The following is a round-up of upcoming security improvements and changes to the Echo platform. Please note the Planned Release dates.
Blocking messages to unverified accounts
Updated: June 15, 2021
Release: August 19, 2021
Change: Echo will begin blocking messages for unverified emails and phone numbers. After implementation, when a message is sent from Echo to an unverified account, the user is given one week to verify their information before Echo begins blocking messages. During this grace period, the banner remains visible, and users receive an automated message from Echo prompting them to verify their information along with the first message they receive during this time.
This change impacts: All Echo users who have not verified their email and/or phone numbers.
Users can now verify their email addresses and phone numbers in the User menu > Settings controls. Where possible, Echo Administrators should encourage users to verify their information. A banner appears above the Echo toolbar prompting users to verify their information. They can click Settings to jump to user settings, or open their User menu and select Settings.
Reason for change: By verifying user's email and phone numbers, we are preventing communications and notifications from being sent to the wrong email or phone number. This protects potentially sensitive information from being shared and avoids an unintended recipient from getting unwanted email and notifications from the system.
Changing how updated passwords security works
Planned change: When a user's password is changed, any current sessions where that user is authenticated using the previous password will become inactive, and the user will have to login again with the new password.
Planned release: April 22, 2021
- If a user changes their own password and is using one browser, they will continue to be able to use Echo without having to sign in again as long as it is the same browser session.
- If a user changes their own password and is using multiple browsers, they will continue to be able to use Echo without having to sign in again with the same browser session. However, they will have to sign in with the new password in the other browser(s).
- If an admin changes a user's password while the user is using Echo, the user will have to sign in again with the new password.
Reason for change: This change will prevent an unauthorized user from sustaining access to an account by keeping the browser session active. Instead, the unauthorized user would be logged out after the password was changed.
Changing ‘Mail From:' COMPLETED
Planned change: The Mail From: domain will be changed from amazonses.com to buzz-mail.agilix.com. When messages are sent from Echo there is a Mail From field and From field. Mail From will be changing; From will continue to be email@example.com.
Planned release: April 29, 2021
This change impacts: Echo users hosted by Agilix at <schooldomain.echo-ntn.org or custom URL with an API address of api.agilixbuzz.com.
Reason for change: When messages are sent from Echo, there is a Mail From field and From field. The Mail From field is generally hidden in the email header and not normally visible to teachers or students, but is used by some school email systems to block undesirable e-mail. Because amazonses.com is used by thousands of other websites, technology departments have been hesitant to allow email from this domain to pass through the filter. This can prevent teachers and students from using Echo's communication tools. Having a custom Mail From domain that is used specifically for Buzz apps like Echo, will allow schools to open the door for emails from Echo while still preventing emails from other web sites.
Important Next Steps
If your email system restricts the domains that are allowed to message your students and teachers using the Mail From field:
- Add buzz-mail.agilix.com as authorized senders to your email filter
- After April 29, you can remove amazonses.com domain from your security rules.
Enhancing the security of Google Drive integration
Announced: June 15, 2021
Planned release: June 17, 2021
Planned change: We are enhancing the security of Echo's default Google Drive file picker. After this update, users who have already granted access allowing Echo to embed files may be asked to grant this access again.
This change impacts: All Echo users in domains with Google Drive integration.
Reason for this change: Improve security for users.
Echo is constantly being improved based on the feedback from users and we strive to keep our documentation up to date. If this document doesn’t match what you are seeing in Echo, please let us know.