Critical: Securing your administrator accesses

WARNING this is a critical security point for your service

inWebo service administrator accounts are the most important accounts because they provide access to the administration console. Access to the administration console should never be lost! To protect against this, inWebo strongly advises the following:

  • Use Helium backup (applicable to all types of users)

  • Enroll at least 2 devices (applicable to all types of users)

  • Create at least a second administrator account

  • Generate an API certificate and keep it carefully in a secure place

    For more information : How to secure your Administrator access

Email alerts

In order to preserve their access, administrators will receive alert emails: 30 days, 2 weeks and 1 week prior the expiration of one of their tools.

Accessing the Administration console

Administrator access is activated on the computer, when you are setting up your service (Trial or Enterprise)

The address of your administration console is: https://www.myinwebo.com/console/logon

You must activate a device/web browser to gain access to the administration console, and you

must be an administrator (i.e. have administration access) to access this administration console.

Administration console overview

  1. Select the service you want to manage

  2. Manage and troubleshoot your user accesses in the "Service Users" tab

  3. Manage User groups and security policies in the "User Groups" tab

  4. Configure your secure sites and applications in the "Secure Sites" tab

  5. Configure your security / authentication service in the "Service parameters" tab

  6. Read your reports and analyze your activity in the "Usage Reports" log

Defining your default/standard security settings

In the service parameters tab (5), you have to provide details for standard "users" (users who are not members of a group).

Authentication mode:

  • Without PIN: the user's inWebo PIN is not required to generate an OTP with Authenticator and Virtual Authenticator.

  • With PIN: the user's inWebo PIN is required to generate an OTP with Authenticator and Virtual Authenticator.

Configuring Authenticator app, default restriction

If a mobile phone is registered on the user profile, set inWebo Authenticator (mobile/desktop) parameters.

inWebo Authenticator (mobile/desktop)

Setting

Description

Activated

  • Yes → The users can connect to the service Secure Sites and applications with inWebo Authenticator application.

  • No → The users cannot connect to the service Secure Sites and applications with inWebo Authenticator application.

Maximum number of devices

Limits the maximum number of smartphones a user can register. (0 for unlimited) 

You must define a strict restriction on the number of devices allowed for a standard user for standard users (users who are not members of a group). Note that a group membership with a "security policy" will override this default restriction.

Tools automatically blocked after

Limits the maximum number of days a device may remain inactive before being blocked. (0 for unlimited) 

Tools automatically deleted after

Limits the maximum number of days a device may remain inactive before being deleted. (0 for unlimited) 

Authentication with biometrics allowed

  • Yes → the user to can authenticate using biometrics.

  • No → the user cannot authenticate using biometrics.

Authentication with biometrics only

This setting cannot be changed. To be compliant with the GDPR (General Data Protection Regulation), the user should have the choice to use biometrics or not.

OTP format

This setting allows you to set the offline OTPs format. The online OTPs format is always 8 characters.

You can choose the offline format based on what your authentication interface supports.

  • 8 digits → OTP is a string of 8 numbers.

  • 6 characters alphanum → OTP is a string of 6 alphanumerics characters (letters and numbers)

  • 7 characters alphanum → OTP is a string of 7 alphanumerics characters (letters and numbers)

  • 8 characters alphanum → OTP is a string of 8 alphanumerics characters (letters and numbers)

Choose OTP length according to the security level required, meaning the probability of finding the correct OTP by luck or brute force: the longer the OTP, the safer it is.

Allow online OTPs

  • Yes → Authenticator will first try to generate online OTP.

  • No → Authenticator will not try to generate online OTP.

In this setting, if Online OTP cannot be generated, then Offline OTPs are generated as a backup for an occasional use case. For mostly offline use case, you should set the full Offline mode.

Enable OTP in full Offline mode

The "full offline mode" is used when inWebo MFA is needed to open a network connection.

  • Yes → enables Authenticator to generate OTPs for always offline users. Set it when the use case for generating OTP is mostly offline.

  • No → disables Authenticator to generate OTPs for always offline users.

Enabling the OTP in full Offline mode does not mean that all users will always be offline. You can enable full offline mode for always offline users while allowing online OTPs for others users.

After generating an OTP, users should wait 50 seconds to generate a new OTP.

