To protect data from unauthorized access, Movere utilizes two-factor authentication and short-lived tokens that are issued upon login. The actual authentication and token management is performed by specialized APIs and industry-standard providers such as Identity Server. Once the user’s identity is validated, the identity is stored in a token that has a lifespan of one day. This means that if a logged-in user closes their browser without logging out, opening the browser and navigating to the Movere site will allow access for up to one day after the original login. In addition to using short-lived tokens, the user’s identity is protected from impersonation and “man-in-the-middle” attacks.
To ensure a user’s account has not been compromised, Movere employs several validation techniques. First, it records system-specific information such as IP address, Internet browser version, display resolution, and other variables upon logon. Collectively, they are referred to as the users accessing system fingerprint. If the user’s system fingerprint changes, the user is prompted to enter a new seven-digit code that is sent over SMS or voice call. Second, if a user enters the wrong password three times consecutively, their account will be temporarily locked for 30 minutes. This prevents bots or other types of unauthorized users from “brute-forcing” their way into Movere.
IMPORTANT: Movere users can only access web content and all passwords are hashed using PBKDF2.