Egnyte Help Desk

Password Controls and other Advanced Security Features

Overview 

Set Password Strength 

Password Rotation 

Institute Account Lockouts

Mobile Device Controls

Two-Step Login Verification

Overview

As an admin user, you can enforce varying levels of password requirements for account users, some aspects of the use of mobile devices to access Egnyte content from your domain, and other related authentication settings.

Standard Authentication

  • Set the minimum password strength.
  • Require Standard Users or Power Users (employees) to change their password upon first logging in.
  • Allow Standard Users to change their personal information (first name, last name, etc.)
  • Change account lockout settings.
  • Permitting or denying offline access to Egnyte documents
  • Mandating the use of a passcode lock.

Advanced Authentication Package (purchase required)

  • Set the minimum password length 
  • Require users to rotate their passwords on a designated time frequency and prevent users from reusing recent passwords
  • Configure email alerts to users when their passwords change
  • Configure email alerts to admins when users reset their passwords
  • All Standard Authentication settings
  • Requiring the use of Two-step login verification
 

 Password Settings can be found under:  "Settings" / "Configuration" / "Security & Authentication"

Set Password Strength

Password strengths can be set to: "Any," "Good," or "Strong."

Any: This password strength requires a password that is at least 8 characters long.

Good or Strong: These password strengths require a password that is at least 8 characters long. These passwords must also feature a varying degree of complexity, including upper and lower case letters, numbers, and special characters. 

Password complexity is measured by Egnyte’s algorithm, which assigns each password a complexity score. This score determines whether a password meets the required Good or Strong password strength levelsBelow are examples of complexity measurement:

  • Password: abcd1234       Strength: Weak

Complexity Algorithm – This password earned complexity points for mixing letters and numbers, but lost complexity points for using consecutive lower case characters, consecutive numbers, and sequential numbers.

  • Password: adcb1324       Strength: Good

Complexity Algorithm – The password earned complexity points for mixing letters and numbers, but lost points for using consecutive lower case characters and consecutive numbers.

  • Password: Adcb1324      Strength: Strong

Complexity Algorithm – This password earned complexity points for mixing letters and numbers as well as using both lower and upper case letters, but lost points for using consecutive lower case characters and consecutive numbers.

Password Rotation

By default, Egnyte requires new users to change their password upon first log-in. By deselecting the options for Standard and/or Power Users, users can skip this step and continue using the existing password assigned to them.

 Egnyte has made it possible for admins to require users to periodically change their passwords. Please note that this is a premium feature; if you are interested in this feature please let us know by submitting an inquiry here, or contact your account manager. This option is located within "Settings" / "Configuration" / "Security & Authentication" / "Password Controls"



First, decide how often you want to require your users to change passwords. Remember that this policy will apply to all users: admins, power users, and standard users.  You have five options for password rotation periods: 30, 60, 90 days, 6 months, and 1 year.

Next, decide whether you want to prohibit your users from re-using their password at the end of the password rotation period. You can prohibit users from using their last 1, 3, 5, or 10 passwords. Alternately, you can choose not to implement this feature by selecting “0.” We don’t recommend this. It doesn’t make much sense to require users to periodically change their passwords if they can re-use a password.

When it’s time for one of your users to change their password, they’ll be able to log into Egnyte using their old password, but they’ll immediately be prompted with the dialog box below requiring them to change their password.

Institute Account Lockouts

To configure account lockout, an admin user should navigate to "Settings" / "Configuration" / "Security & Authentication" / "Password Controls" and toggle on "Enforce account lockout".

Enforce account lockout: If “Enforce Account Lockout” is disabled, a user will be able to make an unlimited number of login attempts. If enabled, the admin needs to specify the number of consecutive failed login attempts users are permitted to make: 3, 5, 10, or 20 attempts.

Lockout duration: Specify how long (10 minutes, 30 minutes, or an hour) a user is locked out after they have exceeded the configured number of attempts. Alternately, opt to lock the user out until an admin manually unlocks their account. When you’re done making your selections, be sure to click “Save” at the bottom of this screen.

If you have decided to require administrator unlocking, Power and Standard users will be shown this screen when they exceed the maximum allowable number of login attempts. Even if you opt to require administrator unlocking, admin users who lock themselves out will be permitted to re-attempt access after one hour.

Note that repeated attempts to use the same password to log-in will not count as additional log-in attempts. For example, if one of your employees tries to log-in with “Password,” then “Sesame,” then “Open!”, then “Password” again, Egnyte will record three log-in attempts instead of four. We do this to prevent inadvertent lockouts by users or automated applications.

If a customer attempts to use one of their 10 most recent passwords passwords to log-in, Egnyte will not count this as a log-in attempt.  We’ve found that users frequently forget their new passwords after IT mandates a password change, and we don’t want to lock-out these users after they repeatedly enter their old passwords.

Once the user has contacted you to inform you that they are locked-out, you can unlock them by going to the “Users and Groups” tab within the “Settings” view. Check the status column of the Power or Standard Users view to see who is locked.

You can easily unlock a user by clicking the row containing their user record. When you do, so various options will become available in the User Taskbar above. Select the “Unlock” option.


Once you do so, the user’s status will change from “Locked” to “Active.”

If you quickly want to identify the unlocked users from among a large number of users, you can use the status column menu in the upper-right hand corner of the screen to sort your users accordingly.

It’s possible to unlock a large number of users by using the CSV export button. When you export a CSV containing all of your users, you’ll see a column indicating which ones are locked, active, or inactive. Add a new column with header “SpecialAction” next to the existing headers. Enter the word “unlock” in this column and re-import the users. This will unlock those users.

 

Mobile Device Controls

Local storage of files on a mobile device can be useful for employees who need to read or edit documents while they are offline, but local storage heightens the risk that documents can be viewed or copied if the device is lost or stolen. The first premium feature allows admins to prohibit local storage.

If enabled, the mobile device controls will be available in Settings --> Configuration --> Applications.

Even if they allow local storage, admin users will be able to set a lifespan for locally-stored files after which these documents will be deleted automatically.

The second feature makes admins able to mandate the use of passcodes when users access Egnyte from a mobile device. Passcodes are four digit pins that appear when a user exits (but does not log out of) and then re-enters Egnyte’s mobile app. Passcodes help prevent unauthorized users from viewing Egnyte content after they have logged-in using a valid username and password.

If this option is selected, users will be prompted to set their passcode the next time they log-in to the mobile app.

Egnyte’s passcode feature allows admins to practice defense-in-depth.

1. Admins can specify when a passcode will appear. For example, setting the passcode to appear after five minutes will require the user to enter a passcode if they leave the Egnyte app and re-open it 5 minutes and 1 second after initially logging in with their username and password. They would not have to enter the passcode if they left the app and re-opened it 3 minutes after logging in with their username and password.

2. Admins can set the passcode to appear immediately when a user leaves and re-enters the app while the device is offline (in airplane mode or otherwise without cellphone signal and without wi-fi access).

3. Setting the device to wipe all local (downloaded) files after 10 incorrect passcode attempts adds an additional line of defense.

In addition to setting a passcode, users who are running versions 4.8 or later of our iOS or Android applications can also encrypt the Egnyte files stored locally on their phones or tablets. This encryption will make it vastly harder for an unauthorized user to read the contents of the mobile device if it is lost or stolen.

When you open a locally-stored file, the file is decrypted and stored in a temporary cache.  The same is done when you use the ‘Open In...’ option to open the file in a 3rd party application. While end users can manually turn on local storage encyrption themselves via the App's settings, account administrators can require this option for all users via the "Security" tab of the "Configuration" screen in the Web UI.

Administrators can enable or disable mobile downloads for devices on their account through the “Configuration” section of “Settings” in the Web UI.  Users can still mark files for offline access to ensure consistent access to files, regardless of Internet connectivity.

Administrators can also decide whether files can be viewed outside of the Egnyte mobile app.  This option is enabled by default and can be modified in the Web UI by navigating to Configuration --> Applications --> Mobile Applications.

Two-Step Login Verification

Finally, Admins can mandate the use of Two-step login verification (TSLV). TSLV requires the use of a third piece of information (in addition to username and password) to access an Egnyte account. To learn more about setting up TSLV, please read on here

Egnyte Community

Egnyte Community

Want to connect with other Egnyte users and our Egnyte team? Share ideas and ask questions in our Community.

Help Improve Egnyte

Every day we work hard to make Egnyte better with feedback from users to improve our products. Sign up to participate in Egnyte User Studies.