VIP Policy Configuration

You can view and configure the account policy for sending VIP Access Push notifications to users' mobile devices for authentication. This policy allows a user to respond to notifications sent to their mobile device as the second factor instead of entering a security code when signing in. VIP sends a VIP Access Push notification after the user enters a user name and password when signing in. If the user approves the notification, the user is logged into the account.

For devices that support biometric fingerprints, VIP will prompt the user to provide a biometric fingerprint to complete authentication. For mobile devices where biometric fingerprint is not available or not configured, or if biometric fingerprint fails, VIP PIN is used. Currently, only iOS TouchID is supported for biometric fingerprint.

If Require Number Challenge is enabled, the push notification is replaced by a prompt to enter a challenge number as authentication.

Note the following special considerations for the Mobile Push Authentication Policy:

The user must register a device that is capable of receiving requests from the VIP Service to use VIP Access Push. VIP Access Push notifications will be sent to all devices for which this is enabled.

Upon downloading a VIP Access release that includes the VIP Access Push feature, the user is prompted to enable or opt out of push notifications.

There are four VIP Access Push states: never enabled, enabled, disabled, and temporarily locked.

If more than five push notifications are sent, VIP Access Push will become temporarily locked for one hour. During this period, the user must use an alternate login factor.

Before you can configure VIP Access Push, you must first enable Mobile Credentials. On the VIP Policy Configuration page, under Credentials, either set Enable all VIP credentials to Yes, or set it to No and manually select Mobile Credentials.

If you enable the Require Number Challenge policy, the user must register a credential app that is able to use a number challenge. If the credential is not able to use a number challenge, the end user is prompted to authenticate using security codes generated on their device or sent through an out-of-band channel such as SMS or Voice Calls.

If you enable Remembered Devices or Require Number Challenge, they will take priority over VIP Access Push. However, VIP Access Push notifications take priority over security codes.



If you enable VIP Access Push and want to include the VIP JavaScript library in your application's sign-in page, you need to generate the VIP integration code for JavaScript:

Enter the externally accessible domain name(s) of your web applications in the provided field. (For example, if your sign-in page URL is https://vpn.example.com, you would enter example.com.)

Select VIP Integration Code for Javascript.



To set the policy for Mobile Push Authentication for your account:

Select Policies in the navigation bar at the top of the page.

Select the Account tab.

Select the Edit link to configure the Mobile Push Authentication policy settings. You can set the following:

Enable Mobile Push: Set this to Yes to allow an end user to respond to a VIP Access Push notification sent to a mobile device as the second factor when signing in. If set to No, VIP will not send a VIP Access Push notification, and the end user must use another configured method for authentication.

Allow Security Code Validation: If Enable Mobile Push is set to Yes, set Allow Security Code Validation to Yes to allow an end user to enter security codes as the second factor instead of VIP Access Push. If set to No, the user will not be prompted for security codes.

Require Number Challenge: If Enable Mobile Push is set to Yes, and Require Number Challenge is set to Yes, end users are shown a uniquely generated, two-digit number when requesting VIP authentication. End users must enter the same number in the VIP Access Push that they receive on their mobile devices.



You can also customize the Mobile Push Authentication policy at the user group level. Settings at the user group level overwrite the account policy settings for members of that user group.

The Mobile Push Authentication policy defined at the group level always overwrites the account policy. If a user belongs to more than one group with different Mobile Push Authentication policies, the user is assigned the stricter policy using the following rules:

The user can authenticate using VIP Access Push if the Enable Mobile Push Authentication policy is set to Yes in at least one of the applicable policies.

The user cannot authenticate using a security code if the Allow Security Code Validation policy is set to No in any of the applicable policies.

The user must complete a number challenge when authenticating if Require Number Challenge is set to Yes in at least one of the applicable policies. The user is shown a unique, two-digit number which the user must enter in the VIP Access Push that they receive on their mobile devices.
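The merge rules above can be checked offline before changing group memberships. The following is an added example, not code from VIP or its documentation: the PushPolicy class, its field names, and the sample account, groups, and users are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PushPolicy:
    # Hypothetical field names mirroring the three settings described on this page.
    enable_mobile_push: bool
    allow_security_code: bool
    require_number_challenge: bool

def effective_policy(account, group_policies):
    """Merge the policies that apply to one user, following the rules on this page."""
    if not group_policies:
        return account  # no group-level policy applies, so the account policy is used
    # Group-level policies always overwrite the account policy; several are merged.
    return PushPolicy(
        enable_mobile_push=any(g.enable_mobile_push for g in group_policies),
        allow_security_code=all(g.allow_security_code for g in group_policies),
        require_number_challenge=any(g.require_number_challenge for g in group_policies),
    )

def audit(account, groups, memberships):
    """Return {user: (effective policy, notes)}; notes list settings changed by the merge."""
    report = {}
    for user, names in memberships.items():
        applicable = [groups[n] for n in names]
        eff = effective_policy(account, applicable)
        notes = []
        if eff.enable_mobile_push and any(not g.enable_mobile_push for g in applicable):
            notes.append("push enabled although one group sets Enable Mobile Push to No")
        if not eff.allow_security_code and any(g.allow_security_code for g in applicable):
            notes.append("security codes blocked by another group's No")
        if eff.require_number_challenge and any(not g.require_number_challenge for g in applicable):
            notes.append("number challenge required by another group's Yes")
        report[user] = (eff, notes)
    return report

# Constructed sample data (not taken from a real VIP account).
ACCOUNT = PushPolicy(True, True, False)
GROUPS = {
    "contractors": PushPolicy(False, True, False),
    "admins": PushPolicy(True, False, True),
}
MEMBERS = {"alice": ["admins"], "bob": ["contractors", "admins"], "carol": []}

if __name__ == "__main__":
    for user, (eff, notes) in audit(ACCOUNT, GROUPS, MEMBERS).items():
        print(user, eff, notes)
```

In the sample, bob belongs to a group that sets Enable Mobile Push to No, yet the merged policy still allows push because the other group sets it to Yes.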


See Editing the User Group Policies.