Enable and configure the VIP IA policy

As the first step for VIP Intelligent Authentication integration, you must enable and configure the VIP IA policy in VIP Manager.
  1. To configure VIP IA in VIP Manager for the first time:
  2. Sign in to your account in VIP Manager.
  3. Select
    Policies
    in the navigation bar at the top of the page.
  4. Select the
    VIP Intelligent Authentication
    tab.
  5. Select the
    Edit
    link.
  6. Enable the VIP IA policy, and then configure the policy:
    • Select an appropriate
      Sign-in threshold value
      for your users by estimating how likely IA requires additional authentication based on user risk.
      By default, the threshold value is set between
      Moderate
      and
      Strict
      , which is the setting that Symantec recommends.
      In general, the stricter that you set the threshold value, the more likely VIP IA considers access events suspicious. If an IA risk level for a user's authentication attempt is higher than the set threshold, IA considers the attempt risky. Then IA recommends that additional authentication be performed before the user is granted access.
    • Determine whether security codes should always be required for authentication from unrecognized devices.
      This option is checked by default to take advantage of Device Fingerprint (within the VIP Remembered Device policy) for evaluating device attributes at access. Users must always provide a security code in response to a challenge for authentication, regardless of the current IA threshold or risk-based IA score.
      If this option is disabled, users must respond to the challenge for authentication based exclusively on the following regardless of any unrecognized devices:
      • IA threshold
      • IA policy settings
      • IA risk score
      If this feature is disabled, it effectively makes the
      IAAuthData
      parameter optional for applicable IA APIs.
      For details about Device Fingerprint and VIP Remembered Device credential types, see the
      VIP Remembered Device Integration Guide
      . See the
      VIP User Services Developer's Guide
      for details about
      IAAuthData
      .
    • Optionally, specify additional countries with increased risk, from where any user access attempt can increase the user's IA risk score.
    • Optionally, specify IP addresses from where you need to always challenge or always accept (succeed) user sign-in attempts. If you set the policy to always challenge, users coming from a listed IP address are always prompted for second-factor authentication, even if their credential is set to Remembered Device.
      Up to 100 entries can be uploaded from a single file (one IP address or one IP address range represents one entry). Each IP address must be in either IPv4 or IPv6 format and a hyphen must separate each IP address range. All entries must be comma-separated.
      For example:
      • For IPv4: 192.0.2.40,203.0.113.255,198.51.100.1-198.51.100.100
      • For IPv6: 2001:DB8::0:1804:0:15:0:100,2001:DB8:0:1804::15:30:100-2001:DB8:112:1804::15:40:100
  7. Click
    Save
    .