XMedius Cloud Update • 2020-01-22

Administrator -

This article lists the changes of the XMedius Cloud platform and services as of 2020-01-22.

Account Administration

(Update 21)

Enhanced Password Policies

Administrators can now configure the following Password Policies:
  • Minimum length for Users and Administrators passwords
    • This setting was available prior to this update.
    • In order to adhere to best practices, the minimum acceptable value has been set to 8 instead of 6. All accounts have been upgraded to meet this minimal condition; existing passwords that do meet the criteria are not affected by this change.
  • Password Complexity
    • The Administrators can now configure how many criteria must be met and how many characters of each type must be in the password.
  • Password History
    • Administrators can now configure how many past passwords cannot be reused.
  • Password Expiration
    • Administrators can configure an expiration (in days) for passwords.
    • Once a password is expired, Users will be prompted to change their password.
    • Administrators can also enable a Password Expiration Reminder email.
    • It is possible to override the account's Password Expiration policy by setting Password Never Expires on selected User accounts.
  • Password Must be Changed at Next Logon
    • It is now possible to require a password to be changed at next logon. This can be done both at User account creation or by editing the Security settings of an existing account.

Users are now notified by email when their password is changed.

XMedius highly recommends Administrators to review their account's Password Policies.

Disabling of built-in Passwords

Some usage scenarios may not require a User to have a password on the platform. For example:
  • When using uniquely email-to-fax (and email notifications), a User may not need to authenticate against the platform's login page.
  • When using external SSO, built-in account authentication may not be required for most accounts.
    • In this situation, it is advisable to keep a password on some Administrator accounts (ideally with 2FA enabled) in order to keep control over the account in case of issues with the SSO integration.

It is now possible to disable the use of a platform's password on individual User accounts, either at account creation or by editing the Security Settings of an existing account. This does not impact the ability to login via SSO.

Once built-in password is disabled, a User cannot perform a Password Reset (I Forgot My Password).

For security reasons, it is recommended to disable built-in passwords on accounts that don't need them.

Mandatory Two-Factor Authentication (2FA)

Two-Factor Authentication (Time-based One-Time Password, TOTP) can now be made mandatory:
  • In the account settings, Administrators can set Two-Factor Authentication to be Optional (same as before) or Mandatory.
  • This setting applies to Users authenticating against the platform's built-in login page. It has no impact on the external SSO login flows.
  • If set to Mandatory:
    • Users will be asked to configure their 2FA following a first successful login.
    • It is possible for Administrators to exclude specific User accounts from this requirement.

Users are now notified by email when their 2FA is enabled or disabled.

User Account Locking

Administrators can now configure automatic account locking policies:
  • In the account settings, Administrators can now configure the number of failed login attempts before an account gets locked, as well as an auto-unlock policy (in minutes).
  • Default value of locking access after 6 failed login attempts and auto-unlocking after 30 minutes have been applied to all accounts.
  • Locked accounts are identified with a "Locked" tag in the Users administration page and a filter has been added to easily identify them.
  • Administrators can manually unlock a locked account from the User Account Security page.

Users are now notified by email when their accounts are locked because of too many failed login attempts.

Restricted Access to Enterprise Account

Account Administrators can now enable a Restricted Access mode on the Enterprise Settings page. When enabled, XMedius Customer Service Agents and Reseller Administrators (for those whose accounts can be managed by their Resellers) will completely lose access to the customer's account data and settings.

This can be used to meet internal security and contractual requirements. Customers should however be aware that blocking access to their account will prevent support teams from reviewing any account configuration and might require more customer involvement in the resolution of support tickets.

Disabling Email-To-Fax Support

A new distinctive setting has been added to enable or disable support for Email-To-Fax. By default, new accounts will have email-to-fax disabled and Administrators requiring the feature will need to enable the functionality (in the Enterprise Settings page). Email-to-fax remains enabled for accounts created prior to this update.

In order to prevent abuse due to email address spoofing, Administrators should immediately enable IP filtering or SPF record check when enabling this functionality.

Security & Privacy Officer Contacts

Customers can now configure Security and Privacy contact information that will be used in the event XMedius has to reach out to discuss an important Security or Privacy matter.

Note that these contacts don't have authority over the account. Customers should keep this information up to date by going to the Enterprise Settings page.

Miscellaneous


  • Administrators can now configure how long an invitation link is valid (default 7 days).
  • Administrators can now configure how long a password reset link is valid (default 24 hours).
  • Administrators can now export the Credit Transaction History data to CSV or Excel formats in order to better analyze where credits are spent. The credit transactions now also indicate to which service each usage relates to.
  • The fax International Price List now contains Country and Destination names (in addition to Phone prefixes). Also, the rate of 246 Phone prefixes of the fax international Price List were updated in line with market offer (147 prefixes decreased, 99 prefixes increased).
  • Various other improvements and security fixes.
Have more questions? Submit a request

Comments

Powered by Zendesk