Best practices - Browser tokens

Helium, Virtual Authenticator and mAccess Web are browser Tokens developed by TrustBuilder In short, they are implemented in an iFrame inserted in your login page that will produce One-Time Passwords.

The purpose of this guide is to provide browser requirements for Helium, Virtual Authenticator (VA) or mAccess Web, with best practices to guarantee their persistence.

For Helium, VA and mAccess Web to work properly in a browser, the requirements are:

• HTML5 Local Storage must be supported (Firefox, Chrome, Safari, Opera, Edge, Edge Chromium…)

• JavaScript execution must be enabled

• Cookies and site data from third party must be accepted (at least for inWebo domains: https://www.myinwebo.com and https://ult-inwebo.com)

Browser-specific requirements are detailed in this page.

About Web storage persistence

Helium, VA or mAccess Web will persist in your browser as long as “website data” are not cleared. In most browsers, this data is cleared at the same time as cookies are cleared.

To avoid losing your browser token(s), we recommend that users do not clear website data from their browser and that they install the TrustBuilder Backup browser extension whose purpose is to automatically restore the browser data that is accidentaly lost.

How to keep your account in your browser - Best Practice

Managing your data policies / Web storage

The best practices are:

• Never clear the cookies and website data:
  never click on the button “Remove all website data” in the your browsers > Settings > Privacy panel.

• Alternatively a user may delete website data for given domains (details) but never for domain ult-inwebo.com.

Clearing History

• For most Browsers :
  A user may choose to delete browsing history (via the menu History > Clear history) as this does not have any effect cookies or site data.

• For Safari / Apple (Mac, iMac, MacBook)
  Never clear the browser history via History > Clear history as it will also clear cookies and website data

Installing TrustBuilder Backup extension to secure your account

TrustBuilder Backup browser extension is available for Chrome, Chromium based browsers (e.g. Edge), Firefox, Safari and Internet Explorer. Its purpose is to keep enrollment data in case of a browser data cleanup (which would normally lead to the loss of your browser enrollment).

• To install TrustBuilder Backup extension, you may redirect users to http://www.myinwebo.com/hbckup/install

The installation of this browser extension is also proposed during the user activation process.

Additional recommendations for Administrator accounts

Service administrators are the most important accounts, and their access to the administration console must not be lost. Thus, we strongly advises the following:

1. Use TrustBuilder Backup Extension

2. Enroll at least 2 devices

3. Create at least a second administrator account

4. Generate an API certificate and keep it carefully in a secure place

Best practice for Chrome / Edge

Requirements

Chrome controls local storage in exactly the same way as cookies. If a user chooses to clear their cookies, it will also clear local storage.

The best practice is to set the Tools > Settings > Confidentiality and security as follow:

• Click “Cookies and other site data”, “General parameters” have to be set to at least “Block third party cookies in incognito mode”, blocking all cookies or third party cookies will also block access to TrustBuilder security cookies.

• Clear browsing data: make sure the “Cookies and other site and plugin data” option is not checked. If it is, exceptions need to be added for domains https://ult-inwebo.com and https://www.myinwebo.com

Installing TrustBuilder Backup extension

• You can find TrustBuilder Backup for Chrome in the store here: https://chrome.google.com/webstore/detail/trustbuilder-backup/ekjhggmngmlemlalphejlafdmldloanb

• You can find TrustBuilder Backup for Edge in the store here: https://microsoftedge.microsoft.com/addons/detail/trustbuilder-backup/hoingnmkkaciekhpehiafjpcbmmadopg

Best practice for Firefox

Requirements

Firefox needs to be configured to authorize Third Party Cookies, at least for domain https://ult-inwebo.com. This can be done in “Options > Privacy” by setting protection level to “Standard”. If you are using “Custom” level settings, the “Cookies” parameters should be set to “All third party cookies” , or an Exception needs to be configured for domain https://ult-inwebo.com

Persistence

Firefox controls local storage in exactly the same way as cookies. If a user chooses to clear their cookies, it will also clear local storage.

If a user wants to keep his enrollment cookies even after clearing his history, he needs to configure an Exception for domain https://ult-inwebo.com in “Options > Privacy”

• With Firefox default parameters, closing Firefox will not delete your enrollment.

• Even if you set History to “Use custom settings for history”, “Clear history when Firefox closes” with default parameters in Settings, you will not lose enrollment.

But if you check “Delete cookies and site data when Firefox is closed”, or if you manually clear Cookies or history, you will lose your browser enrollment.

Installing TrustBuilder Backup extension

You can install TrustBuilder Backup for Firefox:

• Directly from “Menu > Add-ons”, search 'trustbuilder'

• From this link: https://addons.mozilla.org/fr/firefox/addon/trustbuilder-backup/

Best practice for Internet Explorer

Using IE11 may cause compatibility issues and affect the user experience. We strongly recommend upgrading to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox.

Requirements

For Helium/VA/mAccess to work properly in Internet Explorer, in addition to generic requirements, we recommend that:

• All pages that include Helium, VA or mAccess script (e.g. all “secure sites”) are in the same security zone as https://ult-inwebo.com and https://www.myinwebo.com (In IE: 'Tools' menu > 'Internet Options' > 'Security')

• This zone configuration must be executed BEFORE Helium/VA/mAccess activation

• Security level of the zone must not be set to 'High'

• Preferably, the compatibility view should be disabled for sites using Helium/VA/mAccess. If this is not possible, it must be set so that Document Mode is IE9 or newer.

Helium/VA Persistence

Internet Explorer controls local storage in exactly the same way as cookies. If a user chooses to clear their cookies, it will also clear local storage.

To avoid losing their local storage, a user can delete all of their browsing history except cookies. The best practice is to uncheck "Cookies" in the Clear Browsing History dialog box opened with 'Tools'> 'Internet Options' > 'Browsing history' > 'Delete'…

As an administrator, you can configure a GPO that will prevent users from deleting their cookies. You can also set a GPO that allows users to clear their cookies except those belonging to their favorite website. In this second case, users will first need to add https://ult-inwebo.com and https://www.myinwebo.com to their favorites. It is possible to set a GPO to automatically create this bookmark. See https://technet.microsoft.com/en-us//library/cc772139.aspx .

Installing TrustBuilder Backup extension

You can download TrustBuilder Backup for IE installer here: https://www.myinwebo.com/console/product/download/heliumbackup_ie

Best practice for Safari

Requirements

Safari controls local storage in exactly the same way as cookies. Both cookies and storage are grouped under “Cookies and website data”. If a user chooses to clear his website data, he will also clear the Local Storage.

The best practice is to:

• Never delete cookies and website data: never click on the button “Remove all website data” in the “Safari > Preferences > Privacy” panel. Alternatively a user can also delete website data for given domains (details) but never for the domain ult-inwebo.com

• Never clear the browser history via “History > Clear history” as this will also clear cookies and website data

• Enabling third party cookies in Safari

Enabling third party cookies in Safari

Safari should have access to third party cookies

For Safari 11.x

The best practice is to set the Confidentiality Settings as follow:

• Deactivate "Prevent cross-site tracking"

For Safari 8.x

The best practice is to set the Privacy Settings as follow:

• Change the value of "Cookies and website data" to "always allow"

Installing TrustBuilder Backup extension

You can download TrustBuilder Backup for SAFARI installer here: https://www.myinwebo.com/console/product/download/heliumbackup_safari