
Step 3.2 Account Security Service

Updated: 2022/07/05 | Views: 1510

Following the update to the security review process, this document has been taken offline.


Account Security Service verification is an automated process in DataMoat.

You will need to integrate all user and admin login routines in the application with the LAZOP Account Security Service. The purpose of this step is to ensure controls are in place to detect common attacks on the authentication step, such as brute-force attacks and account enumeration.

The account risk control is implemented with the following two DataMoat APIs:

1. DataMoat Login API: this API should be invoked when the user submits a username and password to the application for verification. Regardless of the result of the server-side authentication, invoke the DataMoat Login API to log the access request.

2. DataMoat computeRisk API: the application should invoke the computeRisk API only when the username and password have passed the application's server-side verification. A risk value is then determined by DataMoat and returned to the application. If the risk value is greater than or equal to 0.5, second-factor authentication is required, which can be an SMS verification code, an email verification code or password questions. Only when the second-factor verification passes is the login successful. Otherwise, the login fails.


Account Security Service Verification

This step is verified with an automated test. Run your application and click the submit button to test whether the Account Security Service is implemented correctly. The test result is returned immediately. You may submit as many times as you need. Once the test is "passed", you will be redirected to the next required step in the process.

Common Error Scenarios

The common causes of Account Security Service automated test failures are listed below:

1. Question: Why do I get a "ServiceUnavailable" error when I invoke the Login API?

Answer: The "ServiceUnavailable" error is returned only when the API call is made to the wrong service endpoint. Unlike other Lazada Open Platform API products, DataMoat API endpoints do not contain region-specific information in the URL. In the DataMoat API, all regions share the same endpoint, https://api.lazada.com/rest, as documented in LAZOP > Documentation > DataMoat API.

2. Question: API calls fail due to an invalid accessToken.

Answer: A DataMoat API request is executed differently from other API products: no access token is required when invoking the Login API and the computeRisk API.

3. Question: Which seller account should I put into the "tid" parameter if one user is linked to multiple seller accounts?

Answer: Put all seller accounts into the "tid" parameter, separated by commas (",").

4. Question: Please explain in detail when to invoke the Login API and when to invoke the computeRisk API.

Answer: In summary, the Login API is invoked after the server-side verification of the username and password, and the computeRisk API is invoked only when that server-side verification succeeds. As shown in Figure 1 below, the detailed steps are:

  • The user logs in from the login page.
  • After the account and password are verified by the server, the Login API is called to send the log, regardless of the result of the login attempt.
  • If the login attempt fails verification at the application level, do not call the computeRisk API.
  • If the login attempt passes verification at the application level, call the computeRisk API to calculate the risk value. A risk value is then determined.
  • If the returned risk value is >= 0.5, the user account is at risk. Enable second-factor authentication in your application.
  • Some examples of second-factor authentication are listed here; choose any of these verification methods:
    • Mobile phone: an SMS with a random verification code is sent to the user, who must enter it to be verified.
    • Email: an email with a random verification code is sent to the user, who must enter it to be verified.
    • Password question: the question and answer filled in by the user at registration, which should be known only to the user, are verified.
  • If the second-factor verification passes, the login succeeds. Otherwise, the login fails.


Figure 1. Flowchart for User Verification Function
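The ordering rules from the steps above, as an added Python example that is not part of the Lazada documentation: the two DataMoat calls, the application's credential check and the second-factor check are injected as callables so the flow can be exercised offline without the LAZOP SDK. The keyword names `username` and `authenticated` and the fail-closed handling of a missing risk value are assumptions; only the `tid` parameter and the 0.5 threshold come from the page.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

RISK_THRESHOLD = 0.5  # page: a risk value >= 0.5 requires second-factor authentication


@dataclass
class LoginOutcome:
    authenticated: bool            # did the server-side username/password check pass
    risk: Optional[float]          # value from computeRisk, None when it was not invoked
    second_factor_required: bool
    success: bool                  # final login decision


def format_tid(seller_accounts: List[str]) -> str:
    """Join every seller account linked to the user with commas for the "tid" parameter."""
    cleaned = [s.strip() for s in seller_accounts if s and s.strip()]
    if not cleaned:
        raise ValueError("at least one seller account is required for tid")
    return ",".join(cleaned)


def process_login(
    username: str,
    password: str,
    seller_accounts: List[str],
    verify_credentials: Callable[[str, str], bool],        # the application's own check
    datamoat_login: Callable[..., None],                    # hypothetical wrapper for Login API
    datamoat_compute_risk: Callable[..., Optional[float]],  # hypothetical wrapper for computeRisk
    second_factor_passed: Callable[[], bool],               # SMS / email / password question
) -> LoginOutcome:
    tid = format_tid(seller_accounts)
    authenticated = verify_credentials(username, password)
    # Step 1: log every attempt through the Login API, whatever the result was.
    datamoat_login(username=username, tid=tid, authenticated=authenticated)
    if not authenticated:
        # computeRisk is skipped: it is only called after a successful server-side check.
        return LoginOutcome(False, None, False, False)
    # Step 2: ask DataMoat for the risk value of this successful credential check.
    risk = datamoat_compute_risk(username=username, tid=tid)
    # Fail closed (our assumption): no usable risk value is treated like a high one.
    if risk is None or risk >= RISK_THRESHOLD:
        return LoginOutcome(True, risk, True, second_factor_passed())
    return LoginOutcome(True, risk, False, True)
```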


FAQ

There is no FAQ for this document yet.