed every 60-90 days.
> 1. You are not using strong tokens.
In what way can an API token be stronger?
By making it longer?
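As an added illustration (not from the thread or any of its answers) of the mitigations raised in the question and in the last comment: token strength as unguessable entropy rather than mere length, hashed storage so a database leak does not expose usable tokens, the 3-monthly rotation with a short overlap so the SST can be updated without downtime, and a source-IP restriction to the terminals' subnet. The subnet, client id and dates are constructed assumptions.

```python
# Added example (not from the thread): a minimal server-side store for long-lived API tokens.
import hashlib
import ipaddress
import secrets
from datetime import datetime, timedelta, timezone

ROTATION = timedelta(days=90)  # the 3-monthly refresh proposed in the question
OVERLAP = timedelta(days=7)    # old token still accepted while SSTs are updated
SST_ALLOWLIST = [ipaddress.ip_network("10.20.30.0/29")]  # constructed SST subnet

def new_token(nbytes: int = 32) -> str:
    # 256 bits from the OS CSPRNG: strength is unguessable entropy, not mere length.
    return secrets.token_urlsafe(nbytes)

class TokenStore:
    def __init__(self):
        self._records = []  # (sha256 digest, client_id, expires_at); never the plaintext

    def issue(self, client_id: str, now: datetime) -> str:
        token = new_token()
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._records.append((digest, client_id, now + ROTATION))
        return token

    def rotate(self, client_id: str, now: datetime) -> str:
        # Earlier tokens of this client lapse after OVERLAP; the new one gets a full window.
        self._records = [(d, c, min(exp, now + OVERLAP) if c == client_id else exp)
                         for d, c, exp in self._records]
        return self.issue(client_id, now)

    def validate(self, token: str, src_ip: str, now: datetime):
        # Network check first: a leaked token is useless from outside the SST subnet.
        if not any(ipaddress.ip_address(src_ip) in net for net in SST_ALLOWLIST):
            return None
        digest = hashlib.sha256(token.encode()).hexdigest()
        for stored, client_id, expires_at in self._records:
            if secrets.compare_digest(stored, digest) and now <= expires_at:
                return client_id
        return None  # unknown, expired or rotated-out token

def demo() -> dict:
    # Lifecycle on a fixed clock (constructed dates): issue day 0, rotate day 80.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store, sst = TokenStore(), "10.20.30.2"
    old = store.issue("sst-01", t0)
    new = store.rotate("sst-01", t0 + timedelta(days=80))
    return {"old_from_sst": store.validate(old, sst, t0) == "sst-01",
            "old_from_elsewhere": store.validate(old, "192.0.2.9", t0) is None,
            "old_day_85": store.validate(old, sst, t0 + timedelta(days=85)) == "sst-01",
            "old_day_88": store.validate(old, sst, t0 + timedelta(days=88)) is None,
            "new_day_88": store.validate(new, sst, t0 + timedelta(days=88)) == "sst-01"}
```

Whatever the rotation interval chosen, the overlap is what keeps a scheduled refresh from becoming an outage at the terminals.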