Critical: Securing your administrator accesses
WARNING this is a critical security point for your service
inWebo service administrator accounts are the most important accounts because they provide access to the administration console. Access to the administration console should never be lost! To protect against this, inWebo strongly advises the following:
Use Helium backup (applicable to all types of users)
Enroll at least 2 devices (applicable to all types of users)
Create at least a second administrator account
Generate an API certificate and keep it carefully in a secure place
For more information : How to secure your Administrator access
In order to preserve their access, administrators will receive alert emails: 30 days, 2 weeks and 1 week prior the expiration of one of their tools.
Accessing the Administration console
Administrator access is activated on the computer, when you are setting up your service (Trial or Enterprise)
The address of your administration console is: https://www.myinwebo.com/console/logon
You must activate a device/web browser to gain access to the administration console, and you
must be an administrator (i.e. have administration access) to access this administration console.
Administration console overview
Select the service you want to manage
Manage and troubleshoot your user accesses in the "Service Users" tab
Manage User groups and security policies in the "User Groups" tab
Configure your secure sites and applications in the "Secure Sites" tab
Configure your security / authentication service in the "Service parameters" tab
Read your reports and analyze your activity in the "Usage Reports" log
Defining your default/standard security settings
In the service parameters tab (5), you have to provide details for standard "users" (users who are not members of a group).
Without PIN: the user's inWebo PIN is not required to generate an OTP with Authenticator and Virtual Authenticator.
With PIN: the user's inWebo PIN is required to generate an OTP with Authenticator and Virtual Authenticator.
Configuring Authenticator app, default restriction
If a mobile phone is registered on the user profile, set inWebo Authenticator (mobile/desktop) parameters.
inWebo Authenticator (mobile/desktop)
Maximum number of devices
Limits the maximum number of smartphones a user can register. (0 for unlimited)
You must define a strict restriction on the number of devices allowed for a standard user for standard users (users who are not members of a group). Note that a group membership with a "security policy" will override this default restriction.
Tools automatically blocked after
Limits the maximum number of days a device may remain inactive before being blocked. (0 for unlimited)
Tools automatically deleted after
Limits the maximum number of days a device may remain inactive before being deleted. (0 for unlimited)
Authentication with biometrics allowed
Authentication with biometrics only
This setting cannot be changed. To be compliant with the GDPR (General Data Protection Regulation), the user should have the choice to use biometrics or not.
This setting allows you to set the offline OTPs format. The online OTPs format is always 8 characters.
You can choose the offline format based on what your authentication interface supports.
Choose OTP length according to the security level required, meaning the probability of finding the correct OTP by luck or brute force: the longer the OTP, the safer it is.
Allow online OTPs
In this setting, if Online OTP cannot be generated, then Offline OTPs are generated as a backup for an occasional use case. For mostly offline use case, you should set the full Offline mode.
Enable OTP in full Offline mode
The "full offline mode" is used when inWebo MFA is needed to open a network connection.
Enabling the OTP in full Offline mode does not mean that all users will always be offline. You can enable full offline mode for always offline users while allowing online OTPs for others users.
After generating an OTP, users should wait 50 seconds to generate a new OTP.
In the following scenarios (in full offline mode):
the next OTP will be rejected. The user will have to generate another OTP: this one will be validated.
Yes → The user can manage their account by themselves from the Authenticator application (PIN management).
No → The user cannot manage their account by themselves from the Authenticator application.
The Selfcare function is accessible to users that have a pin. In a service without pin, Selfcare will be accessible to administrators only.
Configuring inWebo Virtual Authenticator / browser, default restriction
Activated: Yes or No / to enable authentication via the Virtual Authenticator interface
Maximum number of devices: the maximum number of browsers a user can register with Virtual authenticator for this service
Note: A user can activate an unlimited number of browsers with his inWebo identity, but only the specified number of devices can access the service.
Configuring inWebo Helium / browser, default restriction
If you are using Helium, you can configure the following settings:
Activated: Yes or No / to enable authentication via the Helium interface
Maximum number of devices: the maximum number of browsers a user can register with Helium for this service
Helium authentication mode: Without password: the user's password is not required to generate an OTP and With password: the user's password is required to generate an OTP
Recommended maximum number of devices for standard users
The values indicated in the "Service Parameter" tab represent default values and the minimum number of devices a standard user can enlist, this should be the strict minimum:
inWebo Authenticator (mobile): 1
inWebo Virtual Authenticator (browser): 1
inWebo Helium (browser): 1
Maximum number of devices of all types: 2 (At the bottom of the page)
Activating Transaction sealing
If you have requested the transaction sealing option from inWebo.
You'll be able to enable it for your service in the "service parameters" tab
For inWebo White label and legacy offer: in the "inWebo mAccess" section (if enabled)
For inWebo Standard offer: in the "General settings" section
Change the "Transaction sealing" option to >Yes<
Defining groups and security
Creating a security policy for a group
In the User Groups tab, click the "Manage the security Policies", above the Service ID.
You'll reach the "Manage Security Policies" page, in this page you can edit specific policies applied to groups.
Create a new policy with the button or edit an already existing one by clicking on it.
It is up to you to decide whether your policy will be more generous than the default security settings.
Once you set the security you can save it and apply it to a group.
How to manage groups
When you reach the User Groups tab of the administration console, you see the groups which have been created for this service.
You can Create, Edit or Delete groups via this interface.
