(If your Encyro account is part of an organization, see )
To enable or edit compliance settings, go to your account "Settings" and click "Compliance" in the left panel (on a mobile device, scroll down to "Compliance Settings").
The settings available are:
Require Strong Password
You may turn on the toggle switch next to "Require strong password..." to make sure you are required to use a strong password for your Encyro account.
- If you change this setting from OFF to ON, you will be asked to enter your current password, unless the system already knows your password is strong from a previous time you enabled this setting. If your current password is not a strong password, you will be prompted to change it. Your new password must be a strong password, meaning that it must contain a mix of uppercase and lowercase letters, numbers and symbols.
- If you currently do not have a password (for example, because you signed in with Google or Facebook), you will be asked to create a password for your Encyro account. When this setting is ON, you cannot use your Google (Gmail) or Facebook accounts to log in to Encyro. This is because Encyro cannot check if your Google or Facebook password is strong now or after a change.
When you turn on the automatic logout setting, you will be automatically logged out if you are logged in to Encyro but do not perform any activity on the Encyro website for 15 minutes (i.e., you are inactive for 15 minutes). Automatic logout is required as part of most data security standards compliance.
However, if you only access your Encyro account on a limited number of devices and you are certain that each of those devices (your work computer, home computer, laptop, smartphone, any other computers you use at remote sites) is already set to lock its screen if left unattended for 15 minutes or less, then you can use that screen lock to satisfy your compliance requirement. In this case, you may disable automatic logout from your Encyro account.
You may wish to activate screen lock on your devices following these instructions:
- Windows: https://blog.encyro.com/how-to-force-windows-10-to-lock-itself-after-inactivity-for-all-users/
- Mac: First set the display to turn off after inactivity and then require a password upon wake-up.
- Mobile devices (iOS, Android): See https://blog.encyro.com/digital-safeguards-for-device-security/ and scroll down (or find “iOS” and then “Android”). The instructions are under the section Device Encryption but describe both the screen lock and encryption together.
When this setting is ON, you cannot use your Google (Gmail) or Facebook accounts to log in to Encyro. This is because Encyro cannot check if your Google or Facebook accounts are set to log out automatically in case of inactivity (usually, they are not).
Message Access Without Password
You can optionally turn on or off the switch for "Allow others to receive messages from me or my organization without a password." If you turn this switch ON, you may select a number of days after which the message access links expire. When this is enabled, your recipients can simply click a link in their email to read the secure message you sent them. These links do expire to keep data secure.
Should I allow message access without a password: Data privacy standards require access control to protect data. One way to implement access control is to send a link that can only be accessed using the recipient's email account. Because regular email messages are not encrypted and you do not want the message access link to be stored without encryption forever, the links expire after a few days. So using message access links without a password can meet compliance requirements.
However, the traditional method to meet access control requirements is to require a password, even though that makes message access harder and may cause some users to simply give up on encrypted email and fall back to regular email.
So whether to allow such access or not is a subjective decision you must make. Our recommendation is this:
- If your contacts are themselves businesses (and subject to compliance), do not allow messages without a password (i.e., do require a password). They will make the extra effort to sign up for an account and benefit from password protection.
- If your recipients are consumers who may not be subject to compliance themselves, then do allow message access without passwords. Your recipients will continue to benefit from secure messages and the more security conscious among them will create a password.