Login | Lavawall

Log In

Lavawall® encryption and advanced authentication features use a combination of JavaScript and server-side technologies.
You will not be able to login successfully if you continue to block scripts.

Password Forgotten Password?

Forgotten Password

To reset your password, press the Help button on your Lavawall®. We will then send you an email with a one-time link to start the password reset process. The link expires within 5 minutes of pressing the button. Your service provider may also call you to make sure that everything is going smoothly.

To make your password reset as easy as possible, please:

Log into your email before pressing the button.
Open the link in the email from the same computer and web browser that you last used to log in.
Have your MFA device handy.

We are unable to retrieve your password. Your computer hashes it 1,000 times using PBKDF2 one-way encryption before we receive it and hash it some more.

Note: The first time you log in after changing your password, you will be prompted to select another person at your company to vouch for you to regain access to your information because a slow hash of your password is one of the pieces that we use to encrypt the key that gives access to your information. Another logged-in user can re-generate that key for you. We transfer it between users using public/private key encryption that uses a private key that is partially calculated on your computer to prevent us from being able to intercept it while your access is restored.

Extra Security Required

In addition to your username, password, and multifactor code, Lavawall® provides additional security by verifying that you are using the same computer and network as your last login.

You haven't logged in from this computer within one year.
(or your browser was upgraded, cookies were cleared, or IP address changed)

Before entering your multifactor code, please enter the Extra Security Code that should have just arrived in your email inbox in the Extra Security field.
If you do not receive an email with the subject of Lavawall Extra Security Code, please tap the Help button on your Lavawall® device to receive an email with an extra security code sent to your registered address.

Privacy Disclosure:
We determine the need for extra security by hashing together a random string of 255 characters that we store as a cookie on your computer for one year, your IP address, and your browser's agent information. We never record the cookie, your IP address, or your browser's agent information separately in our accounts database except in this hashed format. Since we don't retain your browser's cookie information after the cookie is written, we are also unable to determine this information by recreating the hash.
If you elect to receive this information in logs or notifications in your account settings, this information may be stored in our access logs, which is more readily associated with your account.

Extra Security Required

In addition to your username, password, and multifactor code, Lavawall® provides additional security by verifying that you are using the same computer and network as your last login.

Your computer or network appears riskier than usual and may be infected with a bot or malicious software.

After you enter your username, you will receive an email with an email with an extra security code. Enter that code in the Extra Security field.

Locked Out

Lavawall® has detected too many failed login attempts from your computer.

You will be locked out for the rest of the day.

If you need help logging in, please press the Help button on your Lavawall® to recover your username and to begin the process of resetting your password and multifactor authentication

Multifactor Code Lost MFA?

Reset MFA

To initiate an MFA reset, press the Help button on your Lavawall®. We will then send you an email with a one-time link to start the MFA reset process. The link expires within 5 minutes of pressing the button. Your service provider may also call you to make sure that everything is going smoothly.

To make resetting your MFA as easy as possible, please:

Log into your email before pressing the button.
Open the link in the email from the same computer and web browser that you last used to log in.
Have your MFA device handy.

I consent to using cookies

Details

I agree with the privacy policy

Details

Trust this computer

Details

No account? Activate your Lavawall® or Sign up

This console's servers and data are in Ireland and/or Canada
Other consoles: Canada ⋅ USA
Your ISP or our proxies may route Lavawall® data through other countries. Lavawall® uses Irish email servers.

Lavawall Cookies

Every time you sign in, we create, check, or update a cookie on your computer to reduce the need for extra security codes during subsequent logins. This cookie is configured to expire after one year of your last login and is used in combination with other data to keep you logged into the system. We store your last login time in our database to enforce PCI idle time re-authentication requirements. We reduce the likelihood of interception of these cookies by requiring them to be transmitted by HTTPS and reduce cross-site scripting attacks by requesting that your browser not provide them to website scripts or domains other than Lavawall.com.

