Enable and configure the VIP IA policy
As the first step for VIP Intelligent Authentication integration, you must enable and configure the VIP IA policy in VIP Manager.
- To configure VIP IA in VIP Manager for the first time:
- Sign in to your account in VIP Manager.
- Select Policies in the navigation bar at the top of the page.
- Select the VIP Intelligent Authentication tab.
- Select the Edit link.
- Enable the VIP IA policy, and then configure the policy:
- Select an appropriate Sign-in threshold value for your users by estimating how likely IA is to require additional authentication based on user risk. By default, the threshold value is set between Moderate and Strict, which is the setting that Symantec recommends. In general, the stricter that you set the threshold value, the more likely VIP IA considers access events suspicious. If the IA risk level for a user's authentication attempt is higher than the set threshold, IA considers the attempt risky. Then IA recommends that additional authentication be performed before the user is granted access.
- Determine whether security codes should always be required for authentication from unrecognized devices. This option is checked by default to take advantage of Device Fingerprint (within the VIP Remembered Device policy) for evaluating device attributes at access. Users must always provide a security code in response to a challenge for authentication, regardless of the current IA threshold or risk-based IA score. If this option is disabled, users must respond to the challenge for authentication based exclusively on the following regardless of any unrecognized devices:
- IA threshold
- IA policy settings
- IA risk score
If this feature is disabled, it effectively makes the IAAuthData parameter optional for applicable IA APIs. For details about Device Fingerprint and VIP Remembered Device credential types, see the VIP Remembered Device Integration Guide. See the VIP User Services Developer's Guide for details about IAAuthData.
- Optionally, specify additional countries with increased risk, from where any user access attempt can increase the user's IA risk score.
- Optionally, specify IP addresses from where you need to always challenge or always accept (succeed) user sign-in attempts. If you set the policy to always challenge, users coming from a listed IP address are always prompted for second-factor authentication, even if their credential is set to Remembered Device. Up to 100 entries can be uploaded from a single file (one IP address or one IP address range represents one entry). Each IP address must be in either IPv4 or IPv6 format and a hyphen must separate each IP address range. All entries must be comma-separated. For example:
- For IPv4: 192.0.2.40,203.0.113.255,198.51.100.1-198.51.100.100
- For IPv6: 2001:DB8::0:1804:0:15:0:100,2001:DB8:0:1804::15:30:100-2001:DB8:112:1804::15:40:100
- Click Save.
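A pre-upload check for the IP address file described above, as an added example that is not part of the original guide or Symantec's code: it applies the stated rules (comma-separated entries, hyphenated ranges, IPv4 or IPv6, at most 100 entries). The function names, the same-family and start-before-end range checks, and the sample data are assumptions.

```python
import ipaddress

MAX_ENTRIES = 100  # limit stated on this page


def parse_entry(entry):
    """Return (first, last) addresses for one entry; raise ValueError if malformed."""
    parts = [p.strip() for p in entry.split("-")]
    if len(parts) > 2 or not all(parts):
        raise ValueError(f"malformed entry: {entry!r}")
    addrs = [ipaddress.ip_address(p) for p in parts]  # ValueError on bad syntax
    first, last = addrs[0], addrs[-1]
    # Assumption (not stated on the page): both ends of a range share one
    # address family and the start does not come after the end.
    if first.version != last.version:
        raise ValueError(f"mixed IPv4/IPv6 range: {entry!r}")
    if first > last:
        raise ValueError(f"range start is after range end: {entry!r}")
    return first, last


def validate_ip_list(text):
    """Validate the comma-separated list; return (parsed_entries, errors)."""
    entries = [e.strip() for e in text.strip().split(",")]
    parsed, errors = [], []
    if len(entries) > MAX_ENTRIES:
        errors.append(f"{len(entries)} entries exceeds the limit of {MAX_ENTRIES}")
    for number, entry in enumerate(entries, start=1):
        try:
            parsed.append(parse_entry(entry))
        except ValueError as exc:
            errors.append(f"entry {number}: {exc}")
    return parsed, errors


if __name__ == "__main__":
    # First three entries are the page's IPv4 example; the rest are constructed.
    sample = ("192.0.2.40,203.0.113.255,198.51.100.1-198.51.100.100,"
              "2001:db8::15:30:100-2001:db8::15:40:100,"
              "198.51.100.300,203.0.113.9-203.0.113.1")
    ok, problems = validate_ip_list(sample)
    print(f"{len(ok)} valid entries")
    for p in problems:
        print("ERROR:", p)
```

Running a check like this before upload catches a mistyped address or reversed range before it reaches an always-accept or always-challenge list.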