Error cases
In order to resynchronize Authenticator and the inWebo service, 2 OTPs are needed in a short time (less than 15 minutes).

In the following scenarios (in full offline mode):

  • OTP input error,

  • a generated OTP is not submitted,

  • a generated OTP is submitted late,

the next OTP will be rejected. The user will have to generate another OTP: this one will be validated.

Selfcare access

Yes → The user can manage their account by themselves from the Authenticator application (PIN management).

No → The user cannot manage their account by themselves from the Authenticator application.

The Selfcare function is accessible to users that have a pin. In a service without pin, Selfcare will be accessible to administrators only.

Audit access

  • Yes → the user can access to their audit.

  • No → the user cannot access to their audit.

Configuring inWebo Virtual Authenticator / browser, default restriction

  • Activated: Yes or No / to enable authentication via the Virtual Authenticator interface

  • Maximum number of devices:  the maximum number of browsers a user can register with Virtual authenticator for this service

Note: A user can activate an unlimited number of browsers with his inWebo identity, but only the specified number of devices can access the service.

Configuring inWebo Helium / browser, default restriction

If you are using Helium, you can configure the following settings:

  • Activated: Yes or No / to enable authentication via the Helium interface 

  • Maximum number of devices: the maximum number of browsers a user can register with Helium for this service

  • Helium authentication mode: Without password: the user's password is not required to generate an OTP and With password: the user's password is required to generate an OTP

Recommended maximum number of devices for standard users

The values indicated in the "Service Parameter" tab represent default values and the minimum number of devices a standard user can enlist, this should be the strict minimum:

  • inWebo Authenticator (mobile): 1

  • inWebo Virtual Authenticator (browser): 1

  • inWebo Helium (browser): 1

  • Maximum number of devices of all types: 2 (At the bottom of the page)

Activating Transaction sealing

If you have requested the transaction sealing option from inWebo.
You'll be able to enable it for your service in the "service parameters" tab

  • For inWebo White label and legacy offer: in the "inWebo mAccess" section (if enabled)

  • For inWebo Standard offer: in the "General settings" section

Change the "Transaction sealing" option to >Yes<

Defining groups and security

Creating a security policy for a group

In the User Groups tab, click the "Manage the security Policies", above the Service ID.

You'll reach the "Manage Security Policies" page, in this page you can edit specific policies applied to groups.

  • Create a new policy with the button or edit an already existing one by clicking on it.

It is up to you to decide whether your policy will be more generous than the default security settings.

Once you set the security you can save it and apply it to a group.

How to manage groups

When you reach the User Groups tab of the administration console, you see the groups which have been created for this service.

You can Create, Edit or Delete groups via this interface.

Creating a group

If you decide to create a Group you will reach a page displaying:

  • The name of the group you want to create

  • The security policy you previously created

  • The secure sites the users of the group can see,

The shaded boxes in front of a "secure site" indicates the sites available for all users in the service.

You may select/check the sites the group will see.

Restricting the Secure site visibility to a specific group.

To restrict the visibility of a Secure site only to a specific group, you have to edit the Secure site / Application in the "Secure Sites" tab of the console,

and check the Give Access / Only to defined groups of users.

Synchronizing with IWDS

If you are using IWDS, you have to create the same number of groups as the number of LDAP groups you want to synchronize with IWDS:

Once you have created these groups in the Administration console you have to associate them to LDAP group/UO in the IWDS console.


*LDAP group mapping tab in IWDS

Viewing a group's list of users

When you edit a group, you'll see the button "View all group users" available.

When clicking on this button, you'll reach the "Service Users" tab with the users filtered by the group you have selected.

This allows you to view only the members of this group and to perform the targeted action.

Managing roles and group administration

Defining Roles

When clicking on the "Service Users" tab, you'll see the "Manage User Roles" button above the Service ID

You can "Add a new role" or Edit existing roles.

Creating a new role

To define a new role, you select (check box) the features and tabs available for this role, at your convenience.

When creating a new role it's recommended to create a new user and to test the access / restrictions with another activated browser to see the result of your restrictions.

When you modify an existing role it is advised to Log out - Log in to ensure the role has been correctly updated.