This site also uses some cookies for AMP and other services provided through Cloudflare and other security- and reliability-related tools. It also includes content, fonts, cookies, and scripting from Google to provide fonts, analytics, and additional features. ThreeShield Information Security Corporation may also enable third-party chat and support tools that use third-party cookies.

Lavawall Privacy Policy

TL;DR
✔ We comply with all provisions of GDPR and PIPEDA
✔ We collect as little information as possible about you. If requested, we encrypt information that we don't require for automated functions in such a way that it can only be accessed using your password. (This is opt-in, since only companies with multiple authorized individuals will be able to recover this information if the password is reset.)
✔ We'll give you all of the information we can access about you; however, since we encrypt some of it with keys that are further hashed with a salted hash of your password, you will have to log in to access all of the information.
✔ We store your information in Canada, but send email from Ireland and route your traffic through Cloudflare.
✔ Your passwords, session keys, and cross-site request forgery mitigation tokens are all stored using salted slow hash algorithms. We hash your password on your computer before it hits the Internet so ThreeShield, Cloudflare, AWS, and any other companies that may have access to the traffic never have access to your password.

Your information is yours
In compliance GDPR, PIPA, and PIPEDA, we will provide you all of the information that we store about you, respond to requests to change the information, and will delete it on request. However, in addition to encrypting our entire database at rest, some business contact and position information is encrypted to prevent ThreeShield Information Security Corporation staff from accessing it without your consent. As such, you will need to be able to log into your account to view, modify, or delete your information.

Data Residency
All information on the Canadian Lavawall® console is stored and processed on servers physically located in Canada. However, the data goes through Cloudflare between your computer and our servers. Depending on your location, Cloudflare may route your data outside of Canada. In addition, we use Irish email servers for all emails sent from the Lavawall® console. This includes the additional security verification emails and notifications.

Minimal Information
In compliance with Canada's PIPEDA, Europe's GDPR, and various other privacy regulations, ThreeShield Information Security Corporation collects the minimum amount of personal data required to run the Lavawall® console. We also use one-way hash encryption techniques to allow us to secure your session from hijacking and cross-site request forgery without storing your IP address, cookie information, or browser fingerprint in a way that could be decrypted or accessed in connection with your account.

Third Parties
ThreeShield Information Security Corporation, Amazon Web Services, Cloudflare, Google, or one of our other security or hosting partners my include your IP address in web, firewall, or other logs. These logs do not include cookie or user information. However, these logs could be used to determine which Lavawall® and ThreeShield web pages you visited.
Additional information about Google is provided below.

Google
We use some Google services to understand traffic flow and to prevent abuse of the system as yet another security measure. This includes Google Analytics and Google reCAPTCHA. We have only implemented reCaptcha on login, signup, and other pages that don't have prior authentication. You can see if it is loaded on each page by looking for the blue and grey Recaptcha logo in the bottom right corner of your browser's window. ReCaptcha works by collecting hardware and software information, such as device and application data, and sending these data to Google for analysis. The information collected in connection with your use of the service will be used for improving reCAPTCHA and for general security purposes. It will not be used for personalized advertising by Google. By using the Lavawall® console, you consent to the collection and sharing of this data with Google.

Information Sharing
We do not share any information that we collect other than for billing, collection, and operational purposes. However, we do use third-party cookies for data analytics and support purposes. These cookies are not associated with information that we collect on the Lavawall® or other ThreeShield Websites. However, third-party support tools allow you to optionally provide your name and email information for support purposes.

How We Avoid Querystrings From Identifying You
The unique querystring parameter that is included in links within the console is one of our cross-site request forgery protection techniques. That querystring parameters may be included in logs. However, that parameter is encrypted using a salted one-way hash in our database. As such, it cannot be directly queried without knowledge of other information stored in our database, a cookie on your computer that is hashed with the querystring parameter and not independantly stored in our database, your browser fingerprint, and other random information. In addition, we only store the salted hash of that parameter in our database for up to the last five pages that you visited within the console. For this reason, excessive use of the refresh or back buttons in your browser will force you to log back into the conosole.

