
Step-up authentication

Step-up authentication protects areas of the VIP Dashboard where users can access secure information (e.g. Single Sign-On (SSO) Configurations) and protects actions that are not reversible (e.g. removing a domain or editing IP Restrictions).

Limitations

For step-up authentication to work as expected, a user’s browser must allow pop-ups from dashboard.wpvip.com. If pop-ups from dashboard.wpvip.com are blocked, the user will be unable to complete the required authentication and will not have access to protected actions or routes.

Default behavior

Step-up authentication only applies to VIP Dashboard users who:

When a user with an Org admin role or an App admin role attempts to perform a sensitive action or access a higher-risk resource, step-up authentication prompts them to re-authenticate with VIP Authentication using one of their configured MFA methods. If the user re-authenticates successfully, they are allowed to perform protected actions and access protected areas in the VIP Dashboard for one hour. Once that hour expires, the user must re-authenticate before performing a protected action again.
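The one-hour window described above can be pictured as a freshness check made on each protected request. The following is an added example, not VIP Dashboard code: the action names, the `lastStepUpAt` session field and the choice to require re-authentication at exactly the one-hour mark are assumptions made for illustration.

```javascript
// Added illustration; all identifiers are hypothetical, not VIP Dashboard code.
const STEP_UP_WINDOW_MS = 60 * 60 * 1000; // one hour, per the documented behavior

// Hypothetical names for the protected examples the page lists.
const PROTECTED_ACTIONS = new Set([
  'sso-config:view',
  'domain:remove',
  'ip-restrictions:edit',
]);

// Returns 'allow' or 'step-up-required' for a requested action.
// session.lastStepUpAt is the epoch-ms time of the last successful MFA
// re-authentication (not of the original login), or undefined if none.
function evaluateStepUp(session, action, now = Date.now()) {
  // Unprotected actions never trigger the prompt.
  if (!PROTECTED_ACTIONS.has(action)) return 'allow';

  const at = session.lastStepUpAt;
  // Fail closed on a missing, non-numeric or future timestamp, so a
  // tampered or corrupted session cannot extend the window.
  if (!Number.isFinite(at) || at > now) return 'step-up-required';

  // Assumption: access ends once a full hour has elapsed.
  return now - at < STEP_UP_WINDOW_MS ? 'allow' : 'step-up-required';
}

// Records a completed re-authentication. Call only after the MFA
// challenge has been verified server-side.
function recordStepUp(session, now = Date.now()) {
  return { ...session, lastStepUpAt: now };
}
```

Keeping the timestamp in server-side session state, rather than in anything the browser can set, is what makes the window enforceable.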

Pop-up window for authentication

Step-up authentication triggers a pop-up window in the user’s browser for VIP Authentication and blocks access to the current VIP Dashboard panel with an overlay.

If the pop-up window fails, the user can attempt to re-trigger it by selecting the button labeled “Open authentication pop-up” in the overlay. If the pop-up continues to fail, the user’s browser might be blocking pop-ups. The browser’s settings must be updated to allow pop-ups from dashboard.wpvip.com; otherwise the user will be unable to complete authentication and will not have access to protected actions and routes.

Example screenshot of the VIP Authentication pop-up
Example screenshot of the step-up authentication overlay

Last updated: April 24, 2025

Relevant to

  • Node.js
  • WordPress