Email Lockout

An email lockout feature is provided in the case where multiple email acknowledgments with an invalid PIN are received by the system. This security feature will prevent an unknown user from overloading the system, or block access to the system by an unauthorized user.

Email lockout is determined by limiting the number of attempts by a user with an invalid email address and PIN combination. The lockout is for a configured number of minutes, after which you will again be allowed to send acknowledgment emails. Lockout is automatically enabled by default — you will be locked out for 30 minutes after 5 failed attempts. After 30 minutes the lockout will expire. Configure the keywords described in the table below to change the default values, or to disable the feature.

The lockout is per user and is tied to the email address and PIN. As such, while locked out, a user is still able to acknowledge a notification using another method, such as:

acknowledging a notification via the GNS queue
sending an email acknowledgment from a different (configured) email address (Ack ID and PIN must be included)
send an SMS using a configured SMS gateway address (Ack ID and PIN must be included)
acknowledgment a notification by telephone (Voice Address only).

A user will be notified by email when the maximum number of email acknowledgment attempts has been reached and the email address has been locked out. Lockouts are logged as events in the ELS.

Lockout settings will be persisted when the GNS is restarted.

GNS Configuration File Keywords

The following keywords can be configured in the Gns.cfg. Uncomment the keyword and change the default values. See the Shared Mail Keywords for more information.

Keyword	Description
PIN_LOCKOUT_MAX_ATTEMPTS	PIN_LOCKOUT_MAX_ATTEMPTS specifies the maximum number of invalid email address and PIN combination attempts before a user is locked out. Set to zero (0) to disable a lockout. Maximum number is 999. The default value is 5. This keyword is shared by POP server and the Graph API server.
PIN_LOCKOUT_DURATION	PIN_LOCKOUT_DURATION specifies the time in minutes that an email address and PIN combination will be locked out before automatic unlocking occurs. Set to zero (0) to lock out a user until that user is explicitly unlocked in the GNS PIN Manager in CygNet Explorer. Maximum value is 99,999. The default value is 30 minutes. This keyword is shared by POP server and the Graph API server. See Configuring a PIN for more information.
PIN_WORK_FACTOR	PIN_WORK_FACTOR specifies the work factor for PIN hashing: a number between 10 and 31. The default value is 12. This keyword is shared by POP server and the Graph API server. Note: PIN or password hashing is a method of string encryption using a hashing algorithm. Hashes are commonly used to store passwords to prevent them from being viewed. Most normal password hashes are poor because they don’t allow you to increase security over time as computers get faster. The work factor represents the time in seconds required to break the encryption. By increasing the work factor you can increase the cost of a brute force check if someone gets access to the PIN file.

Keyword

Description

PIN_LOCKOUT_MAX_ATTEMPTS

PIN_LOCKOUT_MAX_ATTEMPTS specifies the maximum number of invalid email address and PIN combination attempts before a user is locked out. Set to zero (0) to disable a lockout. Maximum number is 999. The default value is 5.

This keyword is shared by POP server and the Graph API server.

PIN_LOCKOUT_DURATION

PIN_LOCKOUT_DURATION specifies the time in minutes that an email address and PIN combination will be locked out before automatic unlocking occurs. Set to zero (0) to lock out a user until that user is explicitly unlocked in the GNS PIN Manager in CygNet Explorer. Maximum value is 99,999. The default value is 30 minutes.

This keyword is shared by POP server and the Graph API server.

See Configuring a PIN for more information.

PIN_WORK_FACTOR

PIN_WORK_FACTOR specifies the work factor for PIN hashing: a number between 10 and 31. The default value is 12.

This keyword is shared by POP server and the Graph API server.

Note: PIN or password hashing is a method of string encryption using a hashing algorithm. Hashes are commonly used to store passwords to prevent them from being viewed. Most normal password hashes are poor because they don’t allow you to increase security over time as computers get faster. The work factor represents the time in seconds required to break the encryption. By increasing the work factor you can increase the cost of a brute force check if someone gets access to the PIN file.

Unlocking a User

A blocked email address can be unlocked by an administrator via the GNS PIN Manager.