Personal and Business Information
We collect business contact information, including your name, business address, telephone number, business function, and email address solely for the purpose of configuring the Lavawall® service communicating with you in relation to your use of the Lavawall® and related services, including billing, and customer relationship management. We may determine your country or approximate geographic location in order to provide geographically-appropriate information and for billing purposes. We do not collect other personal information except for personal email addresses and names from people who send us email from personal accounts.

Tracking
We store a cookie on your computer to keep you logged into the service. It expires after one year, is only accessible by Lavawall.com through secure web access by HTTPS with script access disabled. We also give your computer a unique identifier that lasts until you visit another Lavawall® console page. This identifier is passed through links and web forms and provides additional protection against some attacks that may be able to access your cookies.

IP Address
Although your IP address is not stored as part of your Lavawall® account, your IP address may appear in our web logs, which may include the unencrypted version of a random number that we assign to every page access in your account. This number is stored in our database using a one-way hash that is salted with many other factors. As such, it is very unlikely that your IP address would be tied to your account through this value. We also store IP addresses associated with failed login attempts. However, once you successfully log in from that IP address, it is dissassociated from your account. Finally, we do store IP addresses on the same network as your Lavawall® hardware devices as you request within the console.

Denied Access
We do not deny products or services to individuals who fail to consent to the collection and use of the above Personal and Business Information beyond what is required for this console to work. However, since email addresses are used through some of our authentication methods, it is not possible to log into the Lavawall® console without authorizing the use of this information.

System Information
The Lavawall device (as opposed to this console) collects information about data and systems on your network for security and PCI compliance purposes. This includes the MAC and IP addresses of systems on the network, open ports, DNS names, IP addresses and FQDNs of accessed sites (such as payment gateways), and frequency of access. The training system uses names and email addresses along with your busisness function (such as front desk cashier, IT, or managemetn) in order to customize training for your position.

Legal Stuff
We might disclose personal or business information if we're required to do so to comply with court orders or when your actions violate one or more agreement that you have with us. However, we do not sell or otherwise provide your information to other companies for the marketing of their own products or services.

Questions or concerns?
Contact our designated privacy officer through the ThreeShield contact form at https://www.threeshield.ca/contact.

Stay Logged In

The Payment Card Industry (PCI) Data Security Standard (DSS) Requirement 8.1.8 requires users to re-authenticate to re-activate the terminal or sesion after a session has been idle for more than 15 minutes.

We have implemented this requirement for all functions that can influence the security of a physical Lavawall® device or computer. However, other Lavawall® features, such as the support desk and monitoring capabilities do not fall under the PCI requirements. By checking the Trust this computer option, these non-PCI features will allow users to directly access them from a computer where the user previously authenticated within the last year as long as the cookie, IP address, and browser information remains unchanged.

If you had previously logged in with MFA from thee same computer and checked this box, then the cookie and IP address will be used in place of MFA for your second factor.

Lavawall Consent

In effort to comply with various privacy regulations (including, but not limited to GDRP, PIPEDA, and PIPA), you must consent to Lavawall®'s cookie use and privacy policy.

The Canadian and American consoles have these boxes pre-checked, because these jurisdictions do not require affirmative consent.

The European console requires you to check the boxes in order to comply with GDPR.

Where does Lavawall® store your information and how is it protected?

Privacy and Security

Your data is stored in Canadian data centres. Lavawall® emails are initiated on Canadian servers and sent through email servers in Ireland.

Passwords are hashed using multiple rounds of PBKDF2 on your computer before being sent to our servers, where they are hashed again using additional rounds of PBKDF2. There is a slight delay after you click Sign In to allow for the hashing.

Your hashed password, unique initialization vectors, and unique salts are also used to encrypt your MFA secrets, asymetric encryption keys for communications between Lavawall® servers and hardware, logs, and other sensitive data. HTTPS communications are through TLS 1.3 or TLS1.2.

In addition to internal multi-factor authentication, IP restrictions, and other safeguards, our systems are also protected by third-party denial-of-service and web firewalls.