VIP Policy Configuration

You can view and configure the policy for Credentials for your VIP account. This policy allows you to:

Enable hardware and software VIP credentials that your end users can register within the VIP Self Service Portal. These credentials include the VIP Security Card, VIP Security Token, and the VIP Access app.

If you decide not to enable all VIP credentials by selecting No, you need to de-select the specific hardware and/or software credentials that you want disabled. Your selection does not affect previously-registered VIP credentials that may already be enabled.

Enable other credential types for your end users, including SMS text messages, Voice Calls, and Email messages.

Select how many credentials an end user can have registered at any one time.

Set credentials to expire if users do not use them to successfully authenticate themselves after a specified amount of time. For more information, see Setting Credentials to Expire, later in this topic.

Choose whether a credential can be registered to more than one end user within your organization at any one time.

Set VIP to automatically delete SMS, Voice, or Email credentials that are inactive for a set number of days. VIP performs this action nightly for any SMS, Voice, or Email credential (up to 50,000) that meets these criteria on that day.

Deleted credentials are permanently removed from VIP.

Set whether VIP sends SMS messages and voice calls to non-US numbers. If you enable this option, VIP will not send SMS messages or voice calls to numbers outside the United States.

Set whether VIP can automatically register a credential for a user using information from your identity store during the authentication flow. When the user attempts to log in without a credential, VIP obtains the configured out-of-band authentication methods from your identity store and automatically registers them as credentials for authentication.

Note: You must also select the credential type or types that you want to allow for this policy in the Enable other credential types policy on this tab, and in the Enable temporary security codes policy on the Policy > Components tab.


To set the Credentials policy for your VIP account:

Select Policies in the navigation bar at the top of the page.

Select the "Account" tab.

Click the Edit link to configure the Credentials policy settings.


You can also customize the Credentials policy at the user group level. Settings at the user group level overwrite the account policy settings for members of that user group.

The Credentials policy defined at the group level always overwrites the account policy. If a user belongs to more than one group with different Credential policies, the user is assigned the stricter policy using the following rules:

The user is allowed access to only the credential types enabled in all applicable policies.
The maximum credentials allowed is set to the larger of the numbers present in all applicable policies.
The user is assigned the stricter credential expiration policy, in the order Expire > Never Expire. The expiry time is set to the smaller time period present in all applicable policies.

See Editing the User Group Policies.


Setting Credentials to Expire

You can set credentials to expire if users do not use them to successfully authenticate themselves after a specified amount of time. Once a credential expires, it becomes inactive and can no longer be used to authenticate a user. An administrator can return the credential to a valid status in VIP Manager. The credential expiration setting applies to:

Hardware tokens and cards
VIP Access for Mobile or Desktop
SMS
Voice Call
Service-generated OTP authenticators
Email

The credential expiration policy does not apply to:

Passwordless Credentials
Remembered Device (set this expiration in the Remembered Device Policy)

If users are bound to a credential, the credentials expire after the date configured in this policy, based on the last validated date. If there is no last validated date (for example, the credential has never been used), VIP uses the date that the credentials were bound to the users.

If no users are bound to a credential, the credentials expire only if they are in the ENABLED state and have a last validated date. Otherwise, the credentials do not expire.
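
The multi-group merge rules and the expiration rules described above, written out as an added example for auditing an exported credential inventory; this is not VIP code or a VIP API. The class names, field names, and credential type labels are hypothetical, and it assumes the expiry period is expressed in days and counted from the reference date the text describes.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class CredentialPolicy:           # hypothetical model of one Credentials policy
    enabled_types: frozenset      # credential types this policy enables
    max_credentials: int          # credentials a user may have registered
    expiry_days: Optional[int]    # None means "Never Expire" (days are an assumption)

def effective_policy(policies):
    """Combine the policies of every group a user belongs to."""
    if not policies:
        raise ValueError("at least one policy is required")
    finite = [p.expiry_days for p in policies if p.expiry_days is not None]
    return CredentialPolicy(
        # only credential types enabled in all applicable policies
        enabled_types=frozenset.intersection(*(p.enabled_types for p in policies)),
        # the larger of the numbers present in the policies
        max_credentials=max(p.max_credentials for p in policies),
        # Expire beats Never Expire; the smaller time period wins
        expiry_days=min(finite) if finite else None,
    )

@dataclass
class Credential:                 # hypothetical inventory record
    state: str                    # e.g. "ENABLED"
    bound_on: Optional[date]      # None when no user is bound
    last_validated: Optional[date]

def expiry_date(cred, expiry_days):
    """Date the credential expires, or None if it does not expire."""
    if expiry_days is None:
        return None
    if cred.bound_on is not None:
        # bound: last validated date, else the date it was bound to the user
        start = cred.last_validated or cred.bound_on
    elif cred.state == "ENABLED" and cred.last_validated is not None:
        # unbound: expires only when ENABLED and previously validated
        start = cred.last_validated
    else:
        return None
    return start + timedelta(days=expiry_days)
```

Running expiry_date over an inventory with the result of effective_policy shows which credentials fall out of use before users report failed logins, and which unbound credentials never expire on their own.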