Revoking access for a lost device

When a computer, laptop, or mobile phone used to access Haplo is lost, and you are managing access using Haplo internal accounts (not Single Sign On against a remote identity service), you should revoke access.

Revoking access (user accounts)

If you suspect the user has used a computer or device without full disc encryption and has used the “remember me” option in the web interface, invalidate all auto-login credentials to make sure access is revoked from that computer.

Your Name » System management » Configuration » Login options

If you are in any doubt, block the user’s account completely until you have made a full assessment of the loss and potential security breach.

Revoking access (devices)

Devices using Haplo Mobile store authentication tokens. These are revoked independently of passwords. Changing the user’s password does not remove this device’s ability to access information.

When a device is lost:

Your Name » System management » Users » Name of user

Scroll to the bottom to find the API keys, click on the key for the lost device, and click the Delete API key button.

Then:

Ask the user to change their password.
Where possible, initiate a remote wipe of the device.