When an end-user with multiple assigned credentials manually enters their VIP security code during a login, it is possible for one or more of their credential IDs in VIP Manager to go to a locked state, despite the VIP credential not being used for validations.
VIP Manager screenshot:
During a VIP validation, when an end-user manually enters a VIP security code from their VIP credential, the encrypted VIP username and VIP security code are sent to the VIP Cloud.
When an end-user is assigned one VIP credential ID:
When an end-user is assigned more than one VIP credential ID:
*This value can be adjusted by a VIP Administrator in the VIP Manager portal.
Note: A locked credential affects VIP authentications only when it is used during a login attempt.
- Users with multiple assigned credentials can periodically use a security code from another assigned credential.
- Use the VIP PUSH feature. This does not impact a credential's invalid security code counter.
- Enable the VIP Manager policy to enforce a maximum number of assigned credentials. Your organization should decide the maximum number of credentials a user can be assigned, and whether credentials can be assigned to more than one user at a time.
- Enable the Credential expiration policy to automatically remove unused credentials from users. Expired credentials are unassigned from the user and appear as 'inactive' in VIP Manager.
If user services is used for credential validation (https://userservices.vip.symantec.com), the credential will not be locked. If credential services is used (https://services-auth.vip.symantec.com), the credential will lock after passing the Maximum Validation Failures set in Security Settings.