VIP Policy Configuration

You can view and configure the account policy for sending VIP Access Push notifications to users' mobile devices for authentication. This policy allows a user to respond to notifications sent to their mobile device as the second factor instead of entering a security code when signing in.

VIP sends a VIP Access Push notification after the user enters a user name and password when signing in. The notification may also include information on where the request originated (VIP Access notifications initiated by VIP Enterprise Gateway do not include push location information). If the user approves the notification, the user is logged into the account.

For devices that support biometric fingerprints, VIP will prompt the user to provide a biometric fingerprint to complete authentication. For mobile devices where biometric fingerprint is not available or not configured, or if biometric fingerprint fails, VIP PIN is used. Currently, only iOS TouchID is supported for biometric fingerprint.

If Require Number Challenge is enabled, the push notification is replaced by a prompt to enter a challenge number as authentication.

Note the following special considerations for the Mobile Push Authentication Policy:

The user must register a device that is capable of receiving requests from the VIP Service to use VIP Access Push. VIP Access Push notifications will be sent to all devices for which this is enabled.

Upon downloading a VIP Access release that includes the VIP Access Push feature, the user is prompted to enable or opt out of push notifications.

There are four VIP Access Push states: never enabled, enabled, disabled, and temporarily locked.

If more than five push notifications are sent, VIP Access Push will become temporarily locked for one hour. During this period, the user must use an alternate login factor.

Before you can configure VIP Access Push, you must first enable Mobile Credentials. On the VIP Policy Configuration page, under Credentials → Enable all VIP credentials, either select Yes, or select No and manually select Mobile Credentials.

If you enable the Require Number Challenge policy, the user must register a credential app that is able to use a number challenge. If the credential is not able to use a number challenge, the end user is prompted to authenticate using security codes generated on their device or sent through an out-of-band channel such as SMS or Voice Calls.

If you enable Remembered Devices or Require Number Challenge, they will take priority over VIP Access Push. However, VIP Access Push notifications take priority over security codes.



If you enable VIP Access Push and want to include the VIP JavaScript library in your application's sign-in page, you need to generate the VIP integration code for JavaScript:

Enter the externally-accessible domain name(s) for your web applications in the provided field. (For example, if your sign-in page URL is https://vpn.example.com, you would enter example.com.)

Select VIP Integration Code for Javascript.



To set the policy for Mobile Push Authentication for your account:

Select Policies in the navigation bar at the top of the page.

Select the Account tab.

Select the Edit link to configure the Mobile Push Authentication policy settings. You can set the following:

Enable Mobile Push: Set this to Yes to allow an end user to respond to a VIP Access Push notification sent to a mobile device as the second factor when signing in. If set to No, VIP will not send a VIP Access Push notification, and the end user must use another configured method for authentication.

Allow Security Code Validation: If Enable Mobile Push is set to Yes, set Allow Security Code Validation to Yes to allow an end user to enter security codes as the second factor instead of VIP Access Push. If set to No, the user will not be prompted for security codes.

Require Number Challenge: If Enable Mobile Push is set to Yes, and Require Number Challenge is set to Yes, end users are shown a uniquely generated, two-digit number when requesting VIP authentication. End users must enter the same number in the VIP Access Push that they receive on their mobile devices.

Display Location Information: Set whether VIP Access Push notifications include information on where the request originated. Users can review this information to verify that the request was sent by their device to help ensure that the push notification is valid. Location information is not sent for push notifications sent by VIP Enterprise Gateway. The location may be affected if the user is using a VPN or if the network is mapped to a different IP address.

VIP Push Title: Enter the title that end users see at the top of the VIP Access Push notification. The suggested maximum size is 30 characters.

VIP Push Text: Enter the text that end users see in the body of the VIP Access Push notification. The suggested maximum size is 70 characters.

Remote Access Service Name/URL: Enter your logon URL or profile, or other support resource for your end users. The suggested maximum size is 60 characters.

Note: Push notification messages sent by clients (such as a Mobile SDK-based client, User Services APIs, or VIP Enterprise RADIUS clients) take precedence. Otherwise, the custom push notification message configured here is used. If no push notification messages are configured, VIP uses the default message.



You can also customize the Mobile Push Authentication policy at the user group level. Settings at the user group level overwrite the account policy settings for members of that user group. The customizable VIP Access Push text is an account-level setting. It cannot be applied to individual user groups.

The Mobile Push Authentication policy defined at the group level always overwrites the account policy. If a user belongs to more than one group with different Mobile Push Authentication policies, the user is assigned the stricter policy using the following rules:

The user can authenticate using VIP Access Push if the Enable Mobile Push Authentication policy is set to Yes in at least one of the applicable policies.

The user cannot authenticate using a security code if the Allow Security Code Validation policy is set to No in any of the applicable policies.

The user must complete a number challenge when authenticating if Require Number Challenge is set to Yes in at least one of the applicable policies. The user is shown a unique, two-digit number which the user must enter in the VIP Access Push that they receive on their mobile devices.
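The following added example (not part of the VIP documentation or any VIP API) models the three merge rules above so you can check which settings a user in several groups ends up with, and which group decided each one. The class, field, and group names are hypothetical, and the sample policies are constructed.

```python
from dataclasses import dataclass, fields

@dataclass(frozen=True)
class PushPolicy:
    # Hypothetical field names mirroring the three policy settings on this page.
    enable_mobile_push: bool
    allow_security_code_validation: bool
    require_number_challenge: bool

# Value that wins when ANY applicable group policy has it:
# Yes for Enable Mobile Push and Require Number Challenge,
# No for Allow Security Code Validation.
WINNING_VALUE = {
    "enable_mobile_push": True,
    "allow_security_code_validation": False,
    "require_number_challenge": True,
}

def effective_policy(account, group_policies):
    """group_policies: {group name: PushPolicy} for the groups the user is in.
    Returns (effective PushPolicy, {setting: [names that decided it]})."""
    if not group_policies:
        # No group-level policy applies: the account policy is used unchanged.
        return account, {f.name: ["account"] for f in fields(account)}
    values, decided_by = {}, {}
    for setting, winner in WINNING_VALUE.items():
        deciders = sorted(name for name, pol in group_policies.items()
                          if getattr(pol, setting) == winner)
        # If no group holds the winning value, every group agrees on the other one.
        values[setting] = winner if deciders else not winner
        decided_by[setting] = deciders or sorted(group_policies)
    # Group policies overwrite the account policy, so `account` is not consulted here.
    return PushPolicy(**values), decided_by

# Constructed sample data.
ACCOUNT = PushPolicy(True, True, False)
GROUPS = {
    "contractors": PushPolicy(False, False, False),
    "vpn-admins": PushPolicy(True, True, True),
}

if __name__ == "__main__":
    policy, why = effective_policy(ACCOUNT, GROUPS)
    print(policy)
    for setting, names in why.items():
        print(f"{setting}: decided by {', '.join(names)}")
```

With the sample data, the user can use push and must complete a number challenge because of vpn-admins, and cannot use security codes because of contractors, even though the account policy allows them.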


See Editing the User Group Policies.