Symantec Validation and ID Protection Service (VIP) Member Site Guide

Transcription

1 Symantec Validation and ID Protection Service (VIP) Member Site Guide

2 ii Symantec VIP Member Site Guide The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Last updated June 20, 2013 Legal Notice Copyright Symantec Corporation. ll rights reserved Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. VeriSign, VeriSign Trust, and other related marks are the trademarks or registered trademarks of VeriSign, Inc. or its affiliates or subsidiaries in the U.S. and other countries and licensed to Symantec Corporation. Other names may be trademarks of their respective owners. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTTION IS PROVIDED S IS ND LL EXPRESS OR IMPLIED CONDITIONS, REPRESENTTIONS ND WRRNTIES, INCLUDING NY IMPLIED WRRNTY OF MERCHNTILITY, FITNESS FOR PRTICULR PURPOSE OR NON-INFRINGEMENT, RE DISCLIMED, EXCEPT TO THE EXTENT THT SUCH DISCLIMERS RE HELD TO E LEGLLY INVLID. SYMNTEC CORPORTION SHLL NOT E LILE FOR INCIDENTL OR CONSEQUENTIL DMGES IN CONNECTION WITH THE FURNISHING, PERFORMNCE, OR USE OF THIS DOCUMENTTION. THE INFORMTION CONTINED IN THIS DOCUMENTTION IS SUJECT TO CHNGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be commercial computer software as defined in FR and subject to restricted rights as defined in FR Section "Commercial Computer Software - Restricted Rights" and DFRS , et seq. Commercial Computer Software and Commercial Computer Software Documentation, as applicable, and any successor regulations. ny use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this greement. This document may describe features and/or functionality not present in your software or your service agreement. Contact your account representative to learn more about what is available with this Symantec product. Symantec Corporation 350 Ellis Street Mountain View, C

3 Contents Chapter 1 Chapter 2 Chapter 3 Chapter 4 Chapter 5 Chapter 6 Chapter 7 Introduction udience... 1 Related Documentation... 1 Getting Started Overview... 3 VIP Service Promotion VIP Service Promotion Page ccessed from Home Page or External Links... 6 VIP Service Promotion Page ccessed During Sign In Process... 7 User Profile Page... 8 Credential Procurement Process Redirecting Users to VIP Center for Credential Procurement... 9 Providing Credentials Directly to Users... 9 Registering a Credential Registration Reminder after Sign In Page...12 Three-Step Registration Process...12 Entering the Credential ID and Security Code...12 Locating the Credential ID...13 Locating the Security Code...14 Error Handling for Incorrect Credential ID or Security Code...15 Registration Confirmation Page...16 Signing In with a Registered VIP Credential Case 1: Credential Registration after Sign In Page...18 Case 2: Entering Security Code after Sign In Page...20 Security Code Help Page...21 Security Code Error Handling...22 Resetting Credentials...23 Signing In Without a VIP Credential...25 Secondary uthentication Mechanisms...25 Using Existing Password Recovery Method...26 Using Temporary Security Code...28 Managing Credentials Overview of Credential States...31 Recommended Credential Management Workflow...32 Displaying the Credential Management Landing Page...33 Credential Management Page for an Unregistered Credential...33 Credential Management Page for Registered Credentials...34 Credential Management Options...34 Report a Credential as Damaged...35 Report a Credential as Lost or Stolen...43

4 iv Contents Remove a Credential From an ccount...49 ppendix Index Recommended VIP Terminology

5 Chapter 1 Introduction This document defines the recommended user experience for the Symantec Validation and ID Protection (VIP) service. It provides interaction design guidelines that present a user experience that is intuitive, consistent, and recognizable across VIP member sites. Process flows, example page layouts, recommended graphics placement, and page descriptions are all provided to support the VIP user. Symantec highly recommends that VIP member organizations use consistent terminology and pre-defined page layouts to ensure a comprehensive user experience across all member sites within the VIP network. n appendix is provided as a guideline to help define recommended VIP terminology. ll suggested guidelines apply to the processes of the VIP service user interface implementation, including credential procurement, credential registration, user Sign In, and credential management. udience This document is intended for user-experience professionals or Web developers who are asked to implement the VIP service user interface within their organizations. These organizations are generally identified as one of the following: VIP member that provides security credentials to users, either through its own particular ecommerce process, or as a reseller. VIP member that does not provide security credentials to users, but directs its users to the Symantec Identity Protection Center for credential procurement. Related Documentation The following documents support information provided in this guide. VIP uthentication Service Overview. This document provides a high-level description of VIP uthentication Service, including planning recommendations, uses, and deployment methods. This document also describes the VIP uthentication Service components, and architecture. VIP Web Services Developer s Guide. This document describes how to set up the SOP Web Services interface between VIP and your client application.

6 2 Introduction Related Documentation

7 Chapter 2 Getting Started Overview The following figure illustrates the tasks your users can expect to perform at your site. For some user tasks, you can get started more quickly by leveraging Symantec s VIP infrastructure. Symantec has created and makes available Symantec-branded collateral and Web pagesaround credentials. y directing your end users to Symantec s VIP Center to learn about and obtain credentials, you can avoid the cost and effort of creating your own collateral and Web pages to support these tasks. You should direct your end users to Symantec s VIP Center if you wish to leverage Symantec s collateral and Web site for: Educating end users about VIP credentials (service promotion) Purchasing Symantec-branded security tokens or security cards. You must direct end users to Symantec s VIP Center if you wish to provide your end users with the free VIP ccess for Mobile credential. However, for some user tasks, or if you wish greater control over the user s experience (for example, you have branded the credentials with your organization s name and logo), you should create your own Web pages following the guidelines in this document.

8 4 Getting Started Overview See Table 2-1 to determine which options are available for each task, and for links to further information on implementing the pages to support them. Table 2-1 User task reference User ction You should See Learn bout Credentials Create promotional page and collateral. VIP Service Promotion on page 5. Obtain a Credential (mobile credentials) Obtain a Credential (all other credentials) Redirect users to Symantec's VIP Center. Redirect users to Symantec's VIP Center, or; Integrate VIP credentials into your existing procurement processes. Redirecting Users to VIP Center for Credential Procurement on page 9. Redirecting Users to VIP Center for Credential Procurement on page 9. Providing Credentials Directly to Users on page 9. Register a Credential Create a registration page. Registering a Credential on page 11. Sign in with a Credential Manage a Credential Integrate VIP credentials into your existing sign-in page. Integrate VIP credentials with your existing user account settings pages. Signing In with a Registered VIP Credential on page 17. Managing Credentials on page 31.

9 Chapter 3 VIP Service Promotion This chapter provides Symantec recommendations to help you promote the VIP service and educate your users about VIP credentials. Figure 3-1 illustrates the suggested workflow for promoting the VIP service. Figure 3-1 VIP Service promotion workflow

10 6 VIP Service Promotion Figure 3-2 shows examples of service promotion touch points on the Sign In page for a VIP member site. Provide a VIP logo near your Sign In prompt. This image should link to your promotional page for the VIP service. To facilitate user awareness and participation, include access points on the home page that educate your users about how their accounts can be protected. Link the access points to your promotional page for the VIP service. Figure 3-2 Home page VIP Service Promotion Page ccessed from Home Page or External Links Figure 3-3 on page 7 shows an example service promotion page accessible from your home page and from links embedded in external sources, such as and documentation related to your organization s site.

11 VIP Service Promotion 7 D E C F Provide a description of the VIP service. Illustrate the security code on your organization s credential. C Provide answers or helpful links for the commonly-asked questions in this section of the page. Symantec highly recommends that a new browser window be launched for each link. If you are providing credentials to your users, the credential price is unique to your organization. Symantec also provides the VIP ccess for Mobile credential free of charge from the VIP Center (see Redirecting Users to VIP Center for Credential Procurement on page 9). D Prominently display the VIP logo. E Include a link for users to register a credential at your site (see Registering a Credential on page 11). Users may already have a credential provided by another VIP member site. F Include a link to the VIP Center page that identifies member sites in the VIP network. Figure 3-3 Service promotion page VIP Service Promotion Page ccessed During Sign In Process If the user signs in but has not yet ordered a credential, provide a service promotion page immediately after the Sign In page. This page should be identical to the service promotion page shown in Figure 3-3 on page 7, but also include the unique content identified in Figure 3-4.

12 8 VIP Service Promotion User Profile Page User Profile Page Provide options for your user to dismiss the page so it does not display again. Figure 3-4 Extract from service promotion page after sign in user who has a registered credential at your site should have access to credential management information available in the user s personal profile area (for example, a page named My Settings or My Profile). Once a credential is registered, service promotion information should be replaced with credential management information (see Managing Credentials on page 31). Figure 3-5 shows example links on the left-hand side of a user profile page that offer access to credential management information. Provide helpful links for ordering, registering, and managing a credential. Figure 3-5 User profile page

13 Chapter 4 Credential Procurement Process The process for enabling a user to order a VIP credential depends on how the member site distributes credentials to users: Redirect users to Symantec s VIP Center to obtain credentials. This method provides the quickest integration of the credential procurement process. This method is also required if you choose to issue VIP ccess for Mobile credentials. For organizations that rely on Symantec to provide credentials to the organization s users, see Redirecting Users to VIP Center for Credential Procurement on page 9. Provide credentials directly to users. This method allows the greatest control over the user experience and allows complete integration with your existing procurement processes. For organizations that provide credentials directly to their users, see Providing Credentials Directly to Users on page 9. Redirecting Users to VIP Center for Credential Procurement For VIP members that prefer to have Symantec provide credentials to their users, a link for ordering a credential can appear on the service promotion page after sign in. The link should resolve to m.vip.symantec.com for VIP ccess for Mobile credentials or for all credential types. Users can follow the simple procurement flow within the VIP Center to purchase credentials directly from Symantec. Providing Credentials Directly to Users If providing physical credentials (such as VIP Security Tokens or VIP Security Cards), members have the freedom to manage the design and experience of credential ordering, purchase process, and delivery method as applicable to their existing internal guidelines. Pricing, payment methods, and shipping options may also be determined by each member site, independent from Symantec. However, Symantec recommends the following when integrating VIP credential procurement with your existing procurement processes: Prominently display the VIP logo on all pages of the credential procurement flow. If your organization offers a promotional code option, specify this (typically where you specify the credential pricing, quantity, and shipping method). Symantec requires that the credential can only be purchased after the user reviews and accepts the terms and conditions of a legal agreement for your organization. The text of this legal agreement must be similar to the text contained in the VIP Credential End User greement.

14 10 Credential Procurement Process Providing Credentials Directly to Users

15 Chapter 5 Registering a Credential This chapter provides Symantec recommendations to help guide your users through the credential registration process. Figure 5-1 illustrates the expected workflow for credential registration. Figure 5-1 Recommended workflow to register a VIP credential

16 12 Registering a Credential Registration Reminder after Sign In Page Registration Reminder after Sign In Page If you are a VIP member site that provides credentials to your users, you need to account for users who have purchased credentials, but have not yet registered their credentials at your site. For these cases, provide a page immediately after the Sign In page that prompts the user to register his or her credential. For details, see Case 1: Credential Registration after Sign In Page on page 18. Three-Step Registration Process user should perform the following three steps to successfully register a credential: Enter a credential ID. Enter a security code. Submit the credential ID and security code to complete credential registration. Entering the Credential ID and Security Code Figure 5-2 shows the recommended page elements for registering a credential. C D Prominently display the VIP logo. Explain that a credential ID typically contains 12 alphanumeric characters. C Provide a link to a page that shows where the credential ID is located on your organization s credential (Figure 5-3). D Provide a link to a page that shows how to generate the security code on your organization s credential. Figure 5-2 Register Your Credential page

17 Registering a Credential Three-Step Registration Process 13 Locating the Credential ID Figure 5-3 shows the location of a credential ID on a sample VIP Security Card. Prominently display the VIP logo. Identify the location of the credential ID. Figure 5-3 How to Locate Your Credential ID page

18 14 Registering a Credential Three-Step Registration Process Locating the Security Code Figure 5-3 shows the location of a security code on sample credentials. C D Prominently display the VIP logo. Identify the location of the security code. C Provide a link for users who have damaged or lost their credentials, or who may have other valid reasons for being unable to generate a security code (see Signing In Without a VIP Credential on page 25). D Include information to contact your customer support organization to address any security code issues. Figure 5-4 How to Locate Your Security Code page

19 Registering a Credential Three-Step Registration Process 15 Error Handling for Incorrect Credential ID or Security Code Figure 5-5 shows an example error message when a user has submitted an incorrect Credential ID or invalid security code during the registration process. Prominently display the VIP logo. Provide error messages to inform users why a credential ID may be invalid, or why attempts to generate a security code may have failed. You should provide unique security code error messages for the following conditions: When the security code was submitted after the validity period. If the security code was submitted beyond the 30-second time interval, the user must generate and submit another security code. When the entered security code included characters other than numbers. When no security code was entered. When the entered security code was less than or greater than six digits. Note: Symantec strongly recommends that the first condition for security code time interval be the only condition that is counted by the validation server as a failed attempt. The remaining conditions may be handled with internal scripts for error messages without sending the invalid attempts to the server. This flexibility helps prevent your user s credentials from becoming locked because of repeated security code attempts, and may also help reduce customer support calls within your organization. Figure 5-5 Register Your Credential error page

20 16 Registering a Credential Registration Confirmation Page Registration Confirmation Page Figure 5-6 shows the recommended page elements for a successful registration message. C Prominently display the VIP logo. Remind your users that the credential must now be used to access their accounts. C Provide direct access to the user s account. Figure 5-6 Registration Successful page

21 Chapter 6 Signing In with a Registered VIP Credential This chapter describes the sign-in scenarios for your VIP users. Figure 6-1 illustrates the expected workflow for VIP users who sign in to your site with registered credentials. Figure 6-1 Sign In workflow with a registered VIP credential

22 18 Signing In with a Registered VIP Credential Case 1: Credential Registration after Sign In Page Figure 6-2 shows an example Sign In page for a VIP member site. Provide a VIP image near your Sign In prompt. This image should link to a promotional page of the VIP service (see VIP Service Promotion on page 5). To facilitate user awareness and participation, include access points on the home page that educate your users about how their accounts can be protected. Link the access points to your promotional page for the VIP service (see VIP Service Promotion on page 5). Figure 6-2 Sign In page example Case 1: Credential Registration after Sign In Page This case is unique to VIP member sites that provide credentials to their users. If you are aware that a particular user has purchased a credential, but not yet registered that credential, provide a page immediately after the Sign In page that prompts the user to register the credential. page similar to Figure 6-3 should be substituted for the service promotion page when addressing these users.

23 Signing In with a Registered VIP Credential Case 1: Credential Registration after Sign In Page 19 Prominently display the VIP logo. Provide these options for a user: Register the credential immediately. gree to register the credential at a later time, and dismiss this page so it does not display again. Figure 6-3 Registration pending page

24 20 Signing In with a Registered VIP Credential Case 2: Entering Security Code after Sign In Page Case 2: Entering Security Code after Sign In Page Case 2 applies when a user has already registered a credential at your site. Provide a page similar to Figure 6-4 immediately after the Sign In page to prompts the user to enter his or her security code. C D E Prominently display the VIP logo. Provide a link to show where the security code is located on your organization s credential (Figure 6-5). C Provide a link for users who have damaged or lost their credentials, or who may have other valid reasons for being unable to generate a security code (see Signing In Without a VIP Credential on page 25). D Provide a link for users who may need to reset their credentials due to too many consecutive, invalid security codes (Figure 6-7). E Include information to contact your customer support organization to address any security code issues. Figure 6-4 Enter Security Code after Sign In page

25 Signing In with a Registered VIP Credential Case 2: Entering Security Code after Sign In Page 21 Security Code Help Page Figure 6-5 shows recommended elements to be included within the Security Code Help page. C D Prominently display the VIP logo. Describe how to generate a security code from your organization s credential. C Provide a link for users who have damaged or lost their credentials, or who may have other valid reasons for being unable to generate a security code (see Signing In Without a VIP Credential on page 25). D Include information to contact your customer support organization to address any security code issues. Figure 6-5 Security Code Help page

26 22 Signing In with a Registered VIP Credential Case 2: Entering Security Code after Sign In Page Security Code Error Handling Figure 6-6 shows an example error message when a user has submitted an invalid security code. Prominently display the VIP logo. Provide error messages to inform users why a credential ID may be invalid, or why attempts to generate a security code may have failed. You should provide unique security code error messages for the following conditions: When the security code was submitted after the validity period. If the security code was submitted beyond the 30-second time interval, the user must generate and submit another security code. When the entered security code included characters other than numbers. When no security code was entered. When the entered security code was less than or greater than six digits. Note: Symantec strongly recommends that the first condition for security code time interval be the only condition that is counted by the validation server as a failed attempt. The remaining conditions may be handled with internal scripts for error messages without sending the invalid attempts to the server. This flexibility helps prevent your user s credentials from becoming locked because of repeated security code attempts, and may also help reduce customer support calls within your organization. C Provide a link for users who have damaged or lost their credentials, or who may have other valid reasons for being unable to generate a security code (see Signing In Without a VIP Credential on page 25). D Provide a link for users who may need to reset their credentials due to too many consecutive, invalid security codes (Figure 6-7). E Include information to contact your customer support organization to address any security code issues. C D E Figure 6-6 Enter Security Code error page

27 Signing In with a Registered VIP Credential Case 2: Entering Security Code after Sign In Page 23 Resetting Credentials If the user enters two consecutive, invalid security codes, provide an error message that indicates that the credential must be reset. Figure 6-7 shows the recommended elements to include within the credential reset page. C D Prominently display the VIP logo. Explain why and how the credential should be reset. C Provide a link for users who have damaged or lost their credentials, or who may have other valid reasons for being unable to generate a security code (see Signing In Without a VIP Credential on page 25). D Include information to contact your customer support organization to address any issues. Figure 6-7 Reset Your VIP Credential page Provide a successful credential reset message. Figure 6-8 Reset Successful page

28 24 Signing In with a Registered VIP Credential Case 2: Entering Security Code after Sign In Page If two consecutive attempts to reset the credential fail, allow the user to try again or choose to sign in without the credential by displaying a page that contains the recommended elements shown in Figure 6-9. C D Prominently display the VIP logo. Users should be allowed to continue their attempt at resetting their credentials. C Provide a link for users who wish to sign in without a credential. This should be the same link as for users who have damaged or lost their credentials, or who may have other valid reasons for being unable to generate security codes (see Signing In Without a VIP Credential on page 25). D Include information to contact your customer support organization to address any reset or security code issues. Figure 6-9 Unable to Reset Your VIP Credential page Threshold for Security Code ttempts If your user has completed a maximum number of attempts to reset his or her credential and is still unsuccessful, the user should not be able to use the credential for authentication. The threshold for the maximum number of security code attempts is set at 10 attempts before the credential is locked (see Table 7-1 on page 31). However, this number is configurable, and may be changed to accommodate your own organization s threshold policy. Provide a page similar to Figure 6-10 on page 24 when your user has reached your organization s maximum threshold of security code attempts. The page should explicitly state that your users should contact customer support within your organization for assistance if they experience an account lockout. Figure 6-10 Maximum Sign In ttempts Reached page example

29 Signing In with a Registered VIP Credential Signing In Without a VIP Credential 25 Signing In Without a VIP Credential Users should be permitted to access their accounts if a security code cannot be generated, or if users do not have access to their credentials. For these cases, the user should authenticate by using a secondary authentication mechanism. There are valid conditions that may require a user to sign in without submitting a security code: The user forgot the credential or it is not accessible. The credential is lost or stolen. The credential is damaged. The credential has been disabled because of too many failed attempts at entering a security code. If the user does not have the credential in his or her immediate possession, the user should have the ability to select a link that allows account access without a credential. Secondary uthentication Mechanisms There are different ways to verify a user s identity so that he or she may sign in without generating a security code. Symantec recommends you use any existing password retrieval method already established within your organization. Some options may include: The user answers a challenge question (supported by your site). See Using Existing Password Recovery Method on page 26. The user receives a security code through , SMS, or Voice OTP. See Using Temporary Security Code on page 28. The user contacts customer support (not recommended by Symantec). Note: lthough a user challenge question may already exist as a supported method within your organization, Symantec endorses sending a temporary security code by , SMS, or Voice OTP for stronger authentication.

30 26 Signing In with a Registered VIP Credential Signing In Without a VIP Credential Using Existing Password Recovery Method Figure 6-11 shows the expected workflow for a user who wishes to sign in to a VIP member site without a credential using an alternative password retrieval method. Figure 6-11 Sign In Workflow that requires existing password recovery method Symantec does not recommend the use of a challenge question recovery method that is designed uniquely for a VIP credential.

31 Signing In with a Registered VIP Credential Signing In Without a VIP Credential 27 Figure 6-12 shows one example of password recovery page (using an organization s challenge question). Prominently display the VIP logo. Provide password retrieval method that is unique to your organization. In this example, the user is prompted with a challenge question. Figure 6-12 Sign In Without Your VIP Credential (challenge question) page Figure 6-13 shows the recommended page elements to display when a user s answer is incorrect. C Prominently display the VIP logo. Provide an informative error message. C Direct users to your customer support organization when they cannot access their accounts. Figure 6-13 Sign In Without Your VIP Credential error page

32 28 Signing In with a Registered VIP Credential Signing In Without a VIP Credential Using Temporary Security Code Figure 6-14 shows the expected workflow for a user who wishes to sign in to a VIP member site without a credential by requesting a temporary security code by , SMS, or Voice OTP. Figure 6-14 Sign In workflow requiring security code sent by , SMS, or Voice OTP

33 Signing In with a Registered VIP Credential Signing In Without a VIP Credential 29 Provide a page similar to Figure 6-15 that explicitly requests a user s address or telephone number. Figure 6-15 Request Security Code page Provide a page similar to Figure 6-16 to allow a user to enter the security code. Figure 6-16 Security Code Sent page Provide a page similar to Figure 6-17 to confirm the user has correctly accessed his or her account. Figure 6-17 Identity Verified page

34 30 Signing In with a Registered VIP Credential Signing In Without a VIP Credential

35 Chapter 7 Managing Credentials Your users should be able to manage the state of any registered credential through a Manage Credential link on your site. We recommend that the link be positioned alongside links for ordering and registering a credential on the same page, as shown in the User Profile Page on page 8. Overview of Credential States Table 7-1 provides the names of VIP credential states and how they behave in the credential management section of the user interface. Table 7-1 Credential State Registered Deactivated Locked Inactive VIP credential states for users Description credential that has been registered by a user for use at a member site within the VIP network. Once registered, the credential is considered active for the particular member site. The credential must be registered at each individual member site at which it is intended to be used. credential that has been removed from an account by of a user s request. This option is available in the credential management section of the member site (see Credential Management Options on page 34). Once deactivated, credentials should no longer appear on the user s Credential Management page. Credentials may also be deactivated by the member site through the VIP Manager tool. credential that is currently unavailable for validation. This state is set automatically by the system, based on account validation settings (see Resetting Credentials on page 23). previously registered credential that is no longer active because it was reported lost, stolen, or damaged. If the credential is subsequently found in working condition, it can be reregistered by the user.

36 32 Managing Credentials Recommended Credential Management Workflow Recommended Credential Management Workflow Figure 7-1 Recommended workflow for managing VIP credentials

37 Managing Credentials Displaying the Credential Management Landing Page 33 Displaying the Credential Management Landing Page When your users select the Manage Credential link, they should be presented with one of two potential landing pages for managing credentials; one if the user has not registered a credential and one if the user has registered a credential. Each page reflects a different flow for the user. Credential Management Page for an Unregistered Credential Figure 7-2 shows the recommended page elements to display when the user either has not yet purchased the credential, or has purchased the credential but not yet registered it C D E Prominently display the VIP logo. riefly explain the purpose of the VIP credential. To facilitate user awareness and participation, include a link to the service promotion page (Figure 3-3 on page 7) to help educate your users on how their accounts can be protected. C Provide an image of your organization s credential. D Provide options to either proceed with registering a credential or to order a new credential. Users may already have a credential provided by another VIP member site. E Include a link that enables a user to return directly to his or her account. Figure 7-2 VIP Credential Management (unregistered credential) page

38 34 Managing Credentials Credential Management Options Credential Management Page for Registered Credentials Figure 7-3 shows the recommended page elements to display when a user has registered one or more credentials at your site. C D Prominently display the VIP logo. Provide a link to access the page for changing the status of a credential (Figure 7-4 on page 35). C Provide options to either proceed with registering a credential or to order a new credential. Users may already have a credential provided by another VIP member site. D Include a link that enables a user to return directly to his or her account. Figure 7-3 Credential Management Options VIP Credential Management alternative page example Users should be able to take the following actions at a member site for registered VIP credentials: Report a credential as damaged. See Report a Credential as Damaged on page 35. Report a credential as lost or stolen. See Report a Credential as Lost or Stolen on page 43. Remove a credential from an account. See Remove a Credential From an ccount on page 49.

39 Managing Credentials Credential Management Options 35 Figure 7-4 shows the recommended page elements for managing credentials. C D E Prominently display the VIP logo. Display the credential name and ID, as well as the current status of the credential. C riefly describe VIP extended service, and include the validity period that is specific to your organization. D Provide brief descriptions for each of the status options. E Emphasize the fact that any change to a credential s state will apply only to your organization. Figure 7-4 Report a Credential as Damaged VIP Credential Management (status change) page example Once a user reports his or her credential as damaged, the credential is set to a deactivated state. The user should not be prompted for a security code during future sign-in attempts. If you are the site that issued the credential, you should provide Return Merchandise uthorization (RM) instructions to the user. Otherwise, you should prompt the user to also report the credential as damaged at the credential issuing site for possible RM options. Note: RM does not apply to mobile credentials (such as VIP ccess for Mobile) that are offered free of charge from the VIP Center. The user should also be offered an interim second factor authentication option during the time that they wait for a new credential. Symantec recommends using the member site s existing password retrieval method as this interim second factor. lternately, a member site can allow users to request a temporary security code that is sent to the address on file with the account. The user should not be allowed to select and enter a different address. Damaged credentials should not display in the user s credential management page (Figure 7-3 on page 34).

40 36 Managing Credentials Credential Management Options Figure 7-5 Recommended workflow for reporting a damaged credential

41 Managing Credentials Credential Management Options 37 Figure 7-6 shows the recommended page elements for reporting a damaged credential. C Prominently display the VIP logo. lert users that the credential will no longer be associated with an account at your site. C If offering more than one form of credential, allow users to select the credential type. Figure 7-6 Report Damaged VIP Credential page

42 38 Managing Credentials Credential Management Options Removing a Damaged Credential from an ccount Figure 7-7 identifies the recommended elements for the follow-up page to remove the credential from its related account. C D Prominently display the VIP logo. Remind users that the credential will no longer be associated with an account at your site. C Emphasize the fact that the credential will be removed only at your site. If a user wishes to remove a credential from accounts at other member sites, the user must do so at each individual site. D For organizations that provide credentials to their users, include options for a potential replacement or refund of the credential. Include the validity period that is specific to your organization. credential replacement or refund does not apply to mobile credentials (such as VIP ccess for Mobile) that are offered free of charge from the VIP Center. Figure 7-7 VIP Credential Removed (after reporting damaged credential) page example

43 Managing Credentials Credential Management Options 39 Replacing a Damaged Credential If a user chooses to replace the VIP credential, provide the suggested page elements shown in Figure 7-8. Prominently display the VIP logo. Determine the shipping method and replacement cost unique to your organization. Figure 7-8 VIP Credential Replacement page

44 40 Managing Credentials Credential Management Options Provide a page to collect the user s shipping information, similar to Figure 7-9. Prominently display the VIP logo. Identify the fields required by your organization. Figure 7-9 VIP Credential Replacement (shipping information) page

45 Managing Credentials Credential Management Options 41 Extending VIP Service You may choose to provide the option for temporary VIP extended coverage until a user receives and registers a replacement credential. Figure 7-7 identifies the recommended page elements for this option. C D Prominently display the VIP logo. lert users they will receive an notification that confirms shipment of a replacement credential. C Specify your organization s validity period for potential extended VIP service. D Provide options for account Sign In without a credential. Figure 7-11 on page 42 shows an example page when the option is selected to have a security code ed to the user s address. Figure 7-10 VIP Credential Replacement (service extension) page

46 42 Managing Credentials Credential Management Options Figure 7-11 identifies the recommended elements to include on the page for extended VIP coverage if the user selects the challenge question option. C D Prominently display the VIP logo. Describe the selected method for extended VIP service. C Specify your organization s validity period for extended VIP service. D Note the fact that VIP service will be extended only at your site. If a user wishes to extend VIP service at other member sites that offer an extension period, the user must do so at each individual site. Figure 7-11 VIP Extension Enabled ( ) page

47 Managing Credentials Credential Management Options 43 Requesting Refund for a Damaged Credential If a user chooses the option to receive a full refund for the VIP credential, provide the suggested page elements shown in Figure C Prominently display the VIP logo. Describe the refund policy for your organization, including the timeframe for reimbursement. C lert users they will receive an notification that confirms the refund of the credential. Figure 7-12 VIP Credential Refund Confirmation page Report a Credential as Lost or Stolen If the user reports a VIP credential as lost or stolen, the credential is set to an inactive state. The user should not be prompted for a security code during future sign-in attempts. RM options should not be offered to users who report their credentials as lost or stolen. The user should be offered an interim second factor authentication option during the time that they wait for a new credential. Symantec recommends using the member site s existing password retrieval method as this interim second factor. lternately, a member site can allow users to request a temporary security code that is sent to the address on file with the account. The user should not be allowed to select and enter a different address.

48 44 Managing Credentials Credential Management Options Credentials that are reported as lost or stolen should continue to be displayed in the user s credential management page with an inactive state (Figure 7-3 on page 34). Users should have the option of reregistering an inactive credential if it is found. Figure 7-13 Recommended workflow for reporting a lost or stolen credential

49 Managing Credentials Credential Management Options 45 Prominently display the VIP logo. lert users that the credential will no longer be associated with an account at your site. Figure 7-14 Report VIP Credential Lost or Stolen page

50 46 Managing Credentials Credential Management Options Removing a Lost or Stolen Credential from an ccount When a user selects the option to report a credential as either lost or stolen, the credential should be deactivated and subsequently removed from its related account C Prominently display the VIP logo. Remind users that the credential will no longer be associated with an account at your site. C Emphasize the fact that the credential will be removed only at your site. If a user wishes to remove a credential from accounts at other member sites, the user must do so at each individual site. Figure 7-15 VIP Credential Removed (after reporting lost or stolen credential) page example

51 Managing Credentials Credential Management Options 47 Extending VIP Service You may choose to provide the option for temporary VIP extended coverage. This page includes similar elements as the page to extend VIP service when replacing a credential (Figure 7-10 on page 41). C Prominently display the VIP logo. Specify your organization s validity period for potential extended VIP service. C Provide options for account sign-in without a credential. Figure 6-12 on page 27 shows an example page when an option is selected to answer a challenge question unique to your organization. Figure 7-16 Extend VIP Service (after reporting lost or stolen credential) page example

52 48 Managing Credentials Credential Management Options Figure 7-17 identifies the recommended elements to include on the page for extended VIP coverage if the user selects the challenge question option. C D Prominently display the VIP logo. Describe the selected method for extended VIP service. C Specify your organization s validity period for extended VIP service. D Note the fact that VIP service will be extended only at your site. If a user wishes to extend VIP service at other member sites that offer an extension period, the user must do so at each individual site. Figure 7-17 VIP Extension Enabled ( ) page example

53 Managing Credentials Credential Management Options 49 Remove a Credential From an ccount If the user chooses to remove a credential from his or her account, the credential is set to a deactivated state and should not be displayed in the user s credential management page (Figure 7-3 on page 34). The user should not be prompted for a security code during future sign-in attempts. When users remove credentials from their accounts, they should not be offered RM options or interim second factor authentication online protection. Figure 7-18 Recommended workflow for removing a credential from an account

54 50 Managing Credentials Credential Management Options Figure 7-19 shows an example page for a user to confirm the credential removal. This page should immediately follow Figure 7-4 on page 35. Prominently display the VIP logo. Remind users that the credential will no longer be associated with an account at your site. Figure 7-19 Remove Your VIP Credential page

55 Managing Credentials Credential Management Options 51 Figure 7-20 identifies the recommended elements for the follow-up page to remove the credential from its related account. C D Prominently display the VIP logo. Remind users that the credential will no longer be associated with an account at your site. C Emphasize the fact that the credential will be removed only at your site. If a user wishes to remove a credential from accounts at other member sites, the user must do so at each individual site. D Include a link for ordering a new credential for VIP online account protection at your organization. Figure 7-20 VIP Credential Removed page

56 52 Managing Credentials Credential Management Options

57 ppendix Recommended VIP Terminology The VIP terms and definitions provided in Table -1 are part of the recommended guidelines for consistent terminology use within VIP member organizations. Table -1 Terms ctive credential Credential ID Recommended Usage of VIP Terminology Description Once a VIP credential is registered by a user at your site, the credential is considered to be active until it is intentionally deactivated by the user or organization, or is inadvertently locked because of excessive invalid security codes entered by the user. This term refers to a VIP credential s unique, identifying number on any type of VIP credential. Terms such as serial number, token ID, and credential code are not recommended as field names in the user interface. Damaged credential Deactivate a credential Generate Inactive credential Locked credential Lost or stolen credential Register a credential Remove a credential See Report damaged credential. deactivated credential has been removed by the user or organization from the user s account, and is no longer required for sign in authentication. For more information, see Credential Management Options on page 34. Each credential type (for example, VIP Security Token or VIP Security Card) has a different method to display a security code for authentication. The action for instructing an end user to procure a security code is to generate a security code. credential that is no longer active because it was reported as lost, stolen, or damaged. For more information, see Table 7-1, VIP credential states for users, on page 31. credential that is currently unavailable for validation. For more information, see Table 7-1, VIP credential states for users, on page 31. See Report lost or stolen credential. The term register defines the process of associating a credential with a member site. If a user has received a new credential or has one that was issued from another member site, the user should be invited to register the VIP credential for use at your member site. The term register should be used in conjunction with any type of VIP credential for this process. Terms such as bind, activate, and enroll are not recommended to describe this process. The term remove is a prompt to enable a user to deactivate a credential so the credential is no longer required for sign in authentication. The user interface can display the prompt Remove This VIP Credential From My ccount to describe this action. Terms such as disable, delete, deactivate, and turn-off are not recommended to describe this action.

58 54 Recommended VIP Terminology Table -1 Terms Recommended Usage of VIP Terminology (Continued) Description Report damaged credential Report lost or stolen credential Reset a credential Security Code Validation and ID Protection credential (or VIP credential) VIP ccess for Mobile VIP Security Card (or) VIP Security Token Users should be able to report a damaged VIP credential within the user interface. The interface can use the prompt My VIP Credential is Damaged to describe this action. Terms such as malfunction, not working, and broken are not recommended to describe this action. Users should be able to report a lost or stolen VIP credential within the user interface. The interface can use the prompt My VIP Credential is Lost or Stolen to describe this action. Terms such as missing, misplaced, can t find, and not with me are not recommended to describe this action. The term reset describes the process of generating two consecutive security codes on a VIP credential and submitting them for validation to set the credential with the VIP service (see Resetting Credentials on page 23). Terms such as resynchronize and recalibrate are not recommended to describe this process. This term refers to the unique six-digit code generated by a VIP credential for user authentication. The term security code can be used in conjunction with any VIP credential type. Terms such as pass code, password, and security key should not be used in place of security code. This refers to any type of VIP form factor. VIP credential is the umbrella term that should be used consistently to distinguish it from any other credential type. Terms such as token, key, and card should not be used as umbrella terms to describe VIP credentials. When referring to a specific VIP credential type, terms such as VIP Security Token and VIP Security Card may be used. free VIP credential that can be downloaded to a mobile phone from the VIP Center (see Redirecting Users to VIP Center for Credential Procurement on page 9). hard VIP credential that can be ordered through the VIP Center (see Redirecting Users to VIP Center for Credential Procurement on page 9).

59 Index actions for the user 4 active credential 53 audience 1 branded credentials 3 C challenge question 25, 27, 47 extend VIP service with 48 collateral 3 confirmation page for registration 16 credential active 53 damaged 35, 53 deactivate a 53 error when signing in without 27 extend VIP service for lost or stolen 47 inactive 53 locked 15, 22, 24, 53 lost or stolen 53 management tasks for 3 managing ordering 9 register a 53 remove a 53 remove a damaged 38 remove from an account 49 removing lost or stolen from an account 46 replacing a damaged 39 report a damaged report damaged 54 report lost or stolen 43, 54 requesting refund for damaged 43 re-registering an inactive 44 reset a 54 reset successful message 23 resetting 23 RM for removed 49 sign in without 24, 26 sign-in without 25 VIP ccess for Mobile 3, 7 VIP Security Card 9 VIP Security Token 9 credential branding 3 credential ID definition 53 entering 12 errors when entering 15 locating the 13 credential management 8 options 34 credential management landing page registered credential 34 unregistered credential 33 credential management page deactivated credential 49 lost or stolen credential 44 credential management workflow 32 credential procurement 3, 9 process 9 credential registration after sign-in 18 process credential registration workflow 11 credential reset error 23 credential sign in credential state deactivated 31, 35, 49 inactive 31, 43 locked 31 registered 31 credential status 35 credential type 37 D damaged credential 35, 53 extend VIP service for a 41 replacing 39 requesting refunds for 43 deactivate a credential 53 deactivated credential 31, 49 deactivated state 35, 49 definition active credential 53 credential ID 53 damaged credential 53 deactivate s credential 53 generate 53 inactive credential 53 locked credential 53 lost or stolen credential 53 register a credential 53 remove a credential 53 report damaged credential 54 report lost or stolen credential 54 reset a credential 54 security code 54 VIP ccess for Mobile 54 VIP Security Card 54 VIP Security Token 54 direct provisioning guidelines 9