Unused VIP Credentials / Token IDs are getting locked in VIP Manager

Article ID: 273344

Updated On:

Products

VIP Service

Issue/Introduction

When an end-user enters an invalid VIP security code not matching any of their assigned credentials, it is possible for one or more of their credential IDs to get locked by the VIP Service.

VIP Manager screenshot:

Cause

When an end-user enters a VIP security code from their VIP credential during a validation attempt, the SSL-encrypted VIP username and VIP security code are sent to the VIP Cloud.

When an end-user is assigned a single VIP credential ID:

  • The transaction is successful if the security code matches the user's credential ID.
  • The transaction fails if an invalid code is used, and the 'invalid security code' counter for that credential ID increments by 1.
  • The token is locked after 10* consecutive invalid OTPs.  
  • The 'invalid security code' counter resets back to 0 when a valid code is used if the credential ID is not locked. 

When an end-user is assigned multiple VIP credential IDs:

  • The VIP Cloud attempts to match the security code to one of their assigned credentials.
  • If a match is found, the transaction is successful.
  • If a match is not found, the invalid security code counter for each assigned credential increments by one and the transaction fails. (A credential ID is locked when the invalid security code counter reaches 10*.) 10 consecutive invalid security codes will lock all assigned credentials. 
  • If a match is found during a subsequent login, the invalid security code counter for the matching credential ID is reset to 0. However, the invalid security code counters for the remaining credentials remain unchanged.
  • If an invalid security code is used during subsequent logins, the invalid security code counter continues to increment until the credential ID is locked. 

*This credential lockout value can be adjusted by a VIP Administrator in the VIP Manager portal.

Note: A locked credential affects VIP authentications only when it is used during a login attempt. 
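
The counter rules above, as an added example (a simplified model, not Symantec code or part of the original article). The class, method and credential names are hypothetical, and rejecting a code from an already locked credential without touching other counters is an assumption.

```python
LOCK_THRESHOLD = 10  # default per the article; adjustable in VIP Manager


class UserCredentials:
    """Simplified model of per-credential invalid security code counters."""

    def __init__(self, credential_ids, threshold=LOCK_THRESHOLD):
        self.threshold = threshold
        self.failures = {cid: 0 for cid in credential_ids}
        self.locked = set()

    def validate(self, matched_credential=None):
        """Model one validation attempt.

        matched_credential is the credential whose code was entered, or
        None when the code matches none of the user's credentials.
        """
        if matched_credential is not None:
            if matched_credential in self.locked:
                return False  # assumption: locked credential is rejected
            self.failures[matched_credential] = 0  # only the match resets
            return True
        # No match: every assigned, unlocked credential is charged a failure.
        for cid in self.failures:
            if cid in self.locked:
                continue
            self.failures[cid] += 1
            if self.failures[cid] >= self.threshold:
                self.locked.add(cid)
        return False


def simulate_typo_then_success(rounds):
    """User mistypes once, then logs in with PHONE; SPARE is never used."""
    user = UserCredentials(["PHONE", "SPARE"])  # constructed credential names
    for _ in range(rounds):
        user.validate(None)      # mistyped code, matches nothing
        user.validate("PHONE")   # retry with a valid PHONE code
    return user


if __name__ == "__main__":
    result = simulate_typo_then_success(10)
    print("failure counters:", result.failures)
    print("locked:", sorted(result.locked))
```

The credential in daily use never sees two consecutive failures, yet the unused one accumulates every mistyped code and locks at the threshold.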

Resolution

- Users with multiple assigned credentials can periodically use a security code from another assigned credential.

- Use the VIP PUSH feature. This does not impact a credential's invalid security code counter.

- Enable the VIP Manager policy to enforce a maximum number of assigned credentials.

- Enable the Credential expiration policy to automatically remove unused credentials from users after a set number of days. This policy sets unused credentials to 'inactive' and removes them from the user. Inactive tokens can be enabled and assigned to the user by a VIP administrator.

Additional Information

If the VIP User Services 'authenticateCredentials' API is used for credential validation (https://userservices.vip.symantec.com), credentials will not be locked. If the VIP Credential Services 'validateMultiple' API is used (https://services-auth.vip.symantec.com), the credential will lock after passing the Maximum Validation Failures set in Security Settings.