This article lists the changes of the XMedius Cloud platform and services as of 2020-01-22.
Enhanced Password Policies
- Minimum length for User and Administrator passwords
- Password Complexity
- Password History
- Password Expiration
  - Administrators can configure an expiration (in days) for passwords.
  - Once a password is expired, Users will be prompted to change their password.
  - Administrators can also enable a Password Expiration Reminder email.
  - It is possible to override the account's Password Expiration policy by setting Password Never Expires on selected User accounts.
- Password Must be Changed at Next Logon
Users are now notified by email when their password is changed.
XMedius highly recommends that Administrators review their account's Password Policies.
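The policies listed above combine into one check at password-change time and one check at logon time. The following is an added example (not XMedius code) showing how such a policy could be enforced: minimum length, a complexity rule (assumed here to mean at least three of four character classes), a reuse history, an expiration with a reminder window, the per-user Password Never Expires override and the Must Be Changed at Next Logon flag. The policy and credential shapes, the PBKDF2 hashing and the 12-character default are assumptions for the example.

```python
"""Password policy enforcement. Added example; field names and defaults are assumed, not XMedius's."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class PasswordPolicy:
    min_length: int = 12                 # assumed default
    require_complexity: bool = True      # assumed: at least 3 of 4 character classes
    history_size: int = 5                # number of previous passwords that may not be reused
    expiration_days: Optional[int] = 90  # None: the account has no expiration policy
    reminder_days: int = 7               # send the reminder email this many days before expiry


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    changed_on: date
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest) of older passwords
    never_expires: bool = False          # per-user "Password Never Expires" override
    must_change: bool = False            # "Password Must be Changed at Next Logon"


def _derive(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so history entries can be compared without storing plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def new_credential(password: str, changed_on: date) -> Credential:
    salt = os.urandom(16)
    return Credential(salt=salt, digest=_derive(password, salt), changed_on=changed_on)


_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def violations(policy: PasswordPolicy, cred: Credential, candidate: str) -> List[str]:
    """Return the policy rules a proposed new password breaks (empty list means acceptable)."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("min_length")
    if policy.require_complexity and sum(bool(re.search(c, candidate)) for c in _CLASSES) < 3:
        problems.append("complexity")
    # Reuse check covers the current password and the retained history.
    for salt, digest in [(cred.salt, cred.digest)] + cred.history:
        if hmac.compare_digest(_derive(candidate, salt), digest):
            problems.append("history")
            break
    return problems


def password_status(policy: PasswordPolicy, cred: Credential, today: date) -> str:
    """Logon-time check: 'must_change', 'expired', 'expiring_soon' (reminder email) or 'ok'."""
    if cred.must_change:
        return "must_change"
    if cred.never_expires or policy.expiration_days is None:
        return "ok"
    age = (today - cred.changed_on).days
    if age >= policy.expiration_days:
        return "expired"
    if age >= policy.expiration_days - policy.reminder_days:
        return "expiring_soon"
    return "ok"


def change_password(policy: PasswordPolicy, cred: Credential, candidate: str, today: date) -> Credential:
    """Apply a change: reject on any violation, otherwise rotate the current digest into history."""
    problems = violations(policy, cred, candidate)
    if problems:
        raise ValueError("password rejected: " + ", ".join(problems))
    history = ([(cred.salt, cred.digest)] + cred.history)[: policy.history_size]
    salt = os.urandom(16)
    return Credential(salt, _derive(candidate, salt), today, history, cred.never_expires, False)
```

Note that a successful change clears `must_change` and resets the expiration clock, while `never_expires` is carried over because it is a property of the user, not of the individual password.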
Disabling of built-in Passwords
- When using only email-to-fax (and email notifications), a User may not need to authenticate against the platform's login page.
- When using external SSO, built-in account authentication may not be required for most accounts.
It is now possible to disable the use of a platform's password on individual User accounts, either at account creation or by editing the Security Settings of an existing account. This does not impact the ability to login via SSO.
Once the built-in password is disabled, a User cannot perform a Password Reset (I Forgot My Password).
For security reasons, it is recommended to disable built-in passwords on accounts that don't need them.
Mandatory Two-Factor Authentication (2FA)
- In the account settings, Administrators can set Two-Factor Authentication to be Optional (same as before) or Mandatory.
- This setting applies to Users authenticating against the platform's built-in login page. It has no impact on the external SSO login flows.
- If set to Mandatory:
Users are now notified by email when their 2FA is enabled or disabled.
User Account Locking
- In the account settings, Administrators can now configure the number of failed login attempts before an account gets locked, as well as an auto-unlock policy (in minutes).
- A default of locking access after 6 failed login attempts and auto-unlocking after 30 minutes has been applied to all accounts.
- Locked accounts are identified with a "Locked" tag in the Users administration page and a filter has been added to easily identify them.
- Administrators can manually unlock a locked account from the User Account Security page.
Users are now notified by email when their accounts are locked because of too many failed login attempts.
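The lockout behaviour above (a failure counter, a lock after the configured number of failures, a timed auto-unlock, a manual Administrator unlock and a notification email when the lock is applied) can be expressed as a small state machine. The following is an added example, not XMedius code, using the page's defaults of 6 attempts and 30 minutes; treating an auto-unlock value of 0 as "stay locked until an Administrator unlocks" is an assumption for the example.

```python
"""Failed-login lockout with auto-unlock. Added example; the data shapes are assumed, not XMedius's."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple


@dataclass
class LockPolicy:
    max_failures: int = 6          # page default: lock after 6 failed attempts
    auto_unlock_minutes: int = 30  # page default; 0 is assumed to mean "until an Administrator unlocks"


@dataclass
class AccountState:
    failures: int = 0
    locked_at: Optional[datetime] = None


def is_locked(policy: LockPolicy, state: AccountState, now: datetime) -> bool:
    """True while the lock is in force; expires the lock once the auto-unlock window has passed."""
    if state.locked_at is None:
        return False
    window = timedelta(minutes=policy.auto_unlock_minutes)
    if policy.auto_unlock_minutes > 0 and now - state.locked_at >= window:
        state.locked_at = None
        state.failures = 0
        return False
    return True


def record_attempt(policy: LockPolicy, state: AccountState, now: datetime,
                   password_ok: bool) -> Tuple[str, Optional[str]]:
    """Apply one login attempt.

    Returns (outcome, notification): outcome is 'locked', 'success' or 'failed';
    notification is 'lock_email' exactly once, when the lock is first applied.
    """
    if is_locked(policy, state, now):
        # Refuse even a correct password while locked, so attempts made during the
        # lock window give no feedback about whether a guess was right.
        return "locked", None
    if password_ok:
        state.failures = 0           # a good login resets the counter
        return "success", None
    state.failures += 1
    if state.failures >= policy.max_failures:
        state.locked_at = now
        return "locked", "lock_email"
    return "failed", None


def admin_unlock(state: AccountState) -> None:
    """Manual unlock from the User Account Security page: clears both the lock and the counter."""
    state.locked_at = None
    state.failures = 0
```

The lock check runs before the password is considered, and the counter is only reset by a successful login, an auto-unlock or a manual unlock; those two choices are what keep the limit meaningful against an attacker who keeps retrying.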
Restricted Access to Enterprise Account
Account Administrators can now enable a Restricted Access mode on the Enterprise Settings page. When enabled, XMedius Customer Service Agents and Reseller Administrators (for those whose accounts can be managed by their Resellers) will completely lose access to the customer's account data and settings.
This can be used to meet internal security and contractual requirements. Customers should however be aware that blocking access to their account will prevent support teams from reviewing any account configuration and might require more customer involvement in the resolution of support tickets.
Disabling Email-To-Fax Support
A new dedicated setting has been added to enable or disable support for Email-To-Fax. By default, new accounts will have email-to-fax disabled and Administrators requiring the feature will need to enable the functionality (in the Enterprise Settings page). Email-to-fax remains enabled for accounts created prior to this update.
In order to prevent abuse due to email address spoofing, Administrators should immediately enable IP filtering or SPF record check when enabling this functionality.
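The two controls recommended above are both sender-authorization checks on the inbound message: IP filtering compares the connecting address against an allow-list, and an SPF check asks whether the sender's domain authorizes that address. The following is an added example, not XMedius code, of both checks side by side. The SPF evaluator handles the `ip4`, `ip6`, `include` and `all` mechanisms with their qualifiers and stops at the 10-lookup limit RFC 7208 sets for DNS-querying terms; the DNS records, the allow-list and the "every enabled check must pass" acceptance rule are constructed for the example so that it runs offline.

```python
"""Sender authorization for inbound email-to-fax: IP allow-list and a minimal SPF evaluator.
Added example, not XMedius code. DNS is an in-memory table so the script runs offline."""
import ipaddress
from typing import Dict, List, Optional

# Constructed TXT records standing in for DNS (documentation domains only).
DNS_TXT: Dict[str, str] = {
    "example.com": "v=spf1 ip4:198.51.100.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:203.0.113.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",   # self-referencing record
}

# Constructed allow-list used for the "IP filtering" option.
ALLOWED_SENDER_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def ip_filter_allows(sender_ip: str) -> bool:
    """IP filtering: accept only connections from the configured networks."""
    ip = ipaddress.ip_address(sender_ip)
    return any(ip in net for net in ALLOWED_SENDER_NETWORKS)


def spf_check(domain: str, sender_ip: str, lookups: Optional[List[str]] = None) -> str:
    """Evaluate the SPF record of `domain` for `sender_ip`.

    Supported subset: ip4, ip6, include, all. Returns one of
    'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    """
    lookups = [] if lookups is None else lookups
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                     # no SPF policy published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            # An IPv6 sender is never contained in an IPv4 network and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            lookups.append(arg)
            if len(lookups) > 10:         # RFC 7208 caps DNS-querying terms at 10
                return "permerror"
            result = spf_check(arg, sender_ip, lookups)
            if result == "permerror":
                return "permerror"
            if result == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"                      # record exhausted without a match


def accept_email_to_fax(sender_ip: str, mail_from_domain: str,
                        use_ip_filter: bool = True, use_spf: bool = True) -> bool:
    """Assumed acceptance rule: every enabled check must pass; a softfail or neutral is not enough."""
    if use_ip_filter and not ip_filter_allows(sender_ip):
        return False
    if use_spf and spf_check(mail_from_domain, sender_ip) != "pass":
        return False
    return True
```

The example treats anything other than an explicit `pass` as a rejection, which is the conservative reading for a service that bills per fax; a deployment that wants to tolerate `softfail` would relax that one comparison in `accept_email_to_fax`.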
Security & Privacy Officer Contacts
Customers can now configure Security and Privacy contact information that will be used in the event XMedius has to reach out to discuss an important Security or Privacy matter.
Note that these contacts don't have authority over the account. Customers should keep this information up to date by going to the Enterprise Settings page.
- Administrators can now configure how long an invitation link is valid (default 7 days).
- Administrators can now configure how long a password reset link is valid (default 24 hours).
- Administrators can now export the Credit Transaction History data to CSV or Excel format in order to better analyze where credits are spent. The credit transactions now also indicate which service each usage relates to.
- The fax International Price List now contains Country and Destination names (in addition to Phone prefixes). Also, the rates of 246 Phone prefixes in the fax International Price List have been updated in line with market offers (147 prefixes decreased, 99 prefixes increased).
- Various other improvements and security fixes.