Credential Security Settings

Use the Credential Security Settings module to configure credential security settings and SMS message settings.

Credential Security Settings
Configure the credential security settings to set the level of security you want to maintain for each credential type.

Important: It is highly recommended that you select one of the predefined security levels (low, medium, or high) based on your organization's needs. Symantec has thoroughly tested these security levels, and verified their effectiveness.

It is not recommended that you configure the security settings manually for your credentials. However, if your security policy mandates that you manually configure the security settings, see Manually Configuring Credential Security Settings.

SMS Message Settings
Configure SMS message settings to enter sender information and message text for the SMS messages that send security codes to your users. See Configuring SMS Message Settings for details.

Configuring the credential security settings manually is not recommended, as it requires you to change settings that directly affect the security of the customer data you are trying to protect. If your security policy mandates that you manually configure the security settings, be sure you fully understand each setting, and how the settings work together. For more information on configuring security settings, see the following topics:

Manually Changing HOTP Event-Based Security Settings
Manually Changing HOTP Time-Based Security Settings
Manually Changing SMS/Voice/Email/Service-generated Security Settings
Manually Changing Vasco Time-Based Security Settings
If the predefined security levels are not suitable for your site, you can manually adjust the security settings. Manually setting the security level is not recommended. You should only set the security level manually if you fully understand each setting.

To manually change the security settings for HOTP Event-Based credentials, follow these steps:

Select Account in the navigation bar at the top of the page.

Click Credential Security Settings in the Links area on the right side of the page.

You see the Credential Security Settings page.

On the Credential Security Settings page, click Change Settings in the Actions column next to the HOTP Event-Based validation type.

On the Change HOTP Event-Based Credential Security Settings page, click set the security level manually at the bottom of the page.

You see more advanced options for configuring security levels.

Type a number for Maximum Validation Failures.

Maximum Validation Failures sets the number of times that a user is allowed to enter an invalid security code before the credential automatically locks. If a credential locks, the user cannot use the credential to sign in. Unless auto-unlock is enabled in the User and Credential Lockout policy (on the Policy > Credentials tab), the user must contact your help desk and request that an administrator unlock the credential.

Less secure: 32 validation failures
More secure: 5 validation failures
Symantec recommends: 10 validation failures

Select an option to enable or disable the Auto Sync feature.

Enable Auto Sync to automatically resynchronize credentials that get out of synchronization. Disable Auto Sync to require that users manually synchronize credentials that get out of synchronization.

Important: A credential gets out of synchronization when the user generates too many unused security codes. An unused security code is a security code that a user generates but does not use to sign in. (When a user generates unused security codes, the credential event counter--which counts button press events--gets out of synchronization with the Symantec validation server event counter.)

Symantec highly recommends that you click an option in the Set Windows area to select one of the predefined security levels (low, medium, or high) based on your organization's needs. Symantec has thoroughly tested these security levels, and verified their effectiveness.

Type a number for Validation Window.

Security codes are valid if they are within the Validation Window.

If a user generates unused security codes, but the number of unused security codes is within the Validation Window, then the Symantec validation server validates the security code, and the user is signed in to his or her account.

Less secure: 32 unused security codes
More secure: 5 unused security codes
Symantec recommends: 10 unused security codes

Type a number for Auto Sync Window.

If Auto Sync is enabled, and security codes are within the Auto Sync Window, then the security codes are still valid and the Symantec validation server event counter automatically synchronizes itself with the credential event counter.

The Auto Sync Window sets the maximum number of unused security codes a user can generate and still generate valid security codes on a credential that has become out of synchronization. (The credential is automatically synchronized.)

Less secure: 128 unused security codes
More secure: 16 unused security codes
Symantec recommends: 32 unused security codes

If you are using the Auto Sync feature, the Auto Sync Window must be larger than the Validation Window.

Type a number for Manual Sync Window.

If security codes are within the Manual Sync Window, users cannot use their credential to sign in to their account. They must enter two consecutive security codes to manually synchronize their credential's event counter with the Symantec validation server event counter.

The Manual Sync Window sets the maximum number of unused security codes a user can generate and still use their credential.

Less secure: 1024 unused security codes
More secure: 128 unused security codes
Symantec recommends: 1024 unused security codes

The Manual Sync Window must be larger than the Auto Sync Window.

Click Save Changes to update your settings, or click Back to return to the Credential Security Settings page.

If the predefined security levels are not suitable for your site, you can manually adjust the security settings. Manually setting the security level is not recommended. You should only set the security level manually if you fully understand each setting.

To manually change the security settings for HOTP Time-Based credentials, follow these steps:

Select Account in the navigation bar at the top of the page.

Click Credential Security Settings in the Links area on the right side of the page.

You see the Credential Security Settings page.

On the Credential Security Settings page, click Change Settings in the Actions column next to the HOTP Time-Based validation type.

On the Change HOTP Time-Based Credential Security Settings page, click set the security level manually at the bottom of the page.

You see more advanced options for configuring security levels.

Type a number for Maximum Validation Failures.

Maximum Validation Failures sets the number of times that a user is allowed to enter an invalid security code before the credential automatically locks. If a credential locks, the user cannot use the credential to sign in. Unless auto-unlock is enabled in the User and Credential Lockout policy (on the Policy > Credentials tab), the user must contact your help desk and request that an administrator unlock the credential.

Less secure: 32 validation failures
More secure: 5 validation failures
Symantec recommends: 10 validation failures

Select an option to enable or disable the Auto Sync feature.

Enable Auto Sync to automatically resynchronize credentials that get out of synchronization. Disable Auto Sync to require that users manually synchronize credentials that get out of synchronization.

Important: A credential gets out of synchronization when its internal clock drifts ahead of or behind the Symantec validation server clock. For example, if the credential clock is running slow or fast, the credential will need to be resynchronized.

Symantec highly recommends that you click an option in the Set Windows area to select one of the predefined security levels (low, medium, or high) based on your organization's needs. Symantec has thoroughly tested these security levels, and verified their effectiveness.

Type a number for Validation Window.

Security codes are valid if the credential time is within the Validation Window.

The Validation Window sets the maximum number of seconds that the credential clock can drift ahead of or behind the Symantec validation server clock and still generate valid security codes.

Less secure: 1920 seconds
More secure: 300 seconds
Symantec recommends: 300 seconds

Type a number for Auto Sync Window.

If Auto Sync is enabled, and the credential time is within the Auto Sync Window, security codes are still valid and the Symantec validation server clock automatically synchronizes itself with the credential clock.

The Auto Sync window sets the maximum number of seconds that the credential clock can drift ahead of or behind the Symantec validation server clock and still generate valid security codes if the credential is out of synchronization. (The credential is automatically synchronized.)

Less secure: 1980 seconds
More secure: 480 seconds
Symantec recommends: 960 seconds

If you enable Auto Sync, the Auto Sync Window must be larger than the Validation Window.

Type a number for Manual Sync Window.

If the credential time is within the Manual Sync Window, users cannot use their credential to sign in to their account. They must enter two consecutive security codes to manually synchronize their credential clock with the Symantec validation server clock.

The Manual Sync window sets the maximum number of seconds that the credential clock can drift ahead of or behind the Symantec validation server clock and still function.

Less secure: 7680 seconds
More secure: 3840 seconds
Symantec recommends: 3840 seconds

The Manual Sync Window must be larger than the Auto Sync Window.

Type a number for Initial Validation Window.

The Initial Validation window specifies the maximum amount of time (in seconds) that the credential clock is allowed to drift ahead of or behind the Symantec validation server clock and still be able to generate a valid security code the first time the credential is used.

Type a number for Next Security Code Validation Window.

The Next Security Code Validation window specifies the maximum amount of time (in seconds) that the credential clock is allowed to drift ahead of or behind the Symantec validation server clock when a second consecutive security code is required for sign in and synchronization operations.

Click Save Changes to update your settings, or click Back to return to the Credential Security Settings page.
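
The Validation, Auto Sync and Manual Sync windows from the HOTP Event-Based and HOTP Time-Based procedures above, modelled as an added example (this is not Symantec's code or the VIP validation server's logic). It assumes RFC 4226 codes, a 30-second time step for the time-based case, and hypothetical names (Windows, time_windows, classify, manual_sync); the key is the public RFC 4226 test key.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

RFC4226_KEY = b"12345678901234567890"  # public test key from RFC 4226, not a real secret

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 code for one moving factor (event count or time step)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

@dataclass(frozen=True)
class Windows:
    validation: int
    auto_sync: int
    manual_sync: int
    auto_sync_enabled: bool = True
    two_sided: bool = False  # True for clock drift (ahead of or behind)

    def __post_init__(self):
        # Ordering rules stated on the page.
        if self.auto_sync_enabled and self.auto_sync <= self.validation:
            raise ValueError("Auto Sync Window must be larger than Validation Window")
        if self.manual_sync <= self.auto_sync:
            raise ValueError("Manual Sync Window must be larger than Auto Sync Window")

def time_windows(validation_s, auto_s, manual_s, step=30):
    """Convert second-based windows to time steps (30 s step is an assumption)."""
    return Windows(validation_s // step, auto_s // step, manual_s // step, two_sided=True)

def _offsets(w: Windows):
    """Candidate distances from the server's expected value, nearest first."""
    for d in range(w.manual_sync + 1):
        yield d
        if w.two_sided and d:
            yield -d

def classify(key, code, expected, w):
    """Return (outcome, offset) for one submitted code."""
    for off in _offsets(w):
        if expected + off >= 0 and hmac.compare_digest(hotp(key, expected + off), code):
            if abs(off) <= w.validation:
                return "valid", off
            if w.auto_sync_enabled and abs(off) <= w.auto_sync:
                return "valid-auto-sync", off  # server adopts the credential's value
            return "manual-sync-required", off  # a single code does not sign in
    return "invalid", None

def manual_sync(key, code1, code2, expected, w):
    """Offset of code1 if code1 and code2 are consecutive codes, else None."""
    for off in _offsets(w):
        c = expected + off
        first = c >= 0 and hmac.compare_digest(hotp(key, c), code1)
        if first and hmac.compare_digest(hotp(key, c + 1), code2):
            return off
    return None

if __name__ == "__main__":
    w = Windows(validation=10, auto_sync=32, manual_sync=1024)  # recommended event-based values
    print(classify(RFC4226_KEY, hotp(RFC4226_KEY, 40), 0, w))
```

Every widening of a window adds candidate values that a guessed code can match, which is why the widest tier demands two consecutive codes rather than one.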

If the predefined security levels are not suitable for your site, you can manually adjust the security settings. Manually setting the security level is not recommended. You should only set the security level manually if you fully understand each setting.

To manually change the security settings for Vasco Time-Based credentials, follow these steps:

Select Account in the navigation bar at the top of the page.

Click Credential Security Settings in the Links area on the right side of the page.

You see the Credential Security Settings page.

On the Credential Security Settings page, click Change Settings in the Actions column next to the Vasco Time-Based validation type.

On the Change Vasco Time-Based Credential Security Settings page, click set the security level manually at the bottom of the page.

You see more advanced options for configuring security levels.

Type a number for Maximum Validation Failures.

Maximum Validation Failures sets the number of times that a user is allowed to enter an invalid security code before the credential automatically locks. If a credential locks, the user cannot use the credential to sign in. Unless auto-unlock is enabled in the User and Credential Lockout policy (on the Policy > Credentials tab), the user must contact your help desk and request that an administrator unlock the credential.

Less secure: 32 validation failures
More secure: 5 validation failures
Symantec recommends: 10 validation failures

Select an option to enable or disable the Auto Sync feature.

Enable Auto Sync to automatically resynchronize credentials that get out of synchronization. Disable Auto Sync to require that users manually synchronize credentials that get out of synchronization.

Important: A credential gets out of synchronization when its internal clock drifts ahead of or behind the Symantec validation server clock. For example, if the credential clock is running slow or fast, the credential will need to be resynchronized.

Symantec highly recommends that you click an option in the Set Windows area to select one of the predefined security levels (low, medium, or high) based on your organization's needs. Symantec has thoroughly tested these security levels, and verified their effectiveness.

Type a number for Validation Window.

Security codes are valid if the credential time is within the Validation Window.

The Validation Window sets the maximum number of seconds that the credential clock can drift ahead of or behind the Symantec validation server clock and still generate valid security codes.

Less secure: 1024 seconds
More secure: 160 seconds
Symantec recommends: 320 seconds

Type a number for Auto Sync Window.

If Auto Sync is enabled, and the credential time is within the Auto Sync Window, security codes are still valid and the Symantec validation server clock automatically synchronizes itself with the credential clock.

The Auto Sync window sets the maximum number of seconds that the credential clock can drift ahead of or behind the Symantec validation server clock and still generate valid security codes if the credential is out of synchronization. (The credential is automatically synchronized.)

Less secure: 3840 seconds
More secure: 320 seconds
Symantec recommends: 1024 seconds

If you enable Auto Sync, the Auto Sync Window must be larger than the Validation Window.

Type a number for Manual Sync Window.

If the credential time is within the Manual Sync Window, users cannot use their credential to sign in to their account. They must enter two consecutive security codes to manually synchronize their credential clock with the Symantec validation server clock.

The Manual Sync window sets the maximum number of seconds that the credential clock can drift ahead of or behind the Symantec validation server clock and still function.

Less secure: 7200 seconds
More secure: 3600 seconds
Symantec recommends: 3600 seconds

The Manual Sync Window must be larger than the Auto Sync Window.

Click Save Changes to update your settings, or click Back to return to the Credential Security Settings page.

If the predefined security levels are not suitable for your site, you can manually adjust the security settings. Manually setting the security level is not recommended. You should only set the security level manually if you fully understand each setting.

To manually change the security settings for SMS/Voice/Email/Service-generated credentials, follow these steps:

Select Account in the navigation bar at the top of the page.

Click Credential Security Settings in the Links area on the right side of the page.

You see the Credential Security Settings page.

On the Credential Security Settings page, click Change Settings in the Actions column next to the SMS/Voice/Email/Service-generated validation type.

On the Change SMS/Voice/Email/Service-generated Credential Security Settings page, click set the security level manually at the bottom of the Credential Security Settings page.

You see more advanced options for configuring security levels.

Type a number for Maximum Validation Failures.

Maximum Validation Failures sets the number of times that a user is allowed to enter an invalid security code before the credential automatically locks. If a credential locks, the user cannot use the credential to sign in. Unless auto-unlock is enabled in the User and Credential Lockout policy (on the Policy > Credentials tab), the user must contact your help desk and request that an administrator unlock the credential.

Less secure: 32 validation failures
More secure: 5 validation failures
Symantec recommends: 10 validation failures

Type a number for Security Code Expiration.

The security code expiration sets the amount of time that a security code is valid after a user receives the security code in an SMS, Voice Call, or Email message.

Less secure: 600 seconds
More secure: 300 seconds
Symantec recommends: 600 seconds

Click Save Changes to update your settings, or click Back to return to the Credential Security Settings page.

Symantec uses SMS messaging to send security codes to your credential users. Use the SMS Message Settings page to identify yourself as the sender, and edit the SMS message text.

End users can obtain help by replying HELP to the SMS message. VIP responds with a message providing instructions for opting out of SMS messages. The message includes support contact information.

However, if the local carrier overrides the SMS From number in the SMS message, all SMS keywords (including HELP and STOP) will fail without notifying the end user. You should educate your end users that they must contact their Support representative to opt out of SMS messages or to obtain help if they do not get a response from SMS keywords.

Note the following when you create the message text:

You must include a security code tag in the message.

To add a security code tag, click the button for Security Code Tag or type the variable "_OTP_" where you want a security code to be included in the message. (VIP Manager substitutes "_OTP_" with a valid security code).

Click the button for Line Break to add a line break to a message.

Symantec recommends that SMS messages be less than 160 characters.



To configure SMS message settings, follow these steps:

Important: Due to how China manages incoming SMS messages, users in China may experience intermittent SMS message failures. To guarantee delivery of SMS messages in China, you must register a friendly name and an SMS message language (English or Simplified Chinese). Once registered, Symantec VIP overrides the messages that you set here and sends the SMS message listed in the China-specific Message section at the bottom of the SMS Message Settings page for the Credential Registration, Security Code Service, and Temporary Password messages.

Select Account in the navigation bar at the top of the page.

Click SMS Credential Settings in the Links area on the right side of the page.

You see the SMS Message Settings page.

Type the Credential Registration Message in the text box (or use the default message text). This is the message that sends SMS-based credential users security codes that they can use to register their credentials.

Important: This message is only for VIP members who sell SMS-based VIP credentials.

Type the Security Code Service Message in the text box (or use the default message text). This is the message that sends SMS-based credential users security codes that they can use to sign in to VIP member sites.

Important: This message is only for VIP members who sell SMS-based VIP credentials.

Type the Temporary Password Message in the text box (or use the default message text).

This is the message that sends users of all credential types a security code they can use to sign in to VIP member sites on a temporary basis. For example, you'll need to send this message to users who have lost or forgotten their credentials.

Click Save Changes to update your settings, or click Cancel to return to the VIP Manager Home page.

VIP sends a number of different emails to users. You can customize the templates for some of these emails. Once customized, VIP will use your template when it sends these emails to users.

Email as a credential:
  • Email credential registered (Register)
  • Send a security code for authentication
  • Send a temporary security code (Send Temporary Passcode)
  • Send a security code for transactions


To customize an email, select the appropriate template, and add a subject line (up to 988 alphanumeric characters only). Enter your customized email text in the Body field. You can use only plain text or HTML format, and the body text cannot exceed 1000 characters. JavaScript and XSS code are automatically removed.

You can use the Insert Variable dropdown to add variable codes to the template (you can also enter them manually). VIP replaces these codes with the actual value in the emails sent to users. Although the order does not matter, you must use all of the variables at least once in your template.

To include images, enter the full path to the image. You must use https://. VIP supports the .webp, JPEG, PNG, and GIF image formats.

Click Preview at any time to see how the email will appear to the user. Save the template when you are done. You can also discard your changes to revert to the last saved version, or reset the template to the default to erase any previously saved template.