MyWorkPal is structured on a three-tier architecture, separating data, business logic and web front end. It is developed in C# ASP.NET / MVC5, using current technologies such as Entity Framework for rapid database design and AngularJS for UI capability, and follows an object-oriented approach to promote code re-use and consistent coding standards.

Functionality is provided via four routes:

  1. Web user interface, utilising the most current browser UI capabilities.

  2. Authenticated API services interfacing directly with the Web API layer.

  3. Scheduled tasks such as daily recalculations, automatic enrolment etc. - a Windows scheduled service interfacing with the API.

  4. Automatic scheduled download from a remote location - such as SFTP, Google Drive or Dropbox.

Data is structured in a logical manner, with access from the user interface mediated by the business-logic API framework.

Public UI components interface with internal business logic APIs over port 443 using TLS. Internal web APIs are typically restricted to internal traffic by firewall rules, so that communication is permitted only between the web UI and the database.

MyWorkPal “Torus” core platform is built on the following stack:

  • Azure SQL database
  • C# ASP.NET / MVC5 business logic web APIs
  • C# ASP.NET / MVC5 user interface layer
  • IIS on a separate VM


All data for an instance of MyWorkPal is stored in an Azure SQL database, including tenant configuration, module configuration, user details and site content. Each MyWorkPal platform is based on a single database catalogue. User input and data upload are controlled through appropriate data type controls to maintain integrity. The user interface validates user input through AngularJS, with a further layer of business logic validation behind it.


Data is protected at a role / permission level and at a data-owner level. Business logic on the Web API layer determines appropriate access to data from the authenticated user's claims.


All databases are encrypted at rest using Transparent Data Encryption (TDE) of database catalogues via Azure Managed Instance.


All API endpoints are developed securely to protect against attacks such as cross-site scripting and SQL injection. Access to endpoints requires user authentication, and the processing behind each endpoint performs further permission checks to ensure users are not attempting to traverse into other user accounts. The web API is tested as part of the annual penetration test.


MyWorkPal uses Entity Framework as the interface between application and database layer. The “code first” approach is used to configure and manage the database schema during the initial deployment as well as periodic updates and maintenance. 
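The following is an added example, not MyWorkPal's own code, showing how the claims-based access checks, the "no traversing into other accounts" rule and the Entity Framework data layer described above fit together in an ASP.NET Web API 2 action. The Report entity, the MyWorkPalContext DbContext, the "tenant_id" claim name and the route are assumptions made for this example.

```csharp
// Added example (not MyWorkPal's own code). An ASP.NET Web API 2 action that
// requires an authenticated caller, reads the user and tenant ids from the
// caller's claims, and scopes an Entity Framework (code-first) query so that
// a caller can only read records they own within their own tenant.
using System;
using System.Data.Entity;
using System.Linq;
using System.Net;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;

public class Report
{
    public int Id { get; set; }
    public int OwnerUserId { get; set; }   // data-owner level protection
    public int TenantId { get; set; }      // tenant isolation
    public string Title { get; set; }
}

// Assumed code-first context; the schema is generated from the entity classes.
public class MyWorkPalContext : DbContext
{
    public DbSet<Report> Reports { get; set; }
}

[Authorize] // every action on this controller requires an authenticated user
public class ReportsController : ApiController
{
    private readonly MyWorkPalContext db = new MyWorkPalContext();

    // Reads an integer claim issued by the identity service; a missing or
    // malformed claim is treated as "no access" rather than as id 0.
    private static int ClaimAsInt(ClaimsPrincipal user, string type)
    {
        var value = user.FindFirst(type)?.Value;
        if (value == null || !int.TryParse(value, out var id))
            throw new HttpResponseException(HttpStatusCode.Forbidden);
        return id;
    }

    // GET api/reports/{id}
    public async Task<IHttpActionResult> Get(int id)
    {
        var principal = (ClaimsPrincipal)User;
        var userId = ClaimAsInt(principal, ClaimTypes.NameIdentifier);
        var tenantId = ClaimAsInt(principal, "tenant_id"); // assumed claim name

        // Entity Framework translates this LINQ expression into a parameterised
        // SQL query, so the id and claim values are never concatenated into SQL
        // text (the SQL injection vector). The owner and tenant predicates stop a
        // user reaching another account's data by changing the id in the URL.
        var report = await db.Reports
            .Where(r => r.Id == id && r.TenantId == tenantId && r.OwnerUserId == userId)
            .SingleOrDefaultAsync();

        // 404 for both "does not exist" and "belongs to someone else", so the
        // response does not reveal which ids are in use by other accounts.
        if (report == null) return NotFound();
        return Ok(report);
    }

    protected override void Dispose(bool disposing)
    {
        if (disposing) db.Dispose();
        base.Dispose(disposing);
    }
}
```

The ownership predicate lives in the query itself rather than in a check performed after loading the row, so a forgotten post-load check cannot leak a record, and the only raw-SQL path (Database.SqlQuery with concatenated strings) is simply never used.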
 

Frequently Asked Questions

How are users authenticated on the system?


Username / password authentication through a dedicated Identity Service. Tenant users have the facility to add two-factor authentication through a static PIN, mobile authenticator app, U2F or client PKI certificate. All passwords are hashed using PBKDF2 with 2000 iterations.


Password complexity is controlled by system settings. The following password complexity checks are used:

  1. numeric characters are used
  2. there are lower case letters
  3. there are upper case letters
  4. there are special characters
  5. the password is ten or more characters in length
  6. there are no character repetitions.

 

By default, MyWorkPal requires 4 or more of the conditions to be met, along with a minimum length of 8 characters.
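As an added example (not MyWorkPal's own code), the checker below implements the six listed conditions with the documented default of at least 4 satisfied conditions plus a minimum length of 8. The reading of "no character repetitions" as "no character immediately repeated", and the tenant-level override via constructor parameters, are assumptions made for this example.

```csharp
// Added example (not MyWorkPal's own code): the password complexity policy
// described in the FAQ, with the thresholds as parameters so a tenant setting
// can override the defaults (4 conditions, minimum length 8).
using System;
using System.Collections.Generic;
using System.Linq;

public class PasswordPolicy
{
    private readonly int requiredConditions;
    private readonly int minimumLength;
    private const int LongPasswordLength = 10; // condition 5 in the list

    public PasswordPolicy(int requiredConditions = 4, int minimumLength = 8)
    {
        this.requiredConditions = requiredConditions;
        this.minimumLength = minimumLength;
    }

    // Each condition is evaluated independently so the caller can tell the
    // user which ones a candidate met, without revealing anything else.
    public IReadOnlyDictionary<string, bool> Evaluate(string password)
    {
        password = password ?? string.Empty;
        return new Dictionary<string, bool>
        {
            ["numeric"]   = password.Any(char.IsDigit),
            ["lowercase"] = password.Any(char.IsLower),
            ["uppercase"] = password.Any(char.IsUpper),
            ["special"]   = password.Any(c => !char.IsLetterOrDigit(c)),
            ["length10"]  = password.Length >= LongPasswordLength,
            // Assumption: "no character repetitions" means no adjacent repeat.
            ["norepeat"]  = !HasAdjacentRepeat(password),
        };
    }

    public bool IsAcceptable(string password)
    {
        password = password ?? string.Empty;
        // The minimum length is a hard requirement on top of the count.
        if (password.Length < minimumLength) return false;
        int met = Evaluate(password).Values.Count(v => v);
        return met >= requiredConditions;
    }

    private static bool HasAdjacentRepeat(string s)
    {
        for (int i = 1; i < s.Length; i++)
            if (s[i] == s[i - 1]) return true;
        return false;
    }

    // Console entry point: evaluates a few constructed candidates.
    public static void Main()
    {
        var policy = new PasswordPolicy();
        foreach (var candidate in new[] { "Tr0ub4dor!", "password", "Aa1!", "aaBB11!!xyz" })
        {
            var met = policy.Evaluate(candidate).Where(kv => kv.Value).Select(kv => kv.Key);
            Console.WriteLine($"{candidate,-14} acceptable={policy.IsAcceptable(candidate)} met=[{string.Join(",", met)}]");
        }
    }
}
```

Because the conditions are counted rather than all required, a long password with no special characters can still pass; the minimum length is therefore enforced separately and unconditionally.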


We do not implement a password blacklist.  

Depending on tenant configuration, the user can also connect their social media identity to allow logon through Google, Facebook or Windows Live using the OpenID Connect protocol.


Is there a password reset mechanism that end-users and administrators can use if they forget their account passwords?


A forgotten password mechanism is available on the admin and tenant portals, allowing a user to request a password reset link to be sent to the email address associated with an account. Inputting an email address on a tenant that isn't recognised as being associated with an account will not send a password reset email and, for security purposes, will not inform the user at the point of request that the email address is not recognised.

If an admin or tenant user has enabled two-factor authentication on their account and has forgotten or lost the ability to authenticate with it, they must contact a platform administrator to have the second factor removed from their account.


Does the system impose a password history count?


By default, users are unable to change their password to the last successfully set password. Optionally, this can be further configured at tenant level to:

  • Enforce a password change every nn days
  • Extend the password history count so that users cannot re-use any of the previous nn passwords on their account

When users attempt to set their password to one in the in-scope password history, they are not informed that the rejection is due to re-use, for security purposes.


Is an API gateway made available to platform owners so that they may connect their own application programming interfaces to the environment?


API endpoints are exposed via specific user authentication. Currently this is supported for retrieving reports data only, but can be extended to further services where required and appropriate.


Are user accounts locked on unsuccessful login attempts with a valid username?


An unsuccessful login attempt threshold is maintained on the platform, restricting attempts to authenticate against a valid user account with an incorrect password and/or second-factor authentication token.

Once the number of failed attempts to log in against a valid username has reached the threshold (typically set at 6, but configurable by the platform owner), the account is locked out for 15 minutes. Subsequent attempts within the 15 minutes are rejected, but the user is not informed that the account is locked.


After 15 minutes the user account has just one attempt to authenticate, and is locked again if that attempt is unsuccessful. Once the user has successfully authenticated, the failed login count is reset. Administrators have access to user event logs showing details of login attempts.
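The lockout rules above, modelled in an added example that is not MyWorkPal's own code: a configurable failure threshold (default 6), a 15-minute lock, a single permitted attempt once the lock expires, a counter reset on success, and one uniform "rejected" response so the caller cannot distinguish a locked account from a wrong password. The injected clock, the in-memory store and the audit callback are assumptions of the example; a real deployment would persist the state and write the audit entries to the user logs the FAQ mentions.

```csharp
// Added example (not MyWorkPal's own code): failed-login throttling with
// lockout. The clock is injected so the timeline can be exercised without
// waiting; credential checking is delegated to the caller.
using System;
using System.Collections.Generic;

public class LoginThrottle
{
    private class State
    {
        public int Failures;
        public DateTime? LockedUntil;
    }

    private readonly Dictionary<string, State> accounts =
        new Dictionary<string, State>(StringComparer.OrdinalIgnoreCase);
    private readonly Func<DateTime> now;
    private readonly int threshold;
    private readonly TimeSpan lockoutPeriod;

    public LoginThrottle(Func<DateTime> clock, int threshold = 6, TimeSpan? lockoutPeriod = null)
    {
        now = clock;
        this.threshold = threshold;
        this.lockoutPeriod = lockoutPeriod ?? TimeSpan.FromMinutes(15);
    }

    // True only on a successful authentication of an unlocked account. Every
    // failure path returns the same false, with the reason going only to the
    // audit log that administrators can see.
    public bool TryLogin(string username, Func<bool> credentialsValid, Action<string> audit)
    {
        if (!accounts.TryGetValue(username, out var s))
            accounts[username] = s = new State();
        var t = now();

        if (s.LockedUntil.HasValue && t < s.LockedUntil.Value)
        {
            audit($"{username}: rejected, locked until {s.LockedUntil.Value:u}");
            return false; // credentials deliberately not evaluated while locked
        }

        if (credentialsValid())
        {
            accounts.Remove(username); // success resets the count and the lock
            audit($"{username}: login succeeded");
            return true;
        }

        s.Failures++;
        // A LockedUntil value in the past means the lock has just expired and
        // this was the single permitted attempt, so a failure locks again.
        bool relock = s.LockedUntil.HasValue;
        if (s.Failures >= threshold || relock)
        {
            s.LockedUntil = t + lockoutPeriod;
            audit($"{username}: failed attempt {s.Failures}, locked until {s.LockedUntil.Value:u}");
        }
        else
        {
            audit($"{username}: failed attempt {s.Failures} of {threshold}");
        }
        return false;
    }

    // Console walk-through on a constructed timeline.
    public static void Main()
    {
        var clock = new DateTime(2024, 1, 1, 9, 0, 0, DateTimeKind.Utc); // constructed
        var throttle = new LoginThrottle(() => clock);
        Action<string> log = Console.WriteLine;
        Func<bool> wrongPassword = () => false;

        for (int i = 0; i < 7; i++)                      // sixth failure locks; seventh is rejected unevaluated
            throttle.TryLogin("alice", wrongPassword, log);
        clock = clock.AddMinutes(15);                    // lock expired: exactly one attempt allowed
        throttle.TryLogin("alice", wrongPassword, log);  // that attempt fails, so the lock is re-applied
        clock = clock.AddMinutes(15);
        throttle.TryLogin("alice", () => true, log);     // success clears the counter and the lock
    }
}
```

Evaluating the credentials only when the account is not locked keeps the response time of a locked account from leaking the lock state, and it means the password hash is not computed for every request during an automated guessing run.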


Is multi-factor authentication available for users and administrators?


A range of multi-factor / two-factor authentication (2FA) mechanisms are made available on the platform at Admin and Tenant User level, configured via settings on the platform by the platform owner. By default, users logging in to the Admin portal are required to set a second factor, while tenant users may configure one by choice.

MyWorkPal supports the following multi-factor authentication mechanisms:

  • Static Personal Identification Number (PIN) - users set their own 6 digit PIN. Once set, they are challenged to enter two random digits from it to confirm their identity
  • Authenticator mobile app - typically the Google or Duo authenticator app. Users register their account in the app by scanning a bar code and enter a number generated by the app on login
  • Client certificate - a PKI certificate installed on the user's computer and associated with their account
  • Universal Second Factor (U2F) device - a USB hardware device associated with the user's account that they must tap to indicate their presence when logging in
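Two of the mechanisms listed above, as an added example that is not MyWorkPal's own code: the authenticator-app code is a standard time-based one-time password (RFC 6238, HMAC-SHA1, 6 digits, 30-second step), and the PIN challenge picks two random positions of the stored 6-digit PIN. That the app codes are RFC 6238 TOTP, the one-step drift window, and the stored PIN value are assumptions of this example.

```csharp
// Added example (not MyWorkPal's own code): server-side verification of an
// authenticator-app TOTP code and of a two-digit static PIN challenge.
using System;
using System.Linq;
using System.Security.Cryptography;

public static class ConstantTime
{
    // Compares two strings without short-circuiting on the first mismatch.
    public static bool Equals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Totp
{
    private static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    // RFC 6238: HOTP (RFC 4226) over the number of time steps since the epoch.
    public static string Generate(byte[] secret, DateTime utc, int step = 30, int digits = 6)
    {
        long counter = (long)((utc - Epoch).TotalSeconds) / step;
        byte[] msg = BitConverter.GetBytes(counter);
        if (BitConverter.IsLittleEndian) Array.Reverse(msg); // big-endian counter
        using (var hmac = new HMACSHA1(secret))
        {
            byte[] h = hmac.ComputeHash(msg);
            int offset = h[h.Length - 1] & 0x0F;                 // dynamic truncation
            int binary = ((h[offset] & 0x7F) << 24) | (h[offset + 1] << 16)
                       | (h[offset + 2] << 8) | h[offset + 3];
            int mod = 1;
            for (int i = 0; i < digits; i++) mod *= 10;
            return (binary % mod).ToString().PadLeft(digits, '0');
        }
    }

    // Accepts the current step and one step either side to tolerate clock
    // drift on the phone; a wider window only makes guessing easier.
    public static bool Verify(byte[] secret, string submitted, DateTime utc, int step = 30, int drift = 1)
    {
        for (int i = -drift; i <= drift; i++)
            if (ConstantTime.Equals(Generate(secret, utc.AddSeconds(step * i), step), submitted))
                return true;
        return false;
    }
}

public static class PinChallenge
{
    private static readonly RNGCryptoServiceProvider Rng = new RNGCryptoServiceProvider();

    // Two distinct 1-based positions chosen by the server and stored with the
    // login session, so the client cannot choose which digits it reveals.
    public static int[] NewChallenge(int pinLength = 6)
    {
        int a = RandomIndex(pinLength), b;
        do { b = RandomIndex(pinLength); } while (b == a);
        return a < b ? new[] { a + 1, b + 1 } : new[] { b + 1, a + 1 };
    }

    private static int RandomIndex(int n)
    {
        var buf = new byte[4];
        Rng.GetBytes(buf);
        return (int)(BitConverter.ToUInt32(buf, 0) % (uint)n); // bias negligible for n = 6
    }

    public static bool Verify(string storedPin, int[] challenge, string answer)
    {
        if (answer == null || answer.Length != challenge.Length) return false;
        var expected = new string(challenge.Select(p => storedPin[p - 1]).ToArray());
        return ConstantTime.Equals(expected, answer);
    }

    public static void Main()
    {
        var secret = System.Text.Encoding.ASCII.GetBytes("12345678901234567890"); // RFC 6238 test secret
        var now = new DateTime(2024, 1, 1, 9, 0, 0, DateTimeKind.Utc);           // constructed time
        string code = Totp.Generate(secret, now);
        Console.WriteLine($"code {code} accepted 20s later: {Totp.Verify(secret, code, now.AddSeconds(20))}");

        int[] positions = NewChallenge();
        string pin = "482915";                                                   // constructed stored PIN
        string answer = new string(new[] { pin[positions[0] - 1], pin[positions[1] - 1] });
        Console.WriteLine($"digits {positions[0]},{positions[1]} -> {Verify(pin, positions, answer)}");
    }
}
```

The TOTP secret is what the bar code scanned at enrolment carries (base32-encoded), so it must be stored with the same care as a password hash's salt and key material; the PIN challenge, by contrast, only works if the server can read the PIN digits, which is why that factor is paired with the lockout threshold described earlier.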


Each tenant, including the admin portal, has settings defining which methods can be offered to users. A separate setting defines whether MFA is enforced. For example, the Admin tenant allows MFA and enforces it, so users must set a second factor and log in with it. A tenant may instead allow MFA but not enforce it, so users can elect to secure their login by setting a second factor through their account page. In both cases the range of methods available to the tenant is defined via a setting.


Does your application provide the means to mask personal or sensitive data when viewed by administrators or end-users?


The MyWorkPal administration portal and all tenant portals (for end users) can mask the information shown on screen when the user presses the Escape key. It is also possible to mask financial data on an end user's screen by default, revealing it only when a "view" switch is set.


How are emails sent from MyWorkPal?


MyWorkPal can be configured to relay emails via a client's or platform owner's own SMTP server, or to use our default third-party solution provided by Mailgun. Each platform domain configured to use Mailgun requires DNS records on the top level domain (e.g. @mydomain.com) to allow sending mail on behalf of that domain name.


Domains configured on MyWorkPal before 2019 are hosted in the United States. Domains can be moved to be hosted in the EU, and any new domains can be configured to work from the EU. Mailgun is self-certified to the EU-US Privacy Shield Framework maintained by the US Department of Commerce (Privacy Shield). You can inspect the certification in the Privacy Shield list of the US Department of Commerce by searching for “Mailgun” here: https://www.privacyshield.gov/list.


More information about MailGun's GDPR compliance can be found here.


See the attached Mailgun Data Processing Addendum v4-12-18.


Are Single Sign On (SSO) protocols supported by MyWorkPal?


The SAML2 Single Sign On protocol is supported on MyWorkPal, enabling users to log on to third-party services' websites without having to authenticate with a username / password. Each SSO configuration is the responsibility of the platform owner, including the scope of personal and identifying data passed to it. Users' MyWorkPal authentication details are not passed to the third party via SSO tokens.


Single Sign On into MyWorkPal is supported via the WS-Federation authentication method. Platform owners are responsible for configuring inbound single sign on.


Is data encrypted in transit when travelling across public networks?


Information gathered via the web application is protected to industry standard levels. The website configuration, related processes and procedures maintain the confidentiality, integrity and availability of information at all times. 


Traffic is routed over HTTPS and protected by TLS, using 2048-bit certificate keys.


Public UI components interface with internal business logic APIs over port 443 using TLS, also protected by certificates with 2048-bit keys.


The content of files or emails is not encrypted, but the method of transmission is encrypted as described above. The content of emails is under the full control of the platform owner; Avantus recommends that no personal or sensitive data is communicated by email. If data is required to be transferred out of the platform, this is managed over a secure protocol such as SFTP.


Can access to the system be locked down to specific locations?


MyWorkPal is typically hosted as a public web application to tenants across multiple and dispersed locations. There is no facility to lock specific tenants to geographic location by IP address. 


Instead, user access and security is managed by a wide range of controls including use of strong passwords, enforced password history, two factor authentication and secret key on account activation.


What options are available to control and secure user sessions once authenticated?


User security policies can be configured for each tenant, with settings for:

Use persisted session

If enabled, a "remember me" tick box is provided on the user login screen, allowing them to keep their logged-in session for up to 30 days. When ticked at the point of logging in, this sets a cookie on the browser to identify them. When they next visit the site after closing down their browser they will be automatically logged back in. Actively logging out via the Log Out link will reset the identifier, requiring them to log in again.
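How the persisted session and the inactivity timeout map onto ASP.NET's OWIN cookie authentication middleware, as an added example that is not MyWorkPal's own configuration. That the platform uses Microsoft.Owin.Security.Cookies, the "ApplicationCookie" authentication type, the login path and the TenantSessionPolicy setting names are assumptions of this example; the 30-day and 20-minute values are the ones stated in this section.

```csharp
// Added example (not MyWorkPal's own code): session cookie configuration for
// "remember me" (persisted, up to 30 days) versus a normal session cookie
// (discarded on browser close, 20-minute sliding idle timeout).
using System;
using System.Security.Claims;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Assumed per-tenant settings object mirroring the options in this section.
public class TenantSessionPolicy
{
    public bool UsePersistedSession { get; set; }   // "Use persisted session"
    public int IdleTimeoutMinutes { get; set; } = 20;
    public int PersistedSessionDays { get; set; } = 30;
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "ApplicationCookie",
            LoginPath = new PathString("/Account/Login"),
            // Inactivity timeout: the ticket expires 20 minutes after the last
            // request; SlidingExpiration renews it while the user stays active.
            ExpireTimeSpan = TimeSpan.FromMinutes(20),
            SlidingExpiration = true,
            // Sent only over HTTPS (port 443) and not readable by page scripts,
            // so a script injected into a page cannot read the session cookie.
            CookieSecure = CookieSecureOption.Always,
            CookieHttpOnly = true,
        });
    }
}

public static class SessionSignIn
{
    // Called after the identity service has verified the password and any
    // second factor. rememberMe comes from the "remember me" tick box.
    public static void SignIn(IOwinContext ctx, ClaimsIdentity identity, bool rememberMe, TenantSessionPolicy policy)
    {
        var props = new AuthenticationProperties();
        if (rememberMe && policy.UsePersistedSession)
        {
            // A persistent cookie survives closing the browser; an explicit
            // absolute expiry caps it at the tenant's persisted-session limit.
            props.IsPersistent = true;
            props.ExpiresUtc = DateTimeOffset.UtcNow.AddDays(policy.PersistedSessionDays);
        }
        // Otherwise a session cookie: gone when the browser closes and
        // subject to the sliding idle timeout configured in Startup.
        ctx.Authentication.SignIn(props, identity);
    }

    // The Log Out link: removes the cookie so the persisted identifier no
    // longer works and the user must authenticate again.
    public static void SignOut(IOwinContext ctx)
    {
        ctx.Authentication.SignOut("ApplicationCookie");
    }
}
```

The "remember me" option is honoured only when the tenant has enabled persisted sessions, so a tenant that switches the setting off cannot be bypassed by a client that submits the tick-box value anyway.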


Require regular password resets

If you require users in a tenant to reset their passwords on a regular basis, you can switch this option to Yes and set the number of days a password is valid for. Once this time has elapsed for the user, they are taken to a change password screen when they next log in, requiring them to create a new password. As with the forgotten password flow, they cannot set the new password to the same as the previous one, or to any in their password history as defined by Password history count.


Password history count

This defines the number of previous passwords stored against a user's account and disallows them from setting a new password to any one that matches. This count does not include the immediately previous password. For example, if you set the password history to 0, a user is still not allowed to change their password to the one they already have. If you set the count to 1, the password cannot be set to the one they already have OR the one before that.


Enhanced user security

Depending on how user security is set up on a tenant, user sessions are closed after 20 minutes of inactivity or on closing the browser. However, this is complicated by Google Chrome's ability to maintain a session even after the window has been closed, as part of its background extensions.


An optional "Enhanced user security" switch is also available to end the user session when any browser tab running a tenant screen is closed. This update is theme specific.


What data is transferred to an endpoint whilst using the service?


Whilst personal and sensitive data is transferred from the web server to the endpoint device (web browser on a computer or mobile device) it is not stored or cached on the device. 


MyWorkPal does store non-sensitive, unencrypted data in the HTML5 Local Storage area on a user's endpoint device. This stored data defines page layout and the objects available to the user, allowing complex pages to be rendered to screen quickly.