PDF Messenger and Web Email Protection users cannot reset their passphrase if their account is locked

Article ID: 165174

Products

Encryption Management Server Gateway Email Encryption

Issue/Introduction

If a PDF Messenger or Web Email Protection user locks their account by entering an incorrect passphrase more times than is configured in the Encryption Management Server console under Services / Web Email Protection / Options / Maximum Login Attempts, they receive an email message containing a URL that is needed to unlock their account.

The message they receive is based on the Message Template named Unlock Account. This can be found under Mail / Message Templates in the console.

The message is sent only once no matter how many times the user enters an incorrect passphrase.

If the user does not receive the message for any reason or cannot find it and tries to logon again, this message is displayed:

Authentication Warning
The credentials that you have supplied are incorrect or your account may be locked. Please try again, check your mailbox, or contact an administrator.

If the user tries to reset their password by clicking on the I lost my passphrase link from the logon screen, this message is displayed to them on the Passphrase Reset Message Sent page:

You will receive an email with a link to reset your passphrase. If your account is in the "Locked" state, check your mailbox for the "Symantec Encryption Server Account Unlock" email from Symantec Encryption Server, and follow the instructions in the email to unlock your account. Or please contact your administrator, if you do not receive the email.

If the user's account is locked, Encryption Management Server will not send the user the Symantec Encryption Server Account Unlock email message.

The user will often not be aware why they did not receive the Symantec Encryption Server Account Unlock message.

The user has no choice except to contact an Encryption Management Server administrator who can unlock their account. However, contacting an administrator is usually not a straightforward process for an external user.

Cause

This is by design. 

This authentication warning is deliberately ambiguous:
The credentials that you have supplied are incorrect or your account may be locked.

The reason for the deliberate ambiguity is that an attacker could attempt to authenticate with numerous email addresses. The ambiguous authentication warning does not let an attacker know whether an email address is valid or the precise reason authentication failed.

If Encryption Management Server informed the user that their account was locked out, an attacker would know that they would need to try authenticating with a different email address.
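To make this behaviour concrete, the following Python model reproduces the logic the article describes (uniform warning, lockout after Maximum Login Attempts, a single Unlock Account mail, and no reset mail for a locked account). It is an illustration written for this page, not code from Encryption Management Server; the in-memory account store, the failure counter, the "Passphrase Reset" template name and the use of None for the Unlimited setting are assumptions.

```python
"""Model of the lockout and ambiguous-warning behaviour described in this article.
Added illustration, not Symantec code; the store, counter and None-as-Unlimited
convention are assumptions. Message wording is quoted from the article."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

AUTH_WARNING = ("The credentials that you have supplied are incorrect or your "
                "account may be locked. Please try again, check your mailbox, "
                "or contact an administrator.")
RESET_PAGE = "You will receive an email with a link to reset your passphrase."


@dataclass
class Account:
    passphrase: str
    failures: int = 0
    locked: bool = False
    unlock_mail_sent: bool = False


@dataclass
class WebEmailProtection:
    accounts: Dict[str, Account]        # email -> Account (constructed data)
    max_login_attempts: Optional[int]   # None models "Unlimited" in the console
    outbox: List[Tuple[str, str]] = field(default_factory=list)  # (to, template)

    def login(self, email: str, passphrase: str) -> Tuple[bool, str]:
        acct = self.accounts.get(email)
        # Unknown address, wrong passphrase and locked account all yield the
        # same warning, so the response never reveals which case applied.
        if acct is None or acct.locked:
            return False, AUTH_WARNING
        if passphrase == acct.passphrase:
            acct.failures = 0
            return True, "ok"
        acct.failures += 1
        # Lock once the user has failed more times than Maximum Login Attempts.
        if self.max_login_attempts is not None and acct.failures > self.max_login_attempts:
            acct.locked = True
            if not acct.unlock_mail_sent:   # the Unlock Account mail is sent once
                self.outbox.append((email, "Unlock Account"))
                acct.unlock_mail_sent = True
        return False, AUTH_WARNING

    def request_passphrase_reset(self, email: str) -> str:
        acct = self.accounts.get(email)
        # Everyone sees the same page, but a locked (or unknown) account
        # gets no reset mail, which is the situation the article describes.
        if acct is not None and not acct.locked:
            self.outbox.append((email, "Passphrase Reset"))  # template name assumed
        return RESET_PAGE
```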

Environment

  • Encryption Management Server 3.3 and above running PDF Messenger or Web Email Protection.
  • PGP Universal Server 3.0 and above running PDF Messenger or Web Messenger.

Resolution

In the admin console under Services / Web Email Protection / Options / Maximum Login Attempts it is possible to configure Unlimited login attempts. If this change is made, external users will never be locked out.

If external users are permitted to attempt to logon with incorrect credentials an unlimited number of times, they will still not be informed whether the email address they are using is valid so there is still some protection against attackers.

Clearly, however, permitting unlimited logon attempts introduces a security risk, so please consider carefully whether to implement it.