Step-up authentication

Step-up authentication protects areas of the VIP Dashboard where users can access secure information (e.g. Single Sign-On (SSO) Configurations) and protects actions that are not reversible (e.g. removing a domain or editing IP Restrictions).

Limitations

• For step-up authentication to work as expected, a user’s browser must allow pop-ups from dashboard.wpvip.com. If pop-ups from dashboard.wpvip.com are blocked, the user will be unable to complete the required authentication and will not have access to protected actions or routes.
• Step-up authentication does not apply to users who log in to the VIP Dashboard with their organization’s SSO service. For those users, authentication rules are handled by their organization’s IdP.

Default behavior

Step-up authentication only applies to VIP Dashboard users who:

• Have logged in to the VIP Dashboard with a VIP Authentication MFA method. Step-up authentication does not apply to users who log in to the VIP Dashboard with their organization’s SSO service. For those users, authentication rules are handled by their organization’s IdP.
• Have an Org admin role or an App admin role assigned to them. Only these roles have the permissions to access the actions and routes that are protected by step-up authentication.

When a user with an Org admin role or an App admin role attempts to perform a sensitive action or access a higher-risk resource, they will be prompted by step-up authentication to re-authenticate with VIP Authentication using one of their configured MFA methods. If the user re-authenticates successfully, they will be allowed to perform protected actions and access protected areas in the VIP Dashboard for one hour. After one hour expires, the requirement to re-authenticate will repeat.

Pop-up window for authentication

Step-up authentication triggers a pop-up window in the user’s browser for VIP Authentication and blocks access to the current VIP Dashboard panel with an overlay.

If the pop-up window fails, the user can attempt to re-trigger it by selecting the button labeled “Open authentication pop-up” in the overlay. If the pop-up continues to fail, the user’s browser might be blocking pop-ups. The browser’s settings must be updated to allow pop-ups from dashboard.wpvip.com or the user will be unable to complete authentication and have access to protected actions and routes.