Creating a group
If you decide to create a Group you will reach a page displaying:
The name of the group you want to create
The security policy you previously created
The secure sites the users of the group can see,
The shaded boxes in front of a "secure site" indicates the sites available for all users in the service.
You may select/check the sites the group will see.
Restricting the Secure site visibility to a specific group.
To restrict the visibility of a Secure site only to a specific group, you have to edit the Secure site / Application in the "Secure Sites" tab of the console,
and check the Give Access / Only to defined groups of users.
Synchronizing with IWDS
If you are using IWDS, you have to create the same number of groups as the number of LDAP groups you want to synchronize with IWDS:
Once you have created these groups in the Administration console you have to associate them to LDAP group/UO in the IWDS console.
*LDAP group mapping tab in IWDS
Viewing a group's list of users
When you edit a group, you'll see the button "View all group users" available.
When clicking on this button, you'll reach the "Service Users" tab with the users filtered by the group you have selected.
This allows you to view only the members of this group and to perform the targeted action.
Managing roles and group administration
When clicking on the "Service Users" tab, you'll see the "Manage User Roles" button above the Service ID
You can "Add a new role" or Edit existing roles.
Creating a new role
To define a new role, you select (check box) the features and tabs available for this role, at your convenience.
When creating a new role it's recommended to create a new user and to test the access / restrictions with another activated browser to see the result of your restrictions.
When you modify an existing role it is advised to Log out - Log in to ensure the role has been correctly updated.
If you want to assign a role to a restricted group:
You should create a "Group Administrator" role, with the following attributes:
You select "User" role as User service role parameter
You select the group you want to manage at the bottom of the profile
You select the newly created "Group Administrator" role for this group
You'll notice that there is no standard Administrator role available for a group, so you should assign the user the Group Administrator role created previously.
Adding new users
To add a user to the interface, you can use the button "Add a new user" (1),
An empty user profile will be displayed, only the login is mandatory (2).
If you input an Email address, you can directly send an Activation link in an email to the new user.
(3) and (4). In the "User service role" section (5), you may select the role that will be assigned to the user for the whole service. (User, Administrator,...)
For (6) and (7) you can add the user to a group with a user role or a customized role
Optional - You can specify the user first name and last name. Note that the following special characters
' . - _ ! # ^ ~() are authorized.
If the "Send an activation email" is not selected, when saving the user you should retrieve the activation code in the Administration console:
This Activation code has a duration of 30mn.
Unlocking / Password locked
If a user has made 3 attempts to login with a wrong password, he will be locked.
If the user has not deleted all his devices, you can send him the following elements to unlock one of his tools:
An unlock code with immediate use (A code you can use to reset your password) it has a duration of 30mn
An unlock link sent by mail (The user will receive in his mail address a link to create an unlock code)
An unlock link with immediate use (It will display a link to give to the user to create an unlock code)
If the user has deleted all his tools, as there are no locked tools, the user status will not show the locked state, you will have to perform a "User Restore" procedure.
The user restore procedure will delete and recreate an identical user, this procedure will create an activation code which will also unlock the user, after confirmation of the "restoration" procedure. The user profile will close and a new activation code will be displayed in the interface, at the top of the "Service user" tab
When asked for an unlock code, the user will use this activation code to unlock his account and activate a new device at the same time.
Customizing Email Templates
In the "Service Users" tab, at the top right of the administration console, you have the button "Customize Email Templates", it gives you access to all the service email templates which will be sent to your users (in French or English) .
You can customize the following templates: 1st activation email, Confirmation email, Add new device email, Unlock device email.
Under the text block, you will find a list of variables you can use to compose your email and to access user data:
_SERVICE_ displays the name of the service for which the email is sent
The following variables can be inserted into the body of the message only:
_LINK_ displays a link opening a generic activation page allowing the user to choose between a mobile or browser activation
_LINK:BROWSER_ displays a link opening a browser activation page (inWebo Virtual Authenticator or inWebo Helium according to your service settings)
_LINK:MOBILE_ displays a link opening a mobile activation page (inWebo Authenticator or inWebo mAccess)
_FIRSTNAME_ displays the user's first name
_LASTNAME_ displays the user's last name
_LOGIN_ displays the user's login name
For a mobile activation, you may use the following link to direct users straight to the activation screen, with the activation code already filled-in → https://near.myinwebo.com/enrole/activate?code=_CODE_
You can easily delete an inWebo user with the "trash can" at the end of the line.
You can also select/check multiple users and select "Delete selected users from service" at the bottom of the page if you want to perform a mass delete of users.
How to search and filter your users
In the "User tab" you have access to the "Filter Users" button, it will display a menu to search and filter your user list.
Search by login name:
Filter by group
Filter by status (Activated, Pending Activation, not activated)
Display users with no activity
since >?< day(s)
You can for instance, Filter all users without activity for 60 days and select them for deletion.
this operation can display Administrator level accounts. / be sure to verify the user's status before a deletion operation
Accessing Reports and Troubleshooting
In the "Usage Reports" tab, you have access to the following Reports:
Service Parameter Updates
These reports are available through the combo box at the top of the page
Troubleshooting user provisioning, activation and deletion
The "User provisioning" reports display all operations performed on users such as their creation, activation and update for the service in question along with error messages.
Troubleshooting tool/device and user access
If the users lock a tool or a device, it is important that they don't delete or clean their Web browser,
as they will delete their information and it will be harder to recover their access without an activated device.
The administrator can see in the user profile that the user PIN code is Locked, he can also see the tools which are concerned: