If user account got compromised

Hi, we have approx. 1600 user accounts with no MFA. My query is to understand the possible risk related to a user's account. Let's assume one of our staff's accounts got compromised: what information can be exported by using a compromised credential, and what is the best recommendation to minimize this risk?

Welcome to the community, @Govind! So do you mean all your 1600 users share the same single set of credentials, or do they have different credentials?

Thanks, Kal. The 1600 users have different credentials, but you know breaking a password is not a big deal, especially if the users are allowed to choose their passwords freely. We have a password policy but don't have a tool to perform policy compliance checks. Obviously, this is a separate topic, but as of now, I am trying to understand what could be worse if an existing user account got compromised.

@Govind, we have not heard of this so far unless a user shares his/her user credentials with others. However, if you look at our roadmap we have the MFA feature that will be available soon:

If and in case a user loses his/her credentials he/she could reach us through support@kobotoolbox.org with the email id that was registered to the user account. We should then help with the verification of the account.

I understood your point, but my concern is related to compromised user credentials. If the account owner is not aware that his credential is compromised and someone else tries to access Kobo instances, then what information can the person fetch?

Furthermore, as per my understanding, once the data is transferred from a mobile device to the Kobo server instance it is considered to be safe, as other security protocols are already in place to protect the transferred data from unauthorized access. Is this the correct understanding? If yes, I would like to know: can an authenticated user re-access the transferred data using his/her credentials?

@Govind hi, theoretically, what can be compromised through accounts depends on their permission levels.

  • Does each user have access to view each submission?
  • Do users have permission to delete forms?
  • Do users have permission to edit forms?

And so on.

Wow, interesting. I am not a technical expert in KoboToolbox and would appreciate it if you could help me understand who can configure these settings, and under which options?

Sure thing @Govind,

There are two excellent articles about Managing Permissions and Row-Level Permissions. I would suggest you read those first, and if you have any questions or problems, the community will help you.