Group administration

If you want to assign a role to a restricted group:

  1. You should create a "Group Administrator" role, with the following attributes:

  2. You select "User" role as User service role parameter

  3. You select the group you want to manage at the bottom of the profile

  4. You select the newly created "Group Administrator" role for this group

You'll notice that there is no standard Administrator role available for a group, so you should assign the user the Group Administrator role created previously.

Managing users

Adding new users

To add a user to the interface, you can use the button "Add a new user" (1),

An empty user profile will be displayed, only the login is mandatory (2).

If you input an Email address, you can directly send an Activation link in an email to the new user.

(3) and (4). In the "User service role" section (5), you may select the role that will be assigned to the user for the whole service. (User, Administrator,...) 

For (6) and (7) you can add the user to a group with a user role or a customized role 

Optional - You can specify the user first name and last name. Note that the following special characters ' . - _ ! # ^ ~()[] are authorized.

If the "Send an activation email" is not selected, when saving the user you should retrieve the activation code in the Administration console:

This Activation code has a duration of 30mn.

Unlocking / Password locked

If a user has made 3 attempts to login with a wrong password, he will be locked.

If the user has not deleted all his devices, you can send him the following elements to unlock one of his tools:

  • An unlock code with immediate use (A code you can use to reset your password) it has a duration of 30mn

  • An unlock link sent by mail (The user will receive in his mail address a link to create an unlock code)

  • An unlock link with immediate use (It will display a link to give to the user to create an unlock code)

If the user has deleted all his tools, as there are no locked tools, the user status will not show the locked state, you will have to perform a "User Restore" procedure.

User restore

The user restore procedure will delete and recreate an identical user, this procedure will create an activation code which will also unlock the user, after confirmation of the "restoration" procedure. The user profile will close and a new activation code will be displayed in the interface, at the top of the "Service user" tab

When asked for an unlock code, the user will use this activation code to unlock his account and activate a new device at the same time.

Customizing Email Templates

In the "Service Users" tab, at the top right of the administration console, you have the button "Customize Email Templates", it gives you access to all the service email templates which will be sent to your users (in French or English) .

You can customize the following templates: 1st activation email, Confirmation email, Add new device email, Unlock device email.

Under the text block, you will find a list of variables you can use to compose your email and to access user data:

_SERVICE_ displays the name of the service for which the email is sent
The following variables can be inserted into the body of the message only:
_LINK_ displays a link opening a generic activation page allowing the user to choose between a mobile or browser activation
_LINK:BROWSER_ displays a link opening a browser activation page (inWebo Virtual Authenticator or inWebo Helium according to your service settings)
_LINK:MOBILE_ displays a link opening a mobile activation page (inWebo Authenticator or inWebo mAccess)
_FIRSTNAME_ displays the user's first name
_LASTNAME_ displays the user's last name
_LOGIN_ displays the user's login name

Deep Linking

For a mobile activation, you may use the following link to direct users straight to the activation screen, with the activation code already filled-in → https://near.myinwebo.com/enrole/activate?code=_CODE_

Deletion

You can easily delete an inWebo user with the "trash can" at the end of the line.
You can also select/check multiple users and select "Delete selected users from service" at the bottom of the page if you want to perform a mass delete of users.

How to search and filter your users

In the "User tab" you have access to the "Filter Users" button, it will display a menu to search and filter your user list.

  • Search by login name:

  • Filter by group

  • Filter by status (Activated, Pending Activation, not activated)

  • Display users with no activity

      since >?< day(s)


You can for instance, Filter all users without activity for 60 days and select them for deletion.

warning

this operation can display Administrator level accounts. / be sure to verify the user's status before a deletion operation 

Accessing Reports and Troubleshooting

Accessing Reports

In the "Usage Reports" tab, you have access to the following Reports:

  • Authentications

  • User provisioning

  • User activation 

  • Service Parameter Updates

These reports are available through the combo box at the top of the page 

Troubleshooting user provisioning, activation and deletion

The "User provisioning" reports display all operations performed on users such as their creation, activation and update for the service in question along with error messages.

Troubleshooting tool/device and user access

If the users lock a tool or a device, it is important that they don't delete or clean their Web browser,
as they will delete their information and it will be harder to recover their access without an activated device.

The administrator can see in the user profile that the user PIN code is Locked, he can also see the tools which are concerned: