As an Admin User, you can enforce varying levels of security and authentication features. This article describes how you can have more control and set password requirements for account users, institute account lockouts, increase secure use of mobile devices to access Egnyte content from your domain, and other related authentication settings.
- Set the minimum password strength
- Require Standard Users or Power Users (employees) to change their password upon first logging in.
- Allow Standard Users to change their personal information (first name, last name, etc.).
- Change account lockout settings
- Permitting or denying offline access to Egnyte documents
- Mandating the use of a passcode lock on the mobile app
Advanced Authentication Package
- All Standard Authentication settings
- Set the minimum password length
- Require users to rotate their passwords on a designated time-frequency and prevent users from reusing recent passwords.
- Configure email alerts to users when their passwords change
- Configure email alerts to Admins when users reset their passwords
- Requiring the use of Two-step login verification (purchase required)
Password strengths can be set to Any, Good, or Strong.
Any: This password strength requires a password that is at least 8 characters long.
Good or Strong: These password strengths require a password that is at least 8 characters long. These passwords must also feature a varying degree of complexity, including upper and lower case letters, numbers, and special characters.
Password complexity is measured by Egnyte’s algorithm, which assigns each password a complexity score. This score determines whether a password meets the required Good or Strong password strength levels. Below are examples of complexity measurement:
- Password: abcd1234 Strength: Weak
Complexity Algorithm – This password earned complexity points for mixing letters and numbers, but lost complexity points for using consecutive lower case characters, consecutive numbers, and sequential numbers.
- Password: adcb1324 Strength: Good
Complexity Algorithm – The password earned complexity points for mixing letters and numbers, but lost points for using consecutive lower case characters and consecutive numbers.
- Password: Adcb1324 Strength: Strong
Complexity Algorithm – This password earned complexity points for mixing letters and numbers as well as using both lower and upper case letters, but lost points for using consecutive lower case characters and consecutive numbers.
By default, Egnyte requires new users to change their password upon first log-in. By deselecting the options for Standard and/or Power Users, users can skip this step and continue using the existing password assigned to them.
Egnyte has made it possible for Admins to require users to periodically change their passwords.
Note: This is a premium feature. If you're interested in this feature, please let us know by submitting an inquiry here, or contact your account manager.
This option is located within the Password Controls section.
First, decide how often you want to require your users to change passwords. Remember that this policy will apply to all users: Admins, Power Users, and Standard Users. You have five options for password rotation periods: 30, 60, 90 days, 6 months, and 1 year.
Next, decide whether you want to prohibit your users from re-using their password at the end of the password rotation period. You can prohibit users from using their last 1, 3, 5, or 10 passwords. Alternately, you can choose not to implement this feature by selecting “0.” We don’t recommend this. It doesn’t make much sense to require users to periodically change their passwords if they can re-use a password.
When it’s time for one of your users to change their password, they’ll be able to log into Egnyte using their old password, but they’ll immediately be prompted with the dialog box below requiring them to change their password.
Block Non-Web Access
If you enable the Block non-web access if passwords have expired option, all of the user's authentication tokens for their devices (Mobile App, Desktop App...) will be invalidated as soon as the user's password expires. They'll need to log into the Web UI to change their password and reauthenticate all of their devices.
If this option is disabled, the user's devices will continue to work until the user tries to log into the Web UI. At this time, they will be required to change their password and reauthenticate their devices.
Institute Account Lockouts
To configure account lockout, an Admin User should navigate to the Password Controls section. From here, toggle on Enforce account lockout and click Save.
Enforce account lockout: If this is disabled, a user will be able to make an unlimited number of login attempts. If enabled, the Admin needs to specify the number of consecutive failed login attempts users are permitted to make: 3, 5, 10, or 20 attempts.
Lockout duration: Specify how long (10 minutes, 30 minutes, or an hour) a user is locked out from new login attempts after they have exceeded the configured number of attempts. Alternately, opt to lock the user out until an admin manually unlocks their account. When you’re done making your selections, be sure to click Save at the bottom of this screen.
If you have decided to require Administrator unlocking, Power and Standard Users will be shown this screen upon login when they exceed the maximum allowable number of login attempts. Even if you opt to require Administrator unlocking, admin users who lock themselves out will be permitted to re-attempt access after one hour.
Note: Repeated attempts to use the same password to log-in will not count as additional log-in attempts. For example, if one of your employees tries to log-in with "Password", then “Sesame,” then “Open!”, then “Password” again, Egnyte will record three log-in attempts instead of four. We do this to prevent inadvertent lockouts by users or automated applications.
If a customer attempts to use one of their 10 most recent passwords to log-in, Egnyte will not count this as a log-in attempt. We’ve found that users frequently forget their new passwords after IT mandates a password change, and we don’t want to lock-out these users after they repeatedly enter their old passwords.
Once the user has contacted you to inform you that they are locked-out, you can unlock them by going to the Users and Groups tab within the Settings view. Check the status column of the Power or Standard Users view to see who is locked.
You can easily unlock a user by clicking the row containing their user record. When you do so, various options will become available in the User Taskbar above. Select the Unlock option.
Once you do so, the user’s status will change from Locked to Active.
If you quickly want to identify the unlocked users from among a large number of users, you can use the status column menu in the upper-right hand corner of the screen to sort your users accordingly.
It’s possible to unlock a large number of users by using the CSV export button. When you export a CSV containing all of your users, you’ll see a column indicating which ones are locked, active, or inactive. Add a new column with header SpecialAction next to the existing headers. Enter the word unlock in this column and re-import the users. This will unlock those users.
Mobile Device Controls
Local storage of files on a mobile device can be useful for employees who need to read or edit documents while they are offline, but local storage heightens the risk that documents can be viewed or copied if the device is lost or stolen. The first premium feature allows Admins to disable local storage.
In the Applications tab, Administrators can enable or disable mobile downloads for devices on their account with the Local Storage and Allow folder downloads options.
If local storage is allowed, Admin Users will be able to set a lifespan for locally-stored files after which these documents will be deleted automatically.
The second feature makes Admins able to mandate the use of passcodes when users access Egnyte from a mobile device. Passcodes are four-digit pins that appear when a user exits (but does not log out of) and then re-enters Egnyte’s mobile app. Passcodes help prevent unauthorized users from viewing Egnyte content after they have logged-in using a valid username and password.
If this option is selected, users will be prompted to set their passcode the next time they log-in to the mobile app.
Egnyte’s passcode feature allows Admins to practice defense-in-depth.
1. Admins can specify when a passcode will appear. For example, setting the passcode to appear after five minutes will require the user to enter a passcode if they leave the Egnyte app and re-open it 5 minutes and 1 second after initially logging in with their username and password. They would not have to enter the passcode if they left the app and re-opened it 3 minutes after logging in with their username and password.
2. Admins can set the passcode to appear immediately when a user leaves and re-enters the app while the device is offline (in airplane mode or otherwise without cellphone signal and wi-fi access).
3. Setting the device to wipe all local (downloaded) files after 10 incorrect passcode attempts adds an additional line of defense.
Encrypt Local Data
In addition to setting a passcode, users who are running versions 4.8 or later of our iOS or Android applications can also encrypt the Egnyte files stored locally on their phones or tablets. This encryption will make it vastly harder for an unauthorized user to read the contents of the mobile device if it is lost or stolen.
When you open a locally-stored file, the file is decrypted and stored in a temporary cache. The same is done when you use the Open In... option to open the file in a 3rd party application. While end users can manually turn on local storage encryption themselves via the App's settings, account Administrators can require this option for all users via the Applications tab of the Configuration Settings screen in the Web UI.
In the Applications tab, Administrators can enable or disable mobile downloads for devices on their account with the Local Storage and Allow folder downloads options. Users can still mark files for offline access to ensure consistent access to files, regardless of Internet connectivity.
Admins also have the ability to decide whether files can be viewed outside of the Egnyte mobile app with the Allow opening files into 3rd party apps setting.
Two-Step Login Verification
Finally, Admins can mandate the use of Two-step login verification (TSLV). TSLV requires the use of a third piece of information (in addition to username and password) to access an Egnyte account. To learn more about setting up TSLV, please